Windows Analysis Report http://t.rdsv.net/ls/click?upn=cpwegmyFHUuNgEU3lyNXXhPGSYXUqt-2BGXbRNBYBa2g896D4DVCuUlLbtHzBnOscW6qJbOo1xArXiRLhNUJmqbMk7y0c07Wwhd-2B50vpuXpvZoWm4jahZHqBv4QldQQ0YZbzW8_UjuXtHjpHNrQkHhOUKYAq28-2F0Q4sGSdW314MKXxhxNDN4dWOs6ea-2BfxlUCZOmCV9bdkAe-2Bq7ZxF6fKOF-2BbFoN6lR49ezWp6pYyEXYyCx2xJHqh0tHicanG21dXeyuGH2hZLF7vIvxCRl-2Fx7JEkTzcQcb6jsT6ykl2ZNHUJwPvKy2zYCswEDcQhCs2i-2FZkXZqjRVLtLe-2FPHg50AHygfh3npy3FHX0dqegT-2FltXWzgdPgRR17ANwdxTJePU6pbIk63-2BrC-2BAwG9Pa8VEhtQUk35o9wKU3NEI3MbP7446zXRjZj2N4WfFCLcmNgIyJMMTy4YIFCESv5pdcyMrXKcX8lNXYt4HqFEVxQ89cOgMKFrpq8PMtQcWdbbuu3F4IyAj-2Bs3xcKdnkwASyatHiB6Y1PTxlXQ2ai87Qw6hmXZXJiCQ1OoPbl2psrJUn95vFQL2AHT9UoLNvZfSbcFCj1P0QPVSq4B3LhLX5M5A3Kt-2BEYCxIB2u2IwSHwe4zQexVD0rJzb

Overview

General Information

Sample URL:	http://t.rdsv.net/ls/click?upn=cpwegmyFHUuNgEU3lyNXXhPGSYXUqt-2BGXbRNBYBa2g896D4DVCuUlLbtHzBnOscW6qJbOo1xArXiRLhNUJmqbMk7y0c07Wwhd-2B50vpuXpvZoWm4jahZHqBv4QldQQ0YZbzW8_UjuXtHjpHNrQkHhOUKYAq28-2F0Q4sGSdW314MKXxhxNDN4dWOs6ea-2BfxlUCZOmCV9bdkAe-2Bq7ZxF6fKOF-2BbFoN6lR49ezWp6pYyEXYyCx2xJHqh0tHicanG21dXeyuGH2hZLF7vIvxCRl-2Fx7JEkTzcQcb6jsT6ykl2ZNHUJwPvKy2zYCswEDcQhCs2i-2FZkXZqjRVLtLe-2FPHg50AHygfh3npy3FHX0dqegT-2FltXWzgdPgRR17ANwdxTJePU6pbIk63-2BrC-2BAwG9Pa8VEhtQUk35o9wKU3NEI3MbP7446zXRjZj2N4WfFCLcmNgIyJMMTy4YIFCESv5pdcyMrXKcX8lNXYt4HqFEVxQ89cOgMKFrpq8PMtQcWdbbuu3F4IyAj-2Bs3xcKdnkwASyatHiB6Y1PTxlXQ2ai87Qw6hmXZXJiCQ1OoPbl2psrJUn95vFQL2AHT9UoLNvZfSbcFCj1P0QPVSq4B3LhLX5M5A3Kt-2BEYCxIB2u2IwSHwe4zQexVD0rJzb
Analysis ID:	445712
Infos:
Most interesting Screenshot:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

Signatures

There are no high impact signatures.

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.75.148:443 -> 192.168.2.3:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.75.148:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.192.76.182:443 -> 192.168.2.3:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.192.76.182:443 -> 192.168.2.3:49723 version: TLS 1.2

Source: global traffic

HTTP traffic detected: GET /ls/click?upn=cpwegmyFHUuNgEU3lyNXXhPGSYXUqt-2BGXbRNBYBa2g896D4DVCuUlLbtHzBnOscW6qJbOo1xArXiRLhNUJmqbMk7y0c07Wwhd-2B50vpuXpvZoWm4jahZHqBv4QldQQ0YZbzW8_UjuXtHjpHNrQkHhOUKYAq28-2F0Q4sGSdW314MKXxhxNDN4dWOs6ea-2BfxlUCZOmCV9bdkAe-2Bq7ZxF6fKOF-2BbFoN6lR49ezWp6pYyEXYyCx2xJHqh0tHicanG21dXeyuGH2hZLF7vIvxCRl-2Fx7JEkTzcQcb6jsT6ykl2ZNHUJwPvKy2zYCswEDcQhCs2i-2FZkXZqjRVLtLe-2FPHg50AHygfh3npy3FHX0dqegT-2FltXWzgdPgRR17ANwdxTJePU6pbIk63-2BrC-2BAwG9Pa8VEhtQUk35o9wKU3NEI3MbP7446zXRjZj2N4WfFCLcmNgIyJMMTy4YIFCESv5pdcyMrXKcX8lNXYt4HqFEVxQ89cOgMKFrpq8PMtQcWdbbuu3F4IyAj-2Bs3xcKdnkwASyatHiB6Y1PTxlXQ2ai87Qw6hmXZXJiCQ1OoPbl2psrJUn95vFQL2AHT9UoLNvZfSbcFCj1P0QPVSq4B3LhLX5M5A3Kt-2BEYCxIB2u2IwSHwe4zQexVD0rJzb HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: t.rdsv.netConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: t.rdsv.net

Source: banned[1].htm.3.dr, 5c7e195[1].js.3.dr	String found in binary or memory: https://chl.li
Source: c5070a3[1].js.3.dr	String found in binary or memory: https://chl.li/
Source: c5070a3[1].js.3.dr	String found in binary or memory: https://chl.li/$
Source: {7E25200B-E006-11EB-90E4-ECF4BB862DED}.dat.2.dr	String found in binary or memory: https://chl.li/banned
Source: {7E25200B-E006-11EB-90E4-ECF4BB862DED}.dat.2.dr	String found in binary or memory: https://chl.li/bannedL
Source: {7E25200B-E006-11EB-90E4-ECF4BB862DED}.dat.2.dr	String found in binary or memory: https://chl.li/bannedRoot
Source: {7E25200B-E006-11EB-90E4-ECF4BB862DED}.dat.2.dr	String found in binary or memory: https://chl.li/contact
Source: {7E25200B-E006-11EB-90E4-ECF4BB862DED}.dat.2.dr	String found in binary or memory: https://chl.li/contactL
Source: ~DFD748ABD5F4183990.TMP.2.dr	String found in binary or memory: https://chl.li/contactavelLog
Source: imagestore.dat.3.dr	String found in binary or memory: https://chl.li/favicon.ico
Source: {7E25200B-E006-11EB-90E4-ECF4BB862DED}.dat.2.dr	String found in binary or memory: https://chl.li/ontact
Source: c5070a3[1].js.3.dr	String found in binary or memory: https://ko-fi.com/vincentdoerig
Source: 389e2cc[1].js.3.dr	String found in binary or memory: https://s.pageclip.co/v1/pageclip.js
Source: banned[1].htm.3.dr, OND0U4FC.htm.3.dr, contact[1].htm.3.dr	String found in binary or memory: https://sa.chl.li/image.gif
Source: pageclip[1].js.3.dr	String found in binary or memory: https://send.pageclip.co
Source: 389e2cc[1].js.3.dr, contact[1].htm.3.dr	String found in binary or memory: https://send.pageclip.co/V4TI4hdGwPHLUh3G6rElfsYTZZs0N6wJ

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 104.21.75.148:443 -> 192.168.2.3:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.75.148:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.192.76.182:443 -> 192.168.2.3:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.192.76.182:443 -> 192.168.2.3:49723 version: TLS 1.2

Source: classification engine

Classification label: clean0.win@3/24@5/3

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF3868AD8133FA3F13.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4424 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4424 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Screenshots

Behavior

Click here to start
Slideshow Behavior Animation

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.75.148	chl.li	United States	13335	CLOUDFLARENETUS	false
18.192.76.182	pageclip-static.netlify.com	United States	16509	AMAZON-02US	false
13.224.99.50	d4liwvj3ggvqp.cloudfront.net	United States	16509	AMAZON-02US	false

Contacted Domains

Name	IP	Active
d4liwvj3ggvqp.cloudfront.net	13.224.99.50	true
pageclip-static.netlify.com	18.192.76.182	true
chl.li	104.21.75.148	true
t.rdsv.net	unknown	unknown
s.pageclip.co	unknown	unknown
clientconfig.passport.net	unknown	unknown

Contacted URLs

Name	Malicious	Reputation
https://chl.li/contact	false	unknown
https://chl.li/banned	false	unknown
https://chl.li/	false	unknown

ID:	445712
Product:	CloudBasic
Start time:	09:05:54
Start date:	08.07.2021
Cookbook:	browseurl.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7E252009-E006-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	E47ADB13F5EBCD1A6EA6F8599D5546EA	8FE9A8C6D6265D0C6747795BF8215FCC2089CA34	5426C83A1F59EC9C88672C96B0617FF27F9CD7BCA759C7C72E3478F26B3F752A
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7E25200B-E006-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	C9F268F65B7A22AC5823936CA26CD972	E1E9264442618A64932620A96EDA5D3A366A6729	4E4B292E9316FF7F51DB02EA1E4DB7AA7A340C05A498A006FEB7E06E7B855B74
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7E25200C-E006-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	B136C620B228DF8778ECD5BA6E3E4D58	E67ADEAA2010507EE3C94DD5870296E022118509	D0D044883DBB79D6A27AAB114FF1C10E991CD508B977337CC2F80E1A051C9B42
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\ynfz0jx\imagestore.dat	data	69272E412F333C595243F7D051F1A87F	1DFBD7851D47A8E69801130C1C200FF72F8DBF5D	2A42E56F090F05EFC2A2B2961EB64F6759A93D9537ACB21E5EC2C2143501D193
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\OND0U4FC.htm	HTML document, UTF-8 Unicode text, with very long lines	2919F6E2AF6915AFE1AD4F17FD639535	0E2E6E7148B9CFBFD45FF1FEA26F2BE7DE41BCA8	FAC1E030322F82306EEAAADAACDE6737959A6C9D002ECEBB727E83A5F940A080
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\b0bc7c6[1].js	UTF-8 Unicode text, with very long lines	321C3D3B9D8E84D1748B24A84C670570	6659D64D5FE77DE66E34EFA31E7DAEE42114F702	B96AE6D80BAC96F4CC055C938E8AAAD9940AA3B7A7FBF759E0ACFA0D883729D8
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\b3f9ba0[1].js	UTF-8 Unicode text, with very long lines, with no line terminators	EBA956AFE7D94FF67C6829A53D804CBB	62C21C90BF08400F2BF9E0D7EBDA1B7134A478F8	81B3DC4C4620AC1C2412C143552AEC07771A1D0FF2B99870CFBBE623F9B03705
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\contact[1].htm	HTML document, UTF-8 Unicode text, with very long lines	1C88F2F03AD4CA6BBEBC2E235A6585F5	D4F33722D319560DC5335090D89D6EB36408B2E4	76F1EDC22EFF27DA005952C3B7FF517E932017E3AF9E23D7A89667E126119930
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\5c7e195[1].js	UTF-8 Unicode text, with very long lines, with no line terminators	163B6B5ED8B590F5E6A1EB65491392C3	1B494DF14D5E2DA65FFBBE7955AD0B4C7F2A058D	A8FD119369B99AC4F4F6FA321D41BE8DA80EF8C3CB2995B9675C26B93D7183BB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\c5a3555[1].js	ASCII text, with very long lines, with no line terminators	1C5FDEED03156FCBF6D34E972F69C981	53B41BBA42DB2BAC87ED055BCF20A2069B913CDE	1D7AF4A5914668C4C306224C466CF26E7FB9F1AF388F79CDD9D189EC5FE545B2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\favicon[1].ico	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel	67C579157CD701147FB1B5BAABC3441F	D97A82365E5D79DE78C102E3D3E79D77E55C30B5	38436B524ECDA125F510BFF2C3CFD409844AE730D58B72E3D27660C41D4FD62E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\pageclip[1].js	ASCII text, with very long lines, with no line terminators	2DD4235A5FD32D52150D9A93E448CBCE	0CC64A3F6B0985D0385A488E60D2D481DF17E696	1B8458D134C27A4AE53C74D0C76736A62B65F320EB29B575FC872723E6DEF3AD
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\2b2015b[1].js	UTF-8 Unicode text, with very long lines	89D0374A9C10440DF9E36AE8C3D924A7	133E18091162C131D0E6B2F3D4DCF7B8C277E3DF	6BC8073DC25E92B446C3C445E4BFA8B6F96C9B0257BA2BDEC6EE72BEE3E1AA19
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\389e2cc[1].js	ASCII text, with very long lines, with no line terminators	40F0D1EF3E639C2C8954A1BB961A4FB0	8A32BCBDD211A530B7FBBB6CE24C34848987F943	1433A7DE286FAF42AF7A42495C3F35B9844A509B0DBB51CE88768C7AEC698C0D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\CircularStd-Black[1].eot	Embedded OpenType (EOT), CircularStd family	D15B35DD66E65E46EEA1282335F2FAF9	0706C85CF590E2331AD5937AB1A72A3C05E7157D	82DAF453C4BEAF23BAF6F678BB5886915BD97E7BC20913628AD94F68E94B5335
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\email-decode.min[1].js	HTML document, ASCII text, with very long lines	9E8F56E8E1806253BA01A95CFC3D392C	A8AF90D7482E1E99D03DE6BF88FED2315C5DD728	2595496FE48DF6FCF9B1BC57C29A744C121EB4DD11566466BC13D2E52E6BBCC8
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\CircularStd-MediumItalic[1].eot	Embedded OpenType (EOT), CircularStd family	0527002E4CC6730EC1641A2861678E50	9B8A90A2D95E35AF71E4993240282E21E914E835	DFC578951BA26C914C258123400A07CD5C623ED52C02F698933866B826F7F8DF
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\CircularStd-Medium[1].eot	Embedded OpenType (EOT), CircularStd family	8811E8E952715D0E564F3D782A693110	60EF4BB6901420F4C4165358C837949A93CA7A4C	69DEF5E3BB7A6942F98BC098B5B669C162F5959B1FEDF3AE4100BA9CDA3AD900
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\banned[1].htm	HTML document, UTF-8 Unicode text, with very long lines	BD4AF3D5D3C51DA226601A57AE5D85F0	49E3A5550446DFC4BAC2794CF8BBF16917174D45	F3BFE63314B1DDE42E1D8AE8BDA512A85B79974E97AAB87BD012ED493DAB3FCB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\c5070a3[1].js	UTF-8 Unicode text, with very long lines, with NEL line terminators	718DD0C21F678B9A0F3DA9185CC8F5D6	1F806E4EA92495B4BB096DD24F35B11209DAF75B	2AFF80012D7D109AEEC4D3C2014C14D99E006DBAA0823D56B16339C9506AE6A1
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\pageclip[1].css	ASCII text, with very long lines, with no line terminators	F783FCEEEC9E68C2E8EF6CD4EC8E523C	31047D483CD7B1DF884B719672495132674E114A	A5E7074AB3D9676F57660144F7664698DFC63A952141AFE22618C9A579844C19
C:\Users\user\AppData\Local\Temp\~DF3868AD8133FA3F13.TMP	data	BE72F9D9EB08D9041BDFCA19AAB08E66	0F4D8CFDDE384EBEB907A9828B30F51A8B5DAD6D	B5682B5114F01294177F76A1D5D83A3159F8C71FBC34CDD622DD9B116B7C2A2F
C:\Users\user\AppData\Local\Temp\~DF91159CE79C29A6AD.TMP	data	1F9410AC60CA5DB4AE0D87AEBE7475FD	79E8BC01EB65B01FA4F9B0789FA8EA6A3B7D4302	B748AC146261A43553CCCDC8F556E08094C4414D060F1EE03A57E346368381AB
C:\Users\user\AppData\Local\Temp\~DFD748ABD5F4183990.TMP	data	3668A1462E7B0AFE27B33BA5C1A918F8	52C18875713752AF4FF9C87DDF20D36F38913AC6	6C36953E74268C87B423CDF0F27C9C283033585609E198EA6334E1CF03A5D50E

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance:

Networking:

System Summary:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs