Play interactive tour

Edit tour

Analysis Report https://n.wpslot.net/u?id=21VXS6F&ifca=D85JBJ

Overview

General Information

Sample URL:	https://n.wpslot.net/u?id=21VXS6F&ifca=D85JBJ
Analysis ID:	321425
Most interesting Screenshot:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

Startup

System is w10x64

iexplore.exe (PID: 852 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4852 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:852 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown

DNS traffic detected: queries for: n.wpslot.net

Source: avignon-demi-webfont[1].eot.2.dr	String found in binary or memory: http://www.softmaker.dehttp://www.softmaker.dehttp://www.softmaker.de
Source: avignon-regular-webfont[1].eot.2.dr	String found in binary or memory: http://www.softmaker.dehttp://www.softmaker.dehttp://www.softmaker.deAvignonBook
Source: avignon-demi-webfont[1].eot.2.dr	String found in binary or memory: http://www.softmaker.dehttp://www.softmaker.dehttp://www.softmaker.deAvignonDemi
Source: {4E511632-2CAD-11EB-90E4-ECF4BB862DED}.dat.1.dr	String found in binary or memory: https://n.wpslot.net/u
Source: ~DFF170DD14E7BFC24B.TMP.1.dr, {4E511632-2CAD-11EB-90E4-ECF4BB862DED}.dat.1.dr	String found in binary or memory: https://n.wpslot.net/u?id=21VXS6F&ifca=D85JBJ
Source: {4E511632-2CAD-11EB-90E4-ECF4BB862DED}.dat.1.dr	String found in binary or memory: https://n.wpslot.net/u?id=21VXS6F&ifca=D85JBJRoot
Source: ~DFF170DD14E7BFC24B.TMP.1.dr	String found in binary or memory: https://n.wpslot.net/unsubscribe?id=21VXS6F&ifca=D85JBJ&confirm=true

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: classification engine

Classification label: clean0.win@3/12@2/1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF6FE7520CCB2DC8FD.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:852 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:852 CREDAT:17410 /prefetch:2

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://n.wpslot.net/u?id=21VXS6F&ifca=D85JBJ	1%	Virustotal		Browse
https://n.wpslot.net/u?id=21VXS6F&ifca=D85JBJ	0%	Avira URL Cloud	safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
n.wpslot.net	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.softmaker.dehttp://www.softmaker.dehttp://www.softmaker.deAvignonBook	0%	Avira URL Cloud	safe
https://n.wpslot.net/u?id=21VXS6F&ifca=D85JBJ	1%	Virustotal		Browse
http://www.softmaker.dehttp://www.softmaker.dehttp://www.softmaker.de	0%	Avira URL Cloud	safe
https://n.wpslot.net/u?id=21VXS6F&ifca=D85JBJRoot	0%	Avira URL Cloud	safe
https://n.wpslot.net/u	0%	Avira URL Cloud	safe
http://www.softmaker.dehttp://www.softmaker.dehttp://www.softmaker.deAvignonDemi	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
n.wpslot.net	176.31.142.212	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://n.wpslot.net/u?id=21VXS6F&ifca=D85JBJ	false	1%, Virustotal, Browse	unknown
https://n.wpslot.net/unsubscribe?id=21VXS6F&ifca=D85JBJ&confirm=true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.softmaker.dehttp://www.softmaker.dehttp://www.softmaker.deAvignonBook	avignon-regular-webfont[1].eot.2.dr	false	Avira URL Cloud: safe	unknown
http://www.softmaker.dehttp://www.softmaker.dehttp://www.softmaker.de	avignon-demi-webfont[1].eot.2.dr	false	Avira URL Cloud: safe	unknown
https://n.wpslot.net/u?id=21VXS6F&ifca=D85JBJRoot	{4E511632-2CAD-11EB-90E4-ECF4BB862DED}.dat.1.dr	false	Avira URL Cloud: safe	unknown
https://n.wpslot.net/u?id=21VXS6F&ifca=D85JBJ	~DFF170DD14E7BFC24B.TMP.1.dr, {4E511632-2CAD-11EB-90E4-ECF4BB862DED}.dat.1.dr	false	1%, Virustotal, Browse	unknown
https://n.wpslot.net/unsubscribe?id=21VXS6F&ifca=D85JBJ&confirm=true	~DFF170DD14E7BFC24B.TMP.1.dr	false		unknown
https://n.wpslot.net/u	{4E511632-2CAD-11EB-90E4-ECF4BB862DED}.dat.1.dr	false	Avira URL Cloud: safe	unknown
http://www.softmaker.dehttp://www.softmaker.dehttp://www.softmaker.deAvignonDemi	avignon-demi-webfont[1].eot.2.dr	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
176.31.142.212	unknown	France		16276	OVHFR	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321425
Start date:	22.11.2020
Start time:	02:26:37
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 12s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	browseurl.jbs
Sample URL:	https://n.wpslot.net/u?id=21VXS6F&ifca=D85JBJ
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@3/12@2/1
Cookbook Comments:	Adjust boot time Enable AMSI Browsing link: https://n.wpslot.net/unsubscribe?id=21VXS6F&ifca=D85JBJ&confirm=true
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 104.83.120.32, 40.88.32.150, 13.88.21.125, 51.11.168.160, 92.122.213.194, 92.122.213.247, 2.20.84.85, 152.199.19.161, 93.184.221.240, 51.132.208.181 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wu.azureedge.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, skypedataprdcoleus15.cloudapp.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, ie9comview.vo.msecnd.net, wu.ec.azureedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, go.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, cs9.wpc.v0cdn.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4E511630-2CAD-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	30296
Entropy (8bit):	1.853079330237767
Encrypted:	false
SSDEEP:	96:rT/ZQZc2B9WNTtNAFfNIFMN5rN0NZNRfNZYScX:rbZQZc2B9WhtgfOFM7K3fbcX
MD5:	A29F1D6A21D951152D36A0F1EA2093DF
SHA1:	03C4CA567C91D9800E719B644045489B43888A18
SHA-256:	DEC2307B3A771FB96D3AEE09D5A3658DF091C4D1DD426977DBD22E593E399CFB
SHA-512:	39CF09AC06711B11B426BA140B5529C21039D7164C9ACACDD3704B1794D17D644D9E4F78231E324834CA4C57878AED1B4652D8B88FA91F7979D11A7F884C7E1F
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4E511632-2CAD-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	35780
Entropy (8bit):	1.915822050606748
Encrypted:	false
SSDEEP:	192:rJZeQS6AkkFjR2MkWBM+YTUYmz9loM9mL:r/b9NkhA4a+WBmhGUm
MD5:	9F3250368A181F986EA0A42C7FDF99CE
SHA1:	1B4564E8C59D80D2A1E55A8092A68C546A7E8A64
SHA-256:	FBD4455073FF3EFFFFAD5836D2A1189F1894B811CC24F63A2588DD70999C7A92
SHA-512:	F23E8B89DD5F810D22129FC1D737B3A2197ED8012944127E765923BD12D07D307B89385D8D28155A29383430180ED5FDD7C63C2B9A45F6FF2065E027A50CF277
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4E511633-2CAD-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.5650506673374784
Encrypted:	false
SSDEEP:	48:IwPlZGcprGGwpaDlZG4pQrGrapbSZrGQpK7G7HpRMsTGIpG:rd/ZeQ576fBSZFA6TM4A
MD5:	C1160044483D4BD00D5717B4A0F44D69
SHA1:	BB0F4349AA695A62FECAFDB8F8FB0901551B79D7
SHA-256:	61E86DE67DD293D7DCB776DC0566A6E2F6728057D99A2D769BF15B967F24B7DD
SHA-512:	035EB3DB19EA171F6975BCB8B3FB926BAE04B5D560D260DB989F01D62467DD1B8367B6EABCECC4CD846F306E71EC3CD88DF00B73ACAD9E753869341250DD6559
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\site[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	39643
Entropy (8bit):	4.9098474932705
Encrypted:	false
SSDEEP:	768:VpEGTLpEG72lVfq5FZmd3sRU6Fcz5qFwBWVACb9uzl:VpEGXpEGKlVfq5A5qu
MD5:	31CBF4F283C2233B4F55A93CA5EE9CEA
SHA1:	C7D3CECF28B481100258C6450F4B557EDEA0DC31
SHA-256:	8E197478F0F830AB8E3D092DA98A8993AF2A5C98F7809A7348EF2ABD7D02689A
SHA-512:	835C6497C2C8521B06C6DB20D48B64D1CA2F649D2400E45EFA8A63D56E0B4580F48B742160FABC5F01C320441A23B3286E6F3F9640123F7C73D6DC086025C112
Malicious:	false
Reputation:	low
IE Cache URL:	https://n.wpslot.net/css/site.css?t=2020-11-10T09:26:22Z
Preview:	.clear-flex {. width: 100%;.}..clearfix::after {. content: '';. display: block;. height: 0;. opacity: 0;. clear: both;.}..display-grid {. display: -ms-grid;. display: grid;.}.* {. padding: 0;. margin: 0;. outline: 0;. border: 0;.}.select,.input {. border-radius: 0;.}.:-webkit-autofill {. -webkit-box-shadow: 0 0 0px 1000px #0b0204 inset;. -webkit-text-fill-color: #ffffff;.}.:focus:-webkit-autofill {. -webkit-box-shadow: 0 0 0px 1000px #0b0204 inset;. -webkit-text-fill-color: #ffffff;.}.input.w-input {. -moz-box-sizing: border-box;. -webkit-box-sizing: border-box;. box-sizing: border-box;. background-color: rgba(0, 0, 0, 0);. border-style: solid;. border-width: 0 0 1px;. width: 100%;. font-size: 16px;. line-height: 35px;. height: 35px;. border-color: #bdbdbd;. color: #ffffff;.}.input.w-input::-webkit-input-placeholder {. opacity: 1;. color: #bdbdbd;. font-family: 'Avignon Book Italic';.}.input.w-input:-moz-placeholder {. opacity: 1;. color: #bdbdbd;. fo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\fonts[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	2813
Entropy (8bit):	5.02414750899614
Encrypted:	false
SSDEEP:	24:LFVoZNeYxJpV6N0keYYIVg3xcbeYTVV44xcbe36Tkz3i3g/:xVovx5V62kxdVgBcbx5V42cbMiK
MD5:	A5A744825560EDB0C263302D9C440692
SHA1:	0A8E3367B969932A5FB121E93F9A5F537613F5CF
SHA-256:	FE3A16D9FF2BD64874EC75B523B14ADF20FBBCA652482815DD1383AF41692336
SHA-512:	06E8FFE6700DAC6CE47C8B9925C67BCF10CCB1B45312B3C85FB357D488F3DC821DCB53AD85791E014BD42550D6DE9A9DB4C4A2907ACB35824D0DBB05A1920B2B
Malicious:	false
Reputation:	low
IE Cache URL:	https://n.wpslot.net/css/fonts.css
Preview:	/* ==========================================================================...#Fonts..========================================================================== */..@font-face {.. font-family: 'Avignon Book';.. src: url('fonts/avignon-regular-webfont.eot');.. src: url('fonts/avignon-regular-webfont.eot?#iefix') format('embedded-opentype'),.. url('fonts/avignon-regular-webfont.woff') format('woff'),.. url('fonts/avignon-regular-webfont.ttf') format('truetype'),.. url('fonts/avignon-regular-webfont.svg#avignonbook') format('svg');.. font-weight: normal;.. font-style: normal;..}....@font-face {.. font-family: 'Avignon Book Italic';.. src: url('fonts/avignon-italic-webfont.eot');.. src: url('fonts/avignon-italic-webfont.eot?#iefix') format('embedded-opentype'),.. url('fonts/avignon-italic-webfont.woff') format('woff'),.. url('fonts/avignon-italic-webfont.ttf') format('truetype'),.. url('fonts/avignon-italic-webfont.s

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\avignon-demi-webfont[1].eot Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Embedded OpenType (EOT), Avignon family
Category:	downloaded
Size (bytes):	194038
Entropy (8bit):	5.9965382746383815
Encrypted:	false
SSDEEP:	3072:CxH7iJG48Vna2YrkiYVDbk0bGlaPQQA37YQoKGLJM/MZ1UKv9o5y3mUscwUU8dIu:CxHOG48Vna2YrkiYVDbkOG4PQQArYQoT
MD5:	40FED42EF530AD90EC281F844B0271F7
SHA1:	44AD7D546CFBE10BF4497481506784516107519D
SHA-256:	83D3FAED6C774A4577A789E7D8755DA241330292F5BEF39071E64587CD7F9F96
SHA-512:	76D904B7D1F6EC0A51BD76C4BE0383AE65984EEAFAE8A9DAB0450331E9325857365088836F1DDF6A6ED451A0510E6713A431F5C0084303A0662C08AD3EAFDE5B
Malicious:	false
Reputation:	low
IE Cache URL:	https://n.wpslot.net/css/fonts/avignon-demi-webfont.eot?
Preview:	....8.............................LP....... ...........@.....tb.....................A.v.i.g.n.o.n.....D.e.m.i...,.V.e.r.s.i.o.n. .1...0. .0.8.-.1.0.-.2.0.0.2.....A.v.i.g.n.o.n.-.D.e.m.i................0GPOSf.........^LTSHAKgq........OS/2i.=........`PCLT.F.......6VDMX{..(........cmap.:....F.....cvt ......X4....fpgm.S.1..V....sglyfTUg...X8..I.hdmx.Q~......./.head.w.....<...6hhea...6...t...$hmtx\|..E........kern............loca.V..........maxp...p....... name:*a.........post-.:2.......prep...+..X0.............bt._.<.................l@].....y...............................y...................................................../.......................2.................. ...........smak. . ............@.............. .....?...............F...........#...".k.".....7.".7...../...%...9.......9...................................;...........9...9..."...%..."...............>... .w.>...>...>... .c.>...>.......>...>.8.>...>... ...>... ...>.........M.7.a...A...S...(.......7.6...(.7.;...........f.h

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\avignon-regular-webfont[1].eot Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Embedded OpenType (EOT), Avignon family
Category:	downloaded
Size (bytes):	187066
Entropy (8bit):	6.03237808375965
Encrypted:	false
SSDEEP:	3072:JMip24BwzGJE9Hhwp2chr/7lyDUTENaQePSa5HMgl36jCCuFrOZZvnIL3b4SKKdj:jp24BwqE9Be2chr/7kDUTENaQePSa5BP
MD5:	589D0675883F51E3827E72C8C89B8529
SHA1:	F1A17B7A4FB7C7FC37F47D5F2FDF241EEB6C2A78
SHA-256:	51CD3B8BBD0731A2C103D58ABDBD0E5A70E8CDA6D05D7B179DF0AEC52A7CE641
SHA-512:	4C5A9A88EE14CDD892261A216AE28FF991F8275B2A1F8996AA2D26EF7709E503996A659E00E3BED1AD7A163414FC8ED23D9A23F79E264B18AA3CC29CEF44D2B5
Malicious:	false
Reputation:	low
IE Cache URL:	https://n.wpslot.net/css/fonts/avignon-regular-webfont.eot?
Preview:	..................................LP....... ...........@.....T3.....................A.v.i.g.n.o.n.....R.e.g.u.l.a.r...,.V.e.r.s.i.o.n. .1...0. .0.8.-.1.0.-.2.0.0.2.....A.v.i.g.n.o.n.-.R.e.g.u.l.a.r................0GPOS`.g.......RLTSH...j........OS/2h;=........`PCLT.F.{...d...6VDMXw..i........cmap.R.}..EL...Vcvt ......V.....fpgm.S.1..T....sglyf.F....V ..1.hdmxn...........head...N...<...6hhea.......t...$hmtxS;..........kern...G........loca. .(...,....maxp...p....... name.w`6.......5post.Z..........prep...+..V..............3T._.<...........#.....l?........F.................F.................................................................-.......................2.................. ...........smak.@. ...F.....F..@.............. .....?...............O...#...!.../.b.&...&...#.[.&.[.....9...,...........B.......#...........................B...&.......B......."...,..."......./.......H...$...H...H...H...$.s.H...H..... .H...H.H.H...H...$...H...$.8.H.........L.B.h...p...#...........[.E...2.[.`..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\u[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	984
Entropy (8bit):	5.24959414573647
Encrypted:	false
SSDEEP:	24:4WYus7pN4ODUDRh+ozxyaOpB39ZpdVP+W4T:4p7RDUaGOT3HzUT
MD5:	03B52C64057974838A53E10C7FABD569
SHA1:	8C3C666FA80EDEAF41C122FDF341037A9A0605D0
SHA-256:	0900B5CD25BFEED9BA922074A35F6D6B1C88A9C11ABA36BE12EF94E02230CFAA
SHA-512:	E59E1E47EE21769DE4F8AB0C27F9A3A46BB60961B72316C01FFED8AB11A3A77FB6888E7B9F71023C1434B79B0A7222B55DD53A999E16CB02F34DEEA3DEEA9A47
Malicious:	false
Reputation:	low
IE Cache URL:	https://n.wpslot.net/u?id=21VXS6F&ifca=D85JBJ
Preview:	.<!DOCTYPE html>.<html lang="en">.<head>. . <meta http-equiv="content-type" content="text/html; charset=UTF-8">. <meta charset="UTF-8">. <meta name="robots" content="noindex, nofollow">. <meta name="viewport" content="width=device-width, initial-scale=0.60, maximum-scale=1"> 320-->. <title>Unsubscribe</title>. <link rel="shortcut icon" href="/img/empty.ico"/>. <link rel="stylesheet" type="text/css" href="/css/fonts.css"/>. <link rel="stylesheet" type="text/css" href="/css/site.css?t=2020-11-10T09:26:22Z"/>.</head>.<body ng-app>..<div class="unsubContainer">. <p>CLICK THE BUTTON BELOW<br>TO UNSUBSCRIBE</p>. <a ng-hide="inProgress" class="w-button" ng-click="inProgress = true". href="/unsubscribe?id=21VXS6F&ifca=D85JBJ&confirm=true">UNSUBSCRIBE</a>. <div ng-cloak ng-show="inProgress" class="icon loader white"></div>.</div>..<script type="text/javascript" src="/js/angular.min.js?t=2020-11-10T09:26:22Z"></script>.</body>.</html>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\unsubscribe[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	644
Entropy (8bit):	5.0807188774889696
Encrypted:	false
SSDEEP:	12:4WYurYfD1cSN4F/d40hsM+IlM+KoRCxwdou4oQb:4WYus7pN4GUDR7ouY
MD5:	06084FB6C0D023E07F8EBE8539C3FF9D
SHA1:	51D7F27F1808C713AABB46F709EA5227EFCEB478
SHA-256:	DF65FC946597098D93F7A5C62CC5C4215064A853CE789472B4AE052942AF2C76
SHA-512:	DEB0C19968B30F0A9129466B967DC4BF30EFDC6DED936DE44A65800FBA5F3BBA0C3CC09188E36652A683B77075AE266AA76525EC941E7D0E74E21EC7E8C94AFF
Malicious:	false
Reputation:	low
IE Cache URL:	https://n.wpslot.net/unsubscribe?id=21VXS6F&ifca=D85JBJ&confirm=true
Preview:	.<!DOCTYPE html>.<html lang="en">.<head>. . <meta http-equiv="content-type" content="text/html; charset=UTF-8">. <meta charset="UTF-8">. <meta name="robots" content="noindex, nofollow">. <meta name="viewport" content="width=device-width, initial-scale=0.60, maximum-scale=1"> 320-->. <title>Unsubscribed</title>. <link rel="shortcut icon" href="/img/empty.ico"/>. <link rel="stylesheet" type="text/css" href="/css/fonts.css"/>. <link rel="stylesheet" type="text/css" href="/css/site.css?t=2020-11-10T09:26:22Z"/>.</head>.<body>..<div class="unsubContainer">. <p>YOU ARE UNSUBSCRIBED</p>.</div>..</body>.</html>

C:\Users\user\AppData\Local\Temp\~DF4C58437C8BBA4D34.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	25441
Entropy (8bit):	0.32352424685266234
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laAQHlm:kBqoxxJhHWSVSEabQFm
MD5:	B334CC71A7703CFB0B68B7A17EAEA652
SHA1:	686A9D7F16085B929613F8CA0D59ADDA9A4CB936
SHA-256:	A1DFFF06DFF69CA4F1A8A34C1AB7571F37649634DD914C8D5FAAC50A59ACD7B5
SHA-512:	01DF47CC2A9CF0D81B162A8B116950F7CE29190F4D02C7FB06C7C7C9611114A4184D7AA770964DA9AC190E706332D933BDB53375B09E5E989EAFC54E3AB32470
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF6FE7520CCB2DC8FD.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13029
Entropy (8bit):	0.4809905323650239
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loEF9loE9lWYANa55ZY1:kBqoI/JHNa55ZY1
MD5:	18E94463D95D440C659290B797747B97
SHA1:	63C78685C10DAEA443DEB433B751F32D4D4BCEB6
SHA-256:	1241F8E87E7579D276C7E553CCB62EF3F2F79E2132384F847D28481883239D9F
SHA-512:	FB5C0675D137F6FEEDBB7D1DEA24E9C1EA4313A48250F169B3D27B371875767BCB813DC9AF6928FCFE0A0ADDC653397A858B5353B544711AECECE2A883703086
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFF170DD14E7BFC24B.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	43773
Entropy (8bit):	0.4927093641573615
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+WQKjQnEHJPb7VfUlIEH4zyQ:kBqoxKAuqR+WQKjQnm59+
MD5:	A8FB09A7FE4B7BE75D9431BAB41ED8BD
SHA1:	C9F67B10B41B8B1F23F2727A1E3CA0ADDF655870
SHA-256:	15D493FC54A0E8F8B5D094D34EEE1EE4D17EC301E7BCBDDB1505FB49051812A8
SHA-512:	258D9669E6BAB1C984D4A870B3DF97897BF1BC6B0E26F3BF52F2CE93A7FE1A1AD61547E20688B348710651B8778F98A7070B2C8DA57C2D108A3B544C8072673A
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2020 02:27:25.072717905 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.072726965 CET	49697	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.098908901 CET	443	49697	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.098963976 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.099005938 CET	49697	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.099127054 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.104590893 CET	49697	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.104890108 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.130665064 CET	443	49697	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.130705118 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.132739067 CET	443	49697	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.132781982 CET	443	49697	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.132808924 CET	443	49697	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.132824898 CET	49697	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.132855892 CET	49697	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.132880926 CET	49697	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.134171009 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.134211063 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.134239912 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.134309053 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.134351969 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.180610895 CET	49697	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.182410955 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.186165094 CET	49697	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.206974030 CET	443	49697	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.207088947 CET	49697	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.208633900 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.208767891 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.223752975 CET	443	49697	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.223795891 CET	443	49697	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.223917961 CET	49697	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.286611080 CET	49697	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.287491083 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.288181067 CET	49699	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.313575029 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.313699961 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.314079046 CET	443	49699	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.314172029 CET	49699	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.314307928 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.314898014 CET	49699	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.340835094 CET	443	49699	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.340998888 CET	443	49699	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.341089964 CET	49699	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.341474056 CET	49699	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.342242956 CET	443	49697	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.342284918 CET	443	49697	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.342315912 CET	443	49697	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.342336893 CET	49697	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.342395067 CET	49697	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.342401981 CET	49697	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.342976093 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.343060017 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.343060017 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.343116045 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.343154907 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.343170881 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.343177080 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.343194008 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.343216896 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.343239069 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.343255997 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.343277931 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.343295097 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.343318939 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.343337059 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.343358040 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.343372107 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.343405962 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.343409061 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.343456984 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.369466066 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.369561911 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.369605064 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.369621038 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.369638920 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.369661093 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.369668961 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.369700909 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.369723082 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.369741917 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.369755030 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.369781017 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.369801998 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.369820118 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.369827986 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.369858980 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.369874001 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.369905949 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.369906902 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.369961023 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.369975090 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.369999886 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.370014906 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.370039940 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.370059967 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.370079994 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.370096922 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.370117903 CET	443	49698	176.31.142.212	192.168.2.3
Nov 22, 2020 02:27:25.370131969 CET	49698	443	192.168.2.3	176.31.142.212
Nov 22, 2020 02:27:25.370157003 CET	443	49698	176.31.142.212	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2020 02:27:23.961940050 CET	51281	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:23.999130011 CET	53	51281	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:25.023294926 CET	49199	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:25.063536882 CET	53	49199	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:40.696542025 CET	50620	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:40.723726034 CET	53	50620	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:41.154623032 CET	64938	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:41.205127954 CET	53	64938	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:41.934082985 CET	60152	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:41.961347103 CET	53	60152	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:42.780378103 CET	57544	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:42.807553053 CET	53	57544	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:43.596894026 CET	55984	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:43.632548094 CET	53	55984	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:44.528425932 CET	64185	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:44.555557013 CET	53	64185	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:44.959991932 CET	65110	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:44.987231970 CET	53	65110	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:45.639411926 CET	58361	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:45.666591883 CET	53	58361	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:46.737993002 CET	63492	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:46.773919106 CET	53	63492	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:47.134888887 CET	60831	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:47.171758890 CET	53	60831	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:47.771706104 CET	60100	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:47.799355984 CET	53	60100	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:48.814776897 CET	53195	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:48.842047930 CET	53	53195	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:49.924978018 CET	50141	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:49.952255964 CET	53	50141	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:52.321197987 CET	53023	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:52.348460913 CET	53	53023	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:53.200246096 CET	49563	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:53.227458000 CET	53	49563	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:53.806734085 CET	51352	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:53.857952118 CET	53	51352	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:53.960041046 CET	59349	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:53.987236977 CET	53	59349	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:54.328712940 CET	57084	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:54.364134073 CET	53	57084	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:54.690665007 CET	58823	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:54.717962980 CET	53	58823	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:54.977780104 CET	59349	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:55.005057096 CET	53	59349	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:55.400392056 CET	57568	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:55.436291933 CET	53	57568	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:55.694684029 CET	58823	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:55.721968889 CET	53	58823	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:56.276618004 CET	59349	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:56.303874969 CET	53	59349	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:56.850744963 CET	58823	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:56.877957106 CET	53	58823	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:58.610270977 CET	59349	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:58.637526035 CET	53	59349	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:58.914940119 CET	58823	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:58.942132950 CET	53	58823	8.8.8.8	192.168.2.3
Nov 22, 2020 02:27:59.425965071 CET	50540	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:27:59.453242064 CET	53	50540	8.8.8.8	192.168.2.3
Nov 22, 2020 02:28:00.588303089 CET	54366	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:28:00.615581036 CET	53	54366	8.8.8.8	192.168.2.3
Nov 22, 2020 02:28:01.657067060 CET	53034	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:28:01.692748070 CET	53	53034	8.8.8.8	192.168.2.3
Nov 22, 2020 02:28:02.616969109 CET	59349	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:28:02.644239902 CET	53	59349	8.8.8.8	192.168.2.3
Nov 22, 2020 02:28:02.929361105 CET	58823	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:28:02.956481934 CET	53	58823	8.8.8.8	192.168.2.3
Nov 22, 2020 02:28:03.084914923 CET	57762	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:28:03.112124920 CET	53	57762	8.8.8.8	192.168.2.3
Nov 22, 2020 02:28:04.205156088 CET	55435	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:28:04.240829945 CET	53	55435	8.8.8.8	192.168.2.3
Nov 22, 2020 02:28:09.298877001 CET	50713	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:28:09.336848974 CET	53	50713	8.8.8.8	192.168.2.3
Nov 22, 2020 02:28:18.037527084 CET	56132	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:28:18.064841032 CET	53	56132	8.8.8.8	192.168.2.3
Nov 22, 2020 02:28:20.669688940 CET	58987	53	192.168.2.3	8.8.8.8
Nov 22, 2020 02:28:20.706723928 CET	53	58987	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 22, 2020 02:27:25.023294926 CET	192.168.2.3	8.8.8.8	0x3c7e	Standard query (0)	n.wpslot.net	A (IP address)	IN (0x0001)
Nov 22, 2020 02:27:41.154623032 CET	192.168.2.3	8.8.8.8	0x8503	Standard query (0)	n.wpslot.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 22, 2020 02:27:25.063536882 CET	8.8.8.8	192.168.2.3	0x3c7e	No error (0)	n.wpslot.net		176.31.142.212	A (IP address)	IN (0x0001)
Nov 22, 2020 02:27:41.205127954 CET	8.8.8.8	192.168.2.3	0x8503	No error (0)	n.wpslot.net		176.31.142.212	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Nov 22, 2020 02:27:25.132781982 CET	176.31.142.212	443	192.168.2.3	49697	CN=n.wpslot.net CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Fri Nov 06 15:45:36 CET 2020 Thu Mar 17 17:40:46 CET 2016	Thu Feb 04 15:45:36 CET 2021 Wed Mar 17 17:40:46 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Nov 22, 2020 02:27:25.132781982 CET	176.31.142.212	443	192.168.2.3	49697	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 17 17:40:46 CET 2016	Wed Mar 17 17:40:46 CET 2021		9e10692f1b7f78228b2d4e424db3a98c
Nov 22, 2020 02:27:25.134211063 CET	176.31.142.212	443	192.168.2.3	49698	CN=n.wpslot.net CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Fri Nov 06 15:45:36 CET 2020 Thu Mar 17 17:40:46 CET 2016	Thu Feb 04 15:45:36 CET 2021 Wed Mar 17 17:40:46 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Nov 22, 2020 02:27:25.134211063 CET	176.31.142.212	443	192.168.2.3	49698	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 17 17:40:46 CET 2016	Wed Mar 17 17:40:46 CET 2021		9e10692f1b7f78228b2d4e424db3a98c
Nov 22, 2020 02:27:41.264200926 CET	176.31.142.212	443	192.168.2.3	49702	CN=n.wpslot.net CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Fri Nov 06 15:45:36 CET 2020 Thu Mar 17 17:40:46 CET 2016	Thu Feb 04 15:45:36 CET 2021 Wed Mar 17 17:40:46 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Nov 22, 2020 02:27:41.264200926 CET	176.31.142.212	443	192.168.2.3	49702	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 17 17:40:46 CET 2016	Wed Mar 17 17:40:46 CET 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 852 Parent PID: 792

General

Start time:	02:27:22
Start date:	22/11/2020
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff775510000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: iexplore.exe PID: 4852 Parent PID: 852

General

Start time:	02:27:23
Start date:	22/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:852 CREDAT:17410 /prefetch:2
Imagebase:	0x80000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report https://n.wpslot.net/u?id=21VXS6F&ifca=D85JBJ

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Networking:

System Summary:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 852 Parent PID: 792

General

Analysis Process: iexplore.exe PID: 4852 Parent PID: 852

General

Disassembly