
Analysis Report http://cobalten.com/apu.php?zoneid=1543391

Overview

General Information

Sample URL:http://cobalten.com/apu.php?zoneid=1543391
Analysis ID:324344

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Found WSH timer for Javascript or VBS script (likely evasive script)
Potential browser exploit detected (process start blacklist hit)

Startup

  • System is w10x64
  • iexplore.exe (PID: 6704 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6752 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6704 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • wscript.exe (PID: 6436 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\apu.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup
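
The Startup tree above is the evidence behind the "Potential browser exploit detected (process start blacklist hit)" signature: the 64-bit IE frame process (PID 6704) started WScript.exe directly on a .js file that IE had just written to its INetCache folder, and the signature section later shows wscript.exe querying CLSID {f414c260-6ac0-11cf-b6d1-00aa00bbbb58}, which is the JScript engine, so the cached file ran as JScript in an ordinary medium-integrity process rather than inside the browser's Protected Mode. The Python below is an added example, not part of the Joe Sandbox report, showing how to detect that pattern over Sysmon-style process-creation events. The event records are constructed: the PIDs, images and command lines mirror the Startup section, while the svchost parent and the benign explorer.exe-launched logon script are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not part of the Joe Sandbox report. Turns the report's process
# tree (iexplore.exe PID 6704 -> wscript.exe PID 6436 on a .js under INetCache)
# into a detection over Sysmon Event ID 1 style records. Field names follow
# Sysmon (Image, ParentProcessId, CommandLine); the event values are constructed.

BROWSERS = {"iexplore.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Folders a browser writes cached or downloaded content into.
DOWNLOAD_DIRS = re.compile(r"\\(INetCache|Temporary Internet Files|Downloads|Temp)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|wsh|hta)(['\"]|\s|$)", re.I)
MAX_DEPTH = 3  # ancestors to walk: browsers run broker/child process layers


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def browser_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[ProcEvent]:
    """Walk up to MAX_DEPTH parents; return the first browser process found."""
    cur = by_pid.get(ev.ppid)
    for _ in range(MAX_DEPTH):
        if cur is None:
            return None
        if basename(cur.image) in BROWSERS:
            return cur
        cur = by_pid.get(cur.ppid)
    return None


def detect(events: List[ProcEvent]) -> List[dict]:
    """Alert on script hosts with a browser in their parent chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if basename(ev.image) not in SCRIPT_HOSTS:
            continue
        parent = browser_ancestor(ev, by_pid)
        if parent is None:
            continue
        # A script argument inside a browser cache/download folder is the
        # strongest signal; any script host under a browser is still medium.
        from_cache = bool(DOWNLOAD_DIRS.search(ev.command_line)
                          and SCRIPT_EXT.search(ev.command_line))
        alerts.append({
            "pid": ev.pid,
            "image": basename(ev.image),
            "browser_pid": parent.pid,
            "browser": basename(parent.image),
            "script_from_browser_cache": from_cache,
            "severity": "high" if from_cache else "medium",
        })
    return alerts


# Constructed events modelled on the report's Startup section. PIDs, images and
# the cache path are the report's; the svchost parent and benign rows are invented.
SAMPLE_EVENTS = [
    ProcEvent(6704, 900, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r"'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding"),
    ProcEvent(6752, 6704, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r"'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6704 CREDAT:17410 /prefetch:2"),
    ProcEvent(6436, 6704, r"C:\Windows\System32\WScript.exe",
              r"'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\apu.js'"),
    # Benign: a logon script started by explorer.exe, no browser in the chain.
    ProcEvent(4000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(7000, 4000, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Scripts\logon.vbs"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The report does not show how WScript came to be chosen; a .js response that IE does not render is offered to the registered file-type handler, and WScript.exe is the default handler for .js. The script itself, judging by the apu[1].js preview in the Created / dropped Files section, is a minified webpack-style bundle keyed on a zoneId: it runs a setInterval of 108e5 ms (three hours) that re-fetches the zone URL with an rfo counter and carries functions named tryToEscapeIframe/getOutFromIframe and isOpenThroughAntiAdblock, all browser-side behaviour that has no use under WScript.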

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
    Source: cobalten.com | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
    Source: http://cobalten.com/apu.php?zoneid=1543391 | Virustotal: Detection: 6%

Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Windows\System32\wscript.exe
Source: global traffic | HTTP traffic detected:
    GET /apu.php?zoneid=1543391 HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: cobalten.com
    Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: cobalten.com
Source: wscript.exe, 00000007.00000003.701380758.000001BA88B3F000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.899911273.000001BA88B5F000.00000004.00000001.sdmp | String found in binary or memory: http://cobalten.com/options?option_args=CN-ZXhIgMmRlNzVmMTY0MmIxNDM5OGJlZjc5ZTZiOTM5OGRkMTIaKmh0dHA6
Source: classification engine | Classification label: mal56.win@5/9@1/1
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C9FB0D29-3221-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF7D86A71D5668986C.TMP
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6704 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\apu.js'
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6704 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\apu.js'
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: wscript.pdbGCTL | source: wscript.exe, 00000007.00000002.899337256.000001BA86E60000.00000002.00000001.sdmp
Source: Binary string: wscript.pdb | source: wscript.exe, 00000007.00000002.899337256.000001BA86E60000.00000002.00000001.sdmp
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: wscript.exe, 00000007.00000002.899404860.000001BA872A0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: wscript.exe, 00000007.00000002.899404860.000001BA872A0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: wscript.exe, 00000007.00000002.899404860.000001BA872A0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: wscript.exe, 00000007.00000002.899404860.000001BA872A0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Tactic: techniques (a count in parentheses is the number of matching signatures; techniques without a count are the matrix layout's unmatched entries)

Initial Access: Valid Accounts, Default Accounts, Domain Accounts
Execution: Scripting (1), Exploitation for Client Execution (1), At (Linux)
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows)
Privilege Escalation: Process Injection (2), Boot or Logon Initialization Scripts, Logon Script (Windows)
Defense Evasion: Masquerading (1), Process Injection (2), Scripting (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager
Discovery: Process Discovery (1), File and Directory Discovery (2), System Information Discovery (2)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
Command and Control: Non-Application Layer Protocol (2), Application Layer Protocol (2), Ingress Tool Transfer (1)
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
http://cobalten.com/apu.php?zoneid=1543391 | 6% | Virustotal |
http://cobalten.com/apu.php?zoneid=1543391 | 0% | Avira URL Cloud | safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
cobalten.com | 6% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://cobalten.com/options?option_args=CN-ZXhIgMmRlNzVmMTY0MmIxNDM5OGJlZjc5ZTZiOTM5OGRkMTIaKmh0dHA6 | 0% | Avira URL Cloud | safe
0 | 1% | Virustotal |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
cobalten.com | 139.45.196.83 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://cobalten.com/apu.php?zoneid=1543391 | true | | unknown
0 | true | | low

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://cobalten.com/options?option_args=CN-ZXhIgMmRlNzVmMTY0MmIxNDM5OGJlZjc5ZTZiOTM5OGRkMTIaKmh0dHA6 | wscript.exe, 00000007.00000003.701380758.000001BA88B3F000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.899911273.000001BA88B5F000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown

    Contacted IPs

    Public

    IP | Domain | Country | ASN | ASN Name | Malicious
    139.45.196.83 | unknown | Netherlands | 9002 | RETN-ASEU | true

    General Information

    Joe Sandbox Version:31.0.0 Red Diamond
    Analysis ID:324344
    Start date:29.11.2020
    Start time:10:03:04
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 4m 3s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:browseurl.jbs
    Sample URL:http://cobalten.com/apu.php?zoneid=1543391
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of new started processes analysed:16
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal56.win@5/9@1/1
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    Warnings:
    • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
    • Excluded IPs from analysis (whitelisted): 104.83.120.32, 93.184.220.29, 51.104.139.180, 152.199.19.161, 13.64.90.137, 40.126.1.135, 40.126.1.144, 20.190.129.18, 40.126.1.143, 40.126.1.129, 20.190.129.23, 20.190.129.1, 20.190.129.134, 52.155.217.156, 104.42.151.234, 20.54.26.129, 67.26.83.254, 67.26.81.254, 8.241.122.254, 8.253.204.249, 8.241.121.126, 92.122.213.194, 92.122.213.247
    • Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, go.microsoft.com, ocsp.digicert.com, login.live.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, ie9comview.vo.msecnd.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, ris.api.iris.microsoft.com, go.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, cs9.wpc.v0cdn.net
    • Report size getting too big, too many NtProtectVirtualMemory calls found.

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C9FB0D29-3221-11EB-90EB-ECF4BBEA1588}.dat
    Process:C:\Program Files\internet explorer\iexplore.exe
    File Type:Microsoft Word Document (libmagic label for an OLE2 compound document; IE's tab recovery store uses that container, as the "Root Entry" directory name in the preview shows)
    Category:dropped
    Size (bytes):32344
    Entropy (8bit):1.796751689523737
    Encrypted:false
    SSDEEP:192:r9ZaZll299WfztTif2c+zMcWB3QiRkGP1AyXyp2:rTGl89Ufx0fPPF2yt
    MD5:14E3FBB02E4A1E3F4093CBDB2C849CC3
    SHA1:58057F91AA6DD83F30ED46E619123179445FCD88
    SHA-256:110EABAF3E1B741DED95DB1D72F94CE872430D538F6E8E5BC0AE65617DE70D05
    SHA-512:531B42249C72F641A765CCC552CF15E97A2D4C89327FC277DA642BF404DD240C3CBACFE198F68723F555AE64EC8E72001A6D35D53D2A970CB171E1A568CE4DC7
    Malicious:false
    Reputation:low
    Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C9FB0D2B-3221-11EB-90EB-ECF4BBEA1588}.dat
    Process:C:\Program Files\internet explorer\iexplore.exe
    File Type:Microsoft Word Document (libmagic label for an OLE2 compound document; IE's tab recovery store uses that container, as the "Root Entry" directory name in the preview shows)
    Category:dropped
    Size (bytes):19032
    Entropy (8bit):1.6006443159742842
    Encrypted:false
    SSDEEP:48:Iw/GcprGjGwpa+G4pQOhGrapbSjrGQpBl9WGHHpclOXsTGUpQlCiQGcpm:rVZaQ+6OxBSjFjl9V2lOXk6lgg
    MD5:D46933DC8A8508F0DEF22E85BF63782A
    SHA1:5F1E6ACF5A510E2CC393327DBDE1543E6F374EBE
    SHA-256:CFF602EE4C36BB577A44417725BF19F7CB264CF2E72E3E9146B769C212189D27
    SHA-512:3610CBC47FDC460AE795E1156E24BDDABAFF6E4A4697801C998E3002457786A77594031C2B9056BE146C4D0D4374A073850B168BFE640A84B60294D63DEDCDEF
    Malicious:false
    Reputation:low
    Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\apu.js.38x4qq4.partial
    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
    File Type:ASCII text, with very long lines, with no line terminators
    Category:dropped
    Size (bytes):63244
    Entropy (8bit):5.305075867676128
    Encrypted:false
    SSDEEP:768:zxU7XsA1y2H2wWirIv+XIJYN4b/QQASNOEguYJwjc6n5njZet1mC4HdrGB88q9i7:1UbsA1lrIv+XulNAB9u6Cjy1mjJE8w
    MD5:468803AC7B14D9E67D8533EE74D8E9DA
    SHA1:E0B1B62B16DA21688CFB9E740ABD9AAD5014222F
    SHA-256:C6910AF0DB585874714680D0B8F400A05C0B006733DAAA681B1F58D702411E2D
    SHA-512:28AF18835313C6806F688D3E1B6407D14DA2538902F4651616C13B6DFB3DB5B7F3A0F96CCB971F6F352669111ECA46B74A6A839790D9282CB990EBC44CC7539D
    Malicious:false
    Reputation:low
    Preview: (function(lczxsusin) {function c(e){if(b[e])return b[e].exports;var t=b[e]={exports:{},id:e,loaded:!1};return a[e].call(t.exports,t,t.exports,c),t.loaded=!0,t.exports}var a,b;a=[function(e,t,n){"use strict";var o=r(n(1)),i=n(2),a=r(n(3)),u=n(4),d=r(n(32)),c=r(n(33)),l=n(34),s=n(7),f=n(6),p=n(19),h=r(n(35)),m=n(30),v=n(5),g=n(13),w=r(n(9));n(8);var y=n(29);function r(e){return e&&e.__esModule?e:{default:e}}function b(e){(0,f.addUsedMethod)("initStart");var r="string"==typeof e?JSON.parse((0,l.toString)(e)):e;(0,i.setOptions)(r);var n=0;if(setInterval(function(){n++,S(r.zoneId,function(e){var t=e.url;(0,i.setOptions)(e),(0,i.setOption)("url",t+(-1<t.indexOf("?")?"&":"?")+"rfo="+n),(0,s.setQualityParams)(),(0,p.refreshLinks)()})},108e5),(0,m.broadcastInfo)("onclick","0.0.1",r.zoneId,void 0,void 0,{sd:p.setDomain,gum:f.getUsedMethods}),(r.tryToEscapeIframe||r.getOutFromIframe)&&a.default.tryTop(),(0,v.isOpenThroughAntiAdblock)()&&setTimeout(function(){(0,h.default)(r.zoneId,"onclick")},100
    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\apu.js.38x4qq4.partial:Zone.Identifier
    Process:C:\Program Files\internet explorer\iexplore.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):26
    Entropy (8bit):3.95006375643621
    Encrypted:false
    SSDEEP:3:gAWY3n:qY3n
    MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
    SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
    SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
    SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
    Malicious:false
    Reputation:low
    Preview: [ZoneTransfer]..ZoneId=3..
    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\apu.js:Zone.Identifier
    Process:C:\Program Files\internet explorer\iexplore.exe
    File Type:very short file (no magic)
    Category:modified
    Size (bytes):1
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:3:W:W
    MD5:ECCBC87E4B5CE2FE28308FD9F2A7BAF3
    SHA1:77DE68DAECD823BABBB58EDB1C8E14D7106E83BB
    SHA-256:4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE
    SHA-512:3BAFBF08882A2D10133093A1B8433F50563B93C14ACD05B79028EB1D12799027241450980651994501423A66C276AE26C43B739BC65C4E16B10C3AF6C202AEBB
    Malicious:false
    Reputation:low
    Preview: 3
    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\apu[1].js
    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
    File Type:ASCII text, with very long lines, with no line terminators
    Category:dropped
    Size (bytes):63244
    Entropy (8bit):5.305075867676128
    Encrypted:false
    SSDEEP:768:zxU7XsA1y2H2wWirIv+XIJYN4b/QQASNOEguYJwjc6n5njZet1mC4HdrGB88q9i7:1UbsA1lrIv+XulNAB9u6Cjy1mjJE8w
    MD5:468803AC7B14D9E67D8533EE74D8E9DA
    SHA1:E0B1B62B16DA21688CFB9E740ABD9AAD5014222F
    SHA-256:C6910AF0DB585874714680D0B8F400A05C0B006733DAAA681B1F58D702411E2D
    SHA-512:28AF18835313C6806F688D3E1B6407D14DA2538902F4651616C13B6DFB3DB5B7F3A0F96CCB971F6F352669111ECA46B74A6A839790D9282CB990EBC44CC7539D
    Malicious:false
    Reputation:low
    Preview: (function(lczxsusin) {function c(e){if(b[e])return b[e].exports;var t=b[e]={exports:{},id:e,loaded:!1};return a[e].call(t.exports,t,t.exports,c),t.loaded=!0,t.exports}var a,b;a=[function(e,t,n){"use strict";var o=r(n(1)),i=n(2),a=r(n(3)),u=n(4),d=r(n(32)),c=r(n(33)),l=n(34),s=n(7),f=n(6),p=n(19),h=r(n(35)),m=n(30),v=n(5),g=n(13),w=r(n(9));n(8);var y=n(29);function r(e){return e&&e.__esModule?e:{default:e}}function b(e){(0,f.addUsedMethod)("initStart");var r="string"==typeof e?JSON.parse((0,l.toString)(e)):e;(0,i.setOptions)(r);var n=0;if(setInterval(function(){n++,S(r.zoneId,function(e){var t=e.url;(0,i.setOptions)(e),(0,i.setOption)("url",t+(-1<t.indexOf("?")?"&":"?")+"rfo="+n),(0,s.setQualityParams)(),(0,p.refreshLinks)()})},108e5),(0,m.broadcastInfo)("onclick","0.0.1",r.zoneId,void 0,void 0,{sd:p.setDomain,gum:f.getUsedMethods}),(r.tryToEscapeIframe||r.getOutFromIframe)&&a.default.tryTop(),(0,v.isOpenThroughAntiAdblock)()&&setTimeout(function(){(0,h.default)(r.zoneId,"onclick")},100
    C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
    File Type:ASCII text, with CRLF line terminators
    Category:modified
    Size (bytes):89
    Entropy (8bit):4.376382982745554
    Encrypted:false
    SSDEEP:3:oVXVPIMfO75b8JOGXnFPIMfO75+un:o9WMqVqmMq0u
    MD5:28B3CDBBB2DEB560B229EF760BDA5DC3
    SHA1:8A59EBC87777925FE32B755C5A9220376D75AA5D
    SHA-256:52F6CEEE041FD1774C0268E908F9D701BC71DD88D7AA9FA859F971756260D1A5
    SHA-512:E96573353E6711825682A45CED028A0689664E6C170F05EF41242A5A207EC40323EF298A098BC48222259E61C39D0C7E44BB124B542C583192D4530FF7F5B008
    Malicious:false
    Reputation:low
    Preview: [2020/11/29 10:03:48.828] Latest deploy version: ..[2020/11/29 10:03:48.828] 11.211.2 ..
    C:\Users\user\AppData\Local\Temp\~DF787EA13DB244596B.TMP
    Process:C:\Program Files\internet explorer\iexplore.exe
    File Type:data
    Category:dropped
    Size (bytes):29989
    Entropy (8bit):0.3303862347843544
    Encrypted:false
    SSDEEP:24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwlA9lwlw9l2lm/9l2lz:kBqoxKAuvScS+ljl9lm+ljlCy
    MD5:34D95264272545DD591CDBECA4CF0FB9
    SHA1:8325D66421DA421BECE431BF73E5C96D606E0013
    SHA-256:781B0F673243B0FB06C3BD984B446A8C7D831D24B48249F3E2737B2376D42662
    SHA-512:2000AFC90F607DDF3FFBF412BF880E90CA3F5233081B0A24AC83CCD0BC53FC4090F58405114ED6F823CDA45C30210BC4E676DDCBBA1FF90F8282FF90E95B35C5
    Malicious:false
    Reputation:low
    Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    C:\Users\user\AppData\Local\Temp\~DF7D86A71D5668986C.TMP
    Process:C:\Program Files\internet explorer\iexplore.exe
    File Type:data
    Category:dropped
    Size (bytes):12981
    Entropy (8bit):0.4415542379601371
    Encrypted:false
    SSDEEP:12:c9lCg5/9lCgeK9l26an9l26an9l8fRRF9l8fRz9lTq5AoLC:c9lLh9lLh9lIn9lIn9loz9loz9lWs
    MD5:63F15878D07078EFAEE2987386A9FE86
    SHA1:6D49A13E9915A4DCDB4FB0B038AB951C53CAAB8A
    SHA-256:80CEB98819C9FDB3D69747F0ECC0BFCC8AA112E51BECC629966780295F01B739
    SHA-512:30EAE097291797F8274847140C8702DC0EF8498B8308A80894EAAB059292F9C8A23D29DD2FD3BD40193237D6C8EEF6649337416272519C7E407FBAF13C6AD515
    Malicious:false
    Reputation:low
    Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
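
Two of the dropped files above are small enough that their previews show the whole content: the Zone.Identifier stream is the 26-byte text "[ZoneTransfer]" CR LF "ZoneId=3" CR LF (ZoneId 3 is the Internet zone, the Mark of the Web that IE attaches to content it downloads), and the one-byte file is the ASCII digit 3. That makes the report's size, entropy and hash columns reproducible. The Python below is an added example, not part of the Joe Sandbox report; it computes 8-bit Shannon entropy and the MD5/SHA-1/SHA-256 digests the report lists and parses the Zone.Identifier stream. Both inputs are reconstructed from the previews; the ReferrerUrl/HostUrl handling covers newer Windows builds that add those keys and is not exercised by this sample.

```python
import hashlib
import math
from collections import Counter

# Added example, not part of the Joe Sandbox report. Recomputes the per-file
# figures from the "Created / dropped Files" section and decodes the
# Zone.Identifier alternate data stream (Mark of the Web). File contents are
# reconstructed from the report's previews, not taken from the sandbox.

# URLZONE values of the Windows security-zone model.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte; 0.0 for an empty or one-symbol file."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """Size, entropy and the three digests the report prints (upper-case hex)."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def parse_zone_identifier(stream: bytes) -> dict:
    """Parse the INI-style ':Zone.Identifier' stream.

    Only the [ZoneTransfer] section is read. Newer Windows builds add
    ReferrerUrl and HostUrl keys; this sample carries only ZoneId.
    """
    text = stream.decode("utf-8", errors="replace")
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    zone = int(fields["ZoneId"]) if fields.get("ZoneId", "").isdigit() else None
    return {
        "zone_id": zone,
        "zone_name": ZONES.get(zone, "unknown"),
        "referrer_url": fields.get("ReferrerUrl"),
        "host_url": fields.get("HostUrl"),
        "from_internet": zone is not None and zone >= 3,
    }


# Reconstructed from the report's previews ("[ZoneTransfer]..ZoneId=3.." and "3").
ZONE_IDENTIFIER_STREAM = b"[ZoneTransfer]\r\nZoneId=3\r\n"
ONE_BYTE_FILE = b"3"


def report_match() -> dict:
    """Compare our figures with the values the report printed for these files."""
    zi = digests(ZONE_IDENTIFIER_STREAM)
    one = digests(ONE_BYTE_FILE)
    return {
        "zone_identifier_size_ok": zi["size"] == 26,
        "zone_identifier_entropy_ok": abs(zi["entropy"] - 3.95006375643621) < 1e-9,
        "zone_identifier_md5_ok": zi["md5"] == "FBCCF14D504B7B2DBCB5A5BDA75BD93B",
        "one_byte_md5_ok": one["md5"] == "ECCBC87E4B5CE2FE28308FD9F2A7BAF3",
        "one_byte_entropy_ok": one["entropy"] == 0.0,
    }


if __name__ == "__main__":
    print(parse_zone_identifier(ZONE_IDENTIFIER_STREAM))
    print(digests(ZONE_IDENTIFIER_STREAM))
    print(report_match())
```

The entropy 3.950063756 for the 26-byte stream and MD5 ECCBC87E4B5CE2FE28308FD9F2A7BAF3 for the digit 3 reproduce the report's columns, which confirms those previews are complete rather than truncated. The Internet-zone marker on the cached apu.js is worth noting in the context of the Startup section: WScript.exe does not consult the zone before running a script, so the Mark of the Web only helps components that check it (Explorer's open-file warning, SmartScreen, Office Protected View), not a script host launched directly by the browser.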

    Static File Info

    No static file info

    Network Behavior

    TCP Packets

    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Nov 29, 2020 10:03:49.936918974 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:49.937750101 CET | 49731 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:49.962661982 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:49.962770939 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:49.963325024 CET | 80 | 49731 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:49.963402987 CET | 49731 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:49.964040995 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:49.989686012 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:49.996120930 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:49.996169090 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:49.996191978 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:49.996202946 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:49.996220112 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:49.996246099 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:49.996263027 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:49.996294022 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:49.996304035 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:49.996335030 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:49.996349096 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:49.996377945 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:49.996387959 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:49.996413946 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:49.996438026 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:49.996459961 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:49.996478081 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:49.996500969 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:49.996537924 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:49.996550083 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:50.022214890 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:50.022252083 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:50.022283077 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:50.022298098 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:50.022325039 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:50.022330999 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:50.022346973 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:50.022360086 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:50.022392035 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:50.022399902 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:50.022403955 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:50.022433996 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:50.022454023 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:50.022481918 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:03:54.996385098 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:03:54.996725082 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:04:02.194062948 CET | 49730 | 80 | 192.168.2.4 | 139.45.196.83
    Nov 29, 2020 10:04:02.219938040 CET | 80 | 49730 | 139.45.196.83 | 192.168.2.4
    Nov 29, 2020 10:04:02.227606058 CET | 49731 | 80 | 192.168.2.4 | 139.45.196.83

    UDP Packets

    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Nov 29, 2020 10:03:48.832676888 CET | 53097 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:03:48.869710922 CET | 53 | 53097 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:03:49.890487909 CET | 49257 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:03:49.925926924 CET | 53 | 49257 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:03:56.968848944 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:03:56.996298075 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:17.220031023 CET | 49910 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:17.247478962 CET | 53 | 49910 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:18.823914051 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:18.863179922 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:19.255518913 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:19.291258097 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:19.827651978 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:19.863396883 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:20.830734015 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:20.866213083 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:22.453840017 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:22.490827084 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:22.562586069 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:22.599355936 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:22.846357107 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:22.881577969 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:23.023591042 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:23.079916000 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:23.466439009 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:23.501782894 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:23.647947073 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:23.674860954 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:24.192768097 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:24.230690002 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:24.807898998 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:24.843483925 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:24.879498005 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:24.891875982 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:24.918977976 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:24.923193932 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:25.212330103 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:25.248246908 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:25.653007030 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:25.688878059 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:26.185631990 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:26.221194983 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:26.302387953 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:26.329488993 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:26.830339909 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:26.862430096 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:26.865880966 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:26.900038958 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:27.251632929 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:27.278814077 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:27.369324923 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:27.404973030 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:28.603399992 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:28.639071941 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:29.618382931 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:29.645915985 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:30.717787027 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:30.745055914 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:31.743808985 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:31.771111012 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:32.807871103 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:32.835032940 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:33.316510916 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:33.343626976 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:34.089165926 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:34.116295099 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:35.219573021 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:35.246833086 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:36.208369970 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:36.244106054 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4
    Nov 29, 2020 10:04:37.914171934 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8
    Nov 29, 2020 10:04:37.941526890 CET53615318.8.8.8192.168.2.4
    Nov 29, 2020 10:04:39.007266045 CET4922853192.168.2.48.8.8.8
    Nov 29, 2020 10:04:39.043148994 CET53492288.8.8.8192.168.2.4
    Nov 29, 2020 10:04:40.089257956 CET5979453192.168.2.48.8.8.8
    Nov 29, 2020 10:04:40.116472960 CET53597948.8.8.8192.168.2.4
    Nov 29, 2020 10:04:41.432390928 CET5591653192.168.2.48.8.8.8
    Nov 29, 2020 10:04:41.459590912 CET53559168.8.8.8192.168.2.4
    Nov 29, 2020 10:04:42.604558945 CET5275253192.168.2.48.8.8.8
    Nov 29, 2020 10:04:42.631647110 CET53527528.8.8.8192.168.2.4
    Nov 29, 2020 10:04:43.709355116 CET6054253192.168.2.48.8.8.8
    Nov 29, 2020 10:04:43.736694098 CET53605428.8.8.8192.168.2.4
    Nov 29, 2020 10:04:44.821275949 CET6068953192.168.2.48.8.8.8
    Nov 29, 2020 10:04:44.848459005 CET53606898.8.8.8192.168.2.4
    Nov 29, 2020 10:04:51.890614033 CET6420653192.168.2.48.8.8.8
    Nov 29, 2020 10:04:51.901263952 CET5090453192.168.2.48.8.8.8
    Nov 29, 2020 10:04:51.917781115 CET53642068.8.8.8192.168.2.4
    Nov 29, 2020 10:04:51.936786890 CET53509048.8.8.8192.168.2.4
    Nov 29, 2020 10:04:55.120908022 CET5752553192.168.2.48.8.8.8
    Nov 29, 2020 10:04:55.156374931 CET53575258.8.8.8192.168.2.4
    Nov 29, 2020 10:05:26.084811926 CET5381453192.168.2.48.8.8.8
    Nov 29, 2020 10:05:26.112126112 CET53538148.8.8.8192.168.2.4
    Nov 29, 2020 10:05:27.608913898 CET5341853192.168.2.48.8.8.8
    Nov 29, 2020 10:05:27.660434008 CET53534188.8.8.8192.168.2.4
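
The UDP listing above was extracted with its columns run together (the report's columns are Timestamp, Source Port, Dest Port, Source IP and Dest IP), and once the separators are gone the digits are genuinely ambiguous: a run such as `53558548.8.8.8192.168.2.4` has four syntactically valid readings. The Python below is an added example, not part of the report, that recovers the columns by enumerating every candidate split and keeping the single one consistent with facts visible elsewhere in the capture: the guest address 192.168.2.4, the resolver 8.8.8.8, and port 53 on one side of every packet. The two sample rows are copied from the table; `KNOWN_HOSTS` and `SERVICE_PORTS` are constraints assumed from the capture, and the parser refuses rows it cannot read uniquely rather than guessing.

```python
from dataclasses import dataclass

# Two rows copied from the flattened UDP packet listing above.
ROWS = [
    "Nov 29, 2020 10:04:18.863179922 CET53558548.8.8.8192.168.2.4",
    "Nov 29, 2020 10:04:19.255518913 CET6454953192.168.2.48.8.8.8",
]
# Assumed from the capture: the sandbox guest, its resolver, and the one
# well-known port involved. Without these the rows cannot be read uniquely.
KNOWN_HOSTS = {"192.168.2.4", "8.8.8.8"}
SERVICE_PORTS = {53}


@dataclass(frozen=True)
class UdpRow:
    timestamp: str
    src_port: int
    dst_port: int
    src_ip: str
    dst_ip: str


def _valid_port(s):
    return s.isdigit() and s[0] != "0" and 0 < int(s) <= 65535


def _valid_ip(s):
    octets = s.split(".")
    return len(octets) == 4 and all(
        o.isdigit() and (o == "0" or o[0] != "0") and int(o) <= 255 for o in octets)


def candidates(rest):
    """Every (src_port, dst_port, src_ip, dst_ip) split of the digit/dot run
    that is syntactically valid. For real rows there are usually several."""
    out = []
    for i in range(1, 6):                      # source port, 1..5 digits
        for j in range(1, 6):                  # destination port, 1..5 digits
            sp, dp, tail = rest[:i], rest[i:i + j], rest[i + j:]
            if not (_valid_port(sp) and _valid_port(dp)):
                continue
            for k in range(7, len(tail) - 6):  # an IPv4 literal is 7..15 chars
                a, b = tail[:k], tail[k:]
                if _valid_ip(a) and _valid_ip(b):
                    out.append((int(sp), int(dp), a, b))
    return out


def plausible(rest, known_hosts, service_ports):
    """Candidates that survive the external constraints: both addresses are
    known endpoints and (if a service-port set is given) one port is in it."""
    return [c for c in candidates(rest)
            if c[2] in known_hosts and c[3] in known_hosts
            and (not service_ports or {c[0], c[1]} & service_ports)]


def parse_flat_udp_row(row, known_hosts=KNOWN_HOSTS, service_ports=SERVICE_PORTS):
    """Recover one row's columns, or raise if it still has 0 or >1 readings."""
    ts, sep, rest = row.strip().partition(" CET")
    if not sep:
        raise ValueError(f"no timestamp terminator in {row!r}")
    hits = plausible(rest, known_hosts, service_ports)
    if len(hits) != 1:
        raise ValueError(f"{len(hits)} readings for {row!r}: {hits}")
    sp, dp, a, b = hits[0]
    return UdpRow(ts + " CET", sp, dp, a, b)


def is_ambiguous(row, known_hosts=KNOWN_HOSTS, service_ports=SERVICE_PORTS):
    rest = row.strip().partition(" CET")[2]
    return len(plausible(rest, known_hosts, service_ports)) != 1


if __name__ == "__main__":
    for r in ROWS:
        u = parse_flat_udp_row(r)
        print(f"{u.timestamp} | {u.src_port} | {u.dst_port} | {u.src_ip} | {u.dst_ip}")
```

Dropping the service-port constraint makes the first row ambiguous again (53/55854, 535/5854, 5355/854 and 53558/54 all fit between the same two known addresses), which is why the parser raises instead of picking one; a capture with more endpoints needs a larger `KNOWN_HOSTS` set, or the raw PCAP.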

    DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 29, 2020 10:03:49.890487909 CET | 192.168.2.4 | 8.8.8.8 | 0xa10 | Standard query (0) | cobalten.com | A (IP address) | IN (0x0001)

    DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 29, 2020 10:03:49.925926924 CET | 8.8.8.8 | 192.168.2.4 | 0xa10 | No error (0) | cobalten.com |  | 139.45.196.83 | A (IP address) | IN (0x0001)
Nov 29, 2020 10:03:49.925926924 CET | 8.8.8.8 | 192.168.2.4 | 0xa10 | No error (0) | cobalten.com |  | 139.45.196.21 | A (IP address) | IN (0x0001)
Nov 29, 2020 10:03:49.925926924 CET | 8.8.8.8 | 192.168.2.4 | 0xa10 | No error (0) | cobalten.com |  | 139.45.195.158 | A (IP address) | IN (0x0001)
Nov 29, 2020 10:03:49.925926924 CET | 8.8.8.8 | 192.168.2.4 | 0xa10 | No error (0) | cobalten.com |  | 139.45.195.37 | A (IP address) | IN (0x0001)
Nov 29, 2020 10:03:49.925926924 CET | 8.8.8.8 | 192.168.2.4 | 0xa10 | No error (0) | cobalten.com |  | 139.45.197.8 | A (IP address) | IN (0x0001)
Nov 29, 2020 10:03:49.925926924 CET | 8.8.8.8 | 192.168.2.4 | 0xa10 | No error (0) | cobalten.com |  | 139.45.195.102 | A (IP address) | IN (0x0001)
Nov 29, 2020 10:04:22.490827084 CET | 8.8.8.8 | 192.168.2.4 | 0x97c8 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net |  | CNAME (Canonical name) | IN (0x0001)

    HTTP Request Dependency Graph

    • cobalten.com

    HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49730 | 139.45.196.83 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Nov 29, 2020 10:03:49.964040995 CET | 2 | OUT | GET /apu.php?zoneid=1543391 HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: cobalten.com
    Connection: Keep-Alive
Nov 29, 2020 10:03:49.996120930 CET | 3 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 29 Nov 2020 09:03:49 GMT
    Content-Type: application/javascript
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Allow-Headers: Accept, Content-Type, Content-Length, Accept-Encoding
    Pragma: no-cache
    Cache-Control: no-transform, no-store, no-cache, must-revalidate, max-age=0
    Expires: Tue, 11 Jan 1994 10:00:00 GMT
    Timing-Allow-Origin: *
    X-Trace-Id: f83dd63a37d5c263aa2364f4c65ffdf5
    Set-Cookie: OAID=2de75f1642b14398bef79e6b9398dd12; expires=Mon, 29 Nov 2021 09:03:49 GMT
    Set-Cookie: oaidts=1606640629; expires=Mon, 29 Nov 2021 09:03:49 GMT
    Strict-Transport-Security: max-age=1
    X-Content-Type-Options: nosniff
    Timing-Allow-Origin: *
    Content-Encoding: gzip
    Data Raw: 35 35 30 33 0d 0a 1f 8b 08 00 00 00 00 00 04 03 cd bd 0b 5f db 56 d6 f0 fb 55 40 f3 be 8c 1d 8c b9 24 69 1b 1c 97 93 90 a4 a1 4d 02 0d 64 7a a1 4c 7e c2 16 a0 62 4b 1e 59 86 10 e0 7c f6 f3 5f 6b ef 2d 6d d9 32 a1 9d ce 9c 79 9e 69 b0 a4 7d df 6b af fb 5a bb 71 32 49 7a 79 9c 26 8d 41 ef f3 a7 f1 64 1c 27 cd 85 6b f7 72 a1 d7 88 9a d7 f1 49 e3 f8 30 3a 6a 66 51 3e c9 92 05 f9 dd 8e 3e 8d d2 2c 1f 77 2e c2 6c 21 ef ca ab ee b5 7d b7 79 7d db 8a fb 9b 51 6b 90 86 fd a8 bf b9 b8 7e db b1 55 43 a9 da 0b 07 83 46 ee 5a 68 e5 ad f2 77 af c9 83 a9 d6 5d 5c 2b 3f dc 4a 37 61 eb b8 13 76 0f dd d8 1a 11 55 93 e6 75 30 19 47 0b e3 3c 8b 7b 79 a0 c3 49 bb 59 23 69 ac 37 9b ad b8 9b 34 36 9a ad 50 5f 3c e4 c5 84 17 8f 9a ad be 79 b1 c1 9b 9e f9 29 1f 07 7c 7c c8 d7 31 7f bf 6e b6 4e f8 f3 55 b3 35 e2 cf fa 93 66 eb cc 14 7c 4c c1 a1 14 5c 6b b6 2e f8 fb b8 d9 3a 95 12 0f 9b ad 4b 2d f1 a4 d9 ec 24 8d 6f 9a 3a 94 2b 3e 6d 3c 69 76 dc 98 17 32 59 4f bb 18 d1 d2 52 d4 fe f8 31 1a bf 4d fb 93 41 b4 15 6d 5e f7 a3 93 70 32 c8 37 a3 db db a2 ca b1 54 69 ac b5 4e da 61 bf ff 61 1c f5 df 46 f9 59 da 6f 36 82 38 89 f3 fd 3c cc f2 c0 f4 96 75 03 59 87 e4 34 e8 76 f3 ab 51 94 9e 2c 44 5b df ef ef be 6b 8f c2 6c 1c 35 68 64 d0 ce d3 7d 2d d3 a4 d9 e6 66 d4 e1 65 dc 1e 47 f9 ee 48 a0 60 dc 6c 64 a6 b1 a4 bb d6 61 e3 f9 b2 93 e4 51 76 11 0e 1a 6e 48 8d e6 75 b2 bc dc da 6f 64 ed cf 69 12 ed f4 5b c5 17 86 6a 20 22 6a 4f b2 c1 6c e3 51 b3 55 ed 90 69 50 30 68 e5
    Data Ascii: 5503_VU@$iMdzL~bKY|_k-m2yi}kZq2Izy&Ad'krI0:jfQ>>,w.l!}y}Qk~UCFZhw]\+?J7avUu0G<{yIY#i746P_<y)||1nNU5f|L\k.:K-$o:+>m<iv2YOR1MAm^p27TiNaaFYo68<uY4vQ,D[kl5hd}-feGH`ldaQvnHuodi[j "jOlQUiP0h
    Nov 29, 2020 10:03:49.996169090 CET5INData Raw: cb 8d 95 f5 a7 79 3b 4e fa d1 a7 dd 93 46 b0 15 34 b7 82 a5 60 53 7e 2c 07 d9 49 da 0d 96 13 ad 3d 96 e1 fe 38 09 07 71 7e b5 17 66 e1 90 41 eb 87 51 3b 8b 4e b2 68 7c f6 26 4e ce e5 e5 6d f3 b6 b5 be f6 4d c4 26 d1 eb b0 7d 9c 01 91 bd 70 cc 94
    Data Ascii: y;NF4`S~,I=8q~fAQ;Nh|&NmM&}pNRzN `^Z."q:7OQ^n>v]/p0&UR[mj.xw%gY:9={ 3%pt[\kbr@kF~U
    Nov 29, 2020 10:03:49.996202946 CET6INData Raw: cd 9e 21 22 5e 28 ab a3 54 22 4d aa 2f e7 c8 27 7d 83 df aa 65 e5 98 65 57 d7 bb c7 32 56 99 28 74 4b 58 29 c0 f3 aa 91 84 17 31 2c 55 9a b5 44 aa f3 ba 0d 5a c8 15 83 49 b4 69 38 72 70 29 3c 41 ef 4c 44 a3 db 5b 68 e2 d4 80 96 96 a6 eb c7 c9 42
    Data Ascii: !"^(T"M/'}eeW2V(tKX)1,UDZIi8rp)<ALD[hBruR( HUcW`sO5@6YwRYWPoFw4~`Cp4iF[i]_BJq~E@pyce!Dy-k7<)2?iUIX
    Nov 29, 2020 10:03:49.996246099 CET7INData Raw: a9 50 a6 8f c2 fc 2c 41 39 80 a5 6b 4e 89 33 74 f2 37 37 77 7c 94 ea 02 73 c7 5d d8 c2 bd bd 0f 1f f7 5f ee ef ef ec be fb b8 fe 31 58 ce 96 03 fe 6d c8 8e 35 5b fb d3 25 28 f4 62 f7 ed b3 1d bf 6c 1f 23 05 c0 f6 32 44 68 2b 41 b4 79 bd 27 ec d6
    Data Ascii: P,A9kN3t77w|s]_1Xm5[%(bl#2Dh+Ay'Z\j|;>p04d1(bS3>'uTiXGd<sn^y0qM\z09FB3X>^v4~{PqC1\Q=i?ECO)%ora+
    Nov 29, 2020 10:03:49.996294022 CET9INData Raw: de d3 b8 52 28 5c 5a 5a 7f 5a 69 cf f2 c3 c2 b5 78 bd d8 b7 4f bb 21 1c 94 3f 20 78 7a f7 ac ce 9f 7d f7 04 5f 2e 2b 2c aa ff 6f 51 ed 60 04 86 f3 77 6f 9e f6 15 1c cb 17 52 c4 6f 16 06 82 d9 d6 0d 61 de c0 92 a2 be b1 94 53 bd 6e 05 98 ac e5 bf
    Data Ascii: R(\ZZZixO!? xz}_.+,oQ`woRoaSnayRd.:+ex]\:~1(5z>\F%!'nQp:v:}WK<^&[T,Ej.g
    Nov 29, 2020 10:03:49.996335030 CET10INData Raw: 74 fc 93 ee ca 2e 25 70 88 28 54 b5 a6 be ba 04 e5 68 a0 30 22 60 5c dd d3 03 54 9a 21 0d 37 66 78 31 27 fe 2b 6b 21 7c 16 d5 0c 2b 00 89 77 9c f1 02 5e cc c6 9b 03 3e ce 9b b0 3d 80 2c 9f 19 cd eb 28 3e 3d cb 4b 58 75 1b b0 d6 09 12 b5 d7 c1 2a
    Data Ascii: t.%p(Th0"`\T!7fx1'+k!|+w^>=,(>=KXu*hW;CW,f c|N|+l6^3Y)I]uRX)5-]\gZOq4~a1Z?;V\yBh_,OBoRvks6%~cT,nw6.j?K"{g
    Nov 29, 2020 10:03:49.996377945 CET12INData Raw: d7 9f 07 05 d6 a5 69 11 fd 32 ba 0b 19 4f df 86 2e c8 7e db f0 84 24 5d 30 68 c6 17 b1 a5 59 b8 fe 7a b0 00 b8 04 9c b5 3d e4 7c 60 96 d3 52 85 ac 3e bc 50 33 7f da 90 dd 47 87 2e 19 1d 74 57 6b ce ab d9 d0 41 8d 65 a5 89 51 a0 b9 49 57 49 ba 52
    Data Ascii: i2O.~$]0hYz=|`R>P3G.tWkAeQIWIR[-Bqi,I0fqQ#b}WQ{+(RpED5*n<Yy2V]ybNI/yP99GdC[C0Z?A;u"\@:YYW;#5b k
    Nov 29, 2020 10:03:49.996413946 CET13INData Raw: cc 8f 34 2f 59 b3 66 c0 11 15 9f e5 81 a2 65 28 aa 48 b1 25 11 f6 12 1b b7 f8 7c 18 25 64 8d 89 3e bc df 11 77 02 94 26 04 2d 23 de d7 bc 4d 9a ce fc d4 45 f2 72 62 c2 82 08 95 4a 45 e7 4a 85 76 2c b9 67 85 11 79 c9 19 03 7f fb ed 78 69 4b 8d 65
    Data Ascii: 4/Yfe(H%|%d>w&-#MErbJEJv,gyxiKe7n.BE$jh]|NlIMmx[xV#Mgq71+Q&G_?Wl"Sde}[nS1=N1LRBI-]E@y)2~e?
    Nov 29, 2020 10:03:49.996459961 CET14INData Raw: c1 a6 2b 26 d6 3a e2 f4 77 f7 05 4b cc 5e 99 01 ab 28 17 e8 14 84 9d 7c dc 82 2c 44 74 f4 2e 19 40 64 bc 28 fc 3c 4e 2b a0 2c c6 50 b9 18 41 a3 d0 5c 33 0b 6f a1 09 00 6b 81 b6 af 2f c8 96 31 c3 1e 99 f4 65 12 b3 e9 c2 a1 60 60 ca 9b 34 00 d2 92
    Data Ascii: +&:wK^(|,Dt.@d(<N+,PA\3ok/1e``4:a*+.F[X{qoKbcQR?]luo-$j H@I[r:(T\IYy"a}N]^5X$tB5M>Vy4>CY%pw32
    Nov 29, 2020 10:03:49.996500969 CET16INData Raw: fd 48 dd 0d a6 6c 25 73 2c 1b 20 92 4c 82 c9 14 0a e6 5d 3c 6b d5 41 b6 94 b8 32 29 e1 b0 bc 3c ec a4 a1 c2 96 6f 16 f6 52 29 34 38 d5 72 3e e6 d9 1c 22 f7 75 ff 32 1c 21 46 a8 98 20 b4 3d d7 8b ae 78 33 fe 09 56 d0 45 ec 80 32 dc 4f 82 77 5c a8
    Data Ascii: Hl%s, L]<kA2)<oR)48r>"u2!F =x3VE2Ow\-*v-J<Wv+#x[9y\Z:kS}05tUh-&>l?8}q`WVGbln5mFA)[v_0wQM7!heymw
    Nov 29, 2020 10:03:50.022214890 CET17INData Raw: b9 2a 46 82 06 d1 5b 18 ca a5 3b 67 cc bf 65 23 b0 31 12 21 8d 04 e4 08 ed 9d 89 f2 fc 9d 43 6b 0b 10 7e 69 e3 fe fa 9d 82 48 ce ca d0 d8 44 67 6c 67 fa 4e f4 20 d6 1a a9 cf 8e 7b da 4d 0c a9 75 85 0a 1b 9d 79 91 fc 90 60 58 04 dd 4a 06 0d 57 c6
    Data Ascii: *F[;ge#1!Ck~iHDglgN {Muy`XJWT:>KWqH~_>,#Zx"/48FWt>;oU@Yc8<BWb/aYX^.)=<'\W4AS;O9;
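
The response headers above deserve reading as an audit rather than only as a packet dump. The Python below is an added example, not from the report and not the site operator's code, that parses that header block (copied verbatim) and flags the settings a reviewer would query: a wildcard `Access-Control-Allow-Origin` paired with `Access-Control-Allow-Credentials: true`, a `Strict-Transport-Security` max-age of one second, and two long-lived tracking cookies set without `Secure`, `HttpOnly` or `SameSite`. The 180-day HSTS threshold is an assumed local policy, not a value taken from the page.

```python
import re

# Response header block copied from the HTTP Packets section of this report
# (the 200 OK returned for GET /apu.php?zoneid=1543391).
RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Date: Sun, 29 Nov 2020 09:03:49 GMT
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Accept, Content-Type, Content-Length, Accept-Encoding
Pragma: no-cache
Cache-Control: no-transform, no-store, no-cache, must-revalidate, max-age=0
Expires: Tue, 11 Jan 1994 10:00:00 GMT
Timing-Allow-Origin: *
X-Trace-Id: f83dd63a37d5c263aa2364f4c65ffdf5
Set-Cookie: OAID=2de75f1642b14398bef79e6b9398dd12; expires=Mon, 29 Nov 2021 09:03:49 GMT
Set-Cookie: oaidts=1606640629; expires=Mon, 29 Nov 2021 09:03:49 GMT
Strict-Transport-Security: max-age=1
X-Content-Type-Options: nosniff
Timing-Allow-Origin: *
Content-Encoding: gzip
"""

# Assumed local policy: an HSTS max-age below 180 days is treated as ineffective.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def parse_response(raw):
    """Split a raw response header block into (status line, {lower-name: [values]}).
    Repeated headers (Set-Cookie, Timing-Allow-Origin here) are kept as lists."""
    lines = raw.strip().splitlines()
    status = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")   # first colon only; values may contain ':'
        if not sep:
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit(headers):
    """Return (code, detail) findings for weak or self-contradicting settings."""
    findings = []

    def first(name):
        return headers.get(name, [""])[0]

    acao = first("access-control-allow-origin")
    acac = first("access-control-allow-credentials").lower()
    if acao == "*" and acac == "true":
        findings.append(("cors-wildcard-with-credentials",
                         "ACAO '*' with ACAC 'true': browsers refuse credentialed reads "
                         "from a wildcard origin, so the credentials flag is dead weight, "
                         "while the wildcard still lets any origin read the body"))

    m = re.search(r"max-age=(\d+)", first("strict-transport-security"))
    if m and int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(("hsts-short-max-age",
                         f"Strict-Transport-Security max-age={m.group(1)} expires almost at once"))

    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.split("=", 1)[0].strip().lower() for a in cookie.split(";")[1:]}
        for attr, code in (("secure", "cookie-missing-secure"),
                           ("httponly", "cookie-missing-httponly"),
                           ("samesite", "cookie-missing-samesite")):
            if attr not in attrs:
                findings.append((code, f"cookie {name} is set without the {attr} attribute"))
    return findings


if __name__ == "__main__":
    status, hdrs = parse_response(RESPONSE)
    print(status)
    for code, detail in audit(hdrs):
        print(f"{code}: {detail}")
```

Because the session above ran over plain HTTP on port 80, browsers ignore the Strict-Transport-Security header on this response entirely; the finding is still worth recording against the host's TLS endpoint, where a one-second policy would be just as useless.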


    Code Manipulations

    Statistics

    CPU Usage

    Memory Usage

    High Level Behavior Distribution

    Behavior

    System Behavior

General

Start time: 10:03:47
Start date: 29/11/2020
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff60e6e0000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 10:03:48
Start date: 29/11/2020
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6704 CREDAT:17410 /prefetch:2
Imagebase: 0xed0000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 10:04:16
Start date: 29/11/2020
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\apu.js'
Imagebase: 0x7ff773b00000
File size: 163840 bytes
MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

    Disassembly

    Code Analysis
