Play interactive tour

Edit tour

Analysis Report http://213.217.0.184

Overview

General Information

Sample URL:	http://213.217.0.184
Analysis ID:	324356
Most interesting Screenshot:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Classification

Startup

System is w10x64

iexplore.exe (PID: 852 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 3892 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:852 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: http://213.217.0.184/

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: http://213.217.0.184

Virustotal: Detection: 8%

Perma Link

Source: unknown	TCP traffic detected without corresponding DNS query: 213.217.0.184
Source: unknown	TCP traffic detected without corresponding DNS query: 213.217.0.184
Source: unknown	TCP traffic detected without corresponding DNS query: 213.217.0.184
Source: unknown	TCP traffic detected without corresponding DNS query: 213.217.0.184
Source: unknown	TCP traffic detected without corresponding DNS query: 213.217.0.184
Source: unknown	TCP traffic detected without corresponding DNS query: 213.217.0.184
Source: unknown	TCP traffic detected without corresponding DNS query: 213.217.0.184
Source: unknown	TCP traffic detected without corresponding DNS query: 213.217.0.184
Source: unknown	TCP traffic detected without corresponding DNS query: 213.217.0.184
Source: unknown	TCP traffic detected without corresponding DNS query: 213.217.0.184
Source: unknown	TCP traffic detected without corresponding DNS query: 213.217.0.184
Source: unknown	TCP traffic detected without corresponding DNS query: 213.217.0.184
Source: unknown	TCP traffic detected without corresponding DNS query: 213.217.0.184
Source: unknown	TCP traffic detected without corresponding DNS query: 213.217.0.184
Source: unknown	TCP traffic detected without corresponding DNS query: 213.217.0.184

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: 213.217.0.184Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 213.217.0.184Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1User-Agent: AutoItHost: 213.217.0.184

Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xe6745b85,0x01d6c6a5</date><accdate>0xe6745b85,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xe6745b85,0x01d6c6a5</date><accdate>0xe6745b85,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xe676bdfc,0x01d6c6a5</date><accdate>0xe676bdfc,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xe676bdfc,0x01d6c6a5</date><accdate>0xe676bdfc,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xe6792040,0x01d6c6a5</date><accdate>0xe6792040,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xe6792040,0x01d6c6a5</date><accdate>0xe6792040,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Nov 2020 14:17:39 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 275Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 32 31 33 2e 32 31 37 2e 30 2e 31 38 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 213.217.0.184 Port 80</address></body></html>

Source: ~DF5116F9D0FFB55263.TMP.1.dr	String found in binary or memory: http://213.217.0.184/
Source: {113904BF-3299-11EB-90E4-ECF4BB862DED}.dat.1.dr	String found in binary or memory: http://213.217.0.184/Root
Source: msapplication.xml.1.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr	String found in binary or memory: http://www.youtube.com/

Source: classification engine

Classification label: mal56.win@3/16@0/1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF6BB103AE132F7921.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:852 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:852 CREDAT:17410 /prefetch:2

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Non-Application Layer Protocol2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://213.217.0.184	9%	Virustotal		Browse
http://213.217.0.184	0%	Avira URL Cloud	safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://213.217.0.184/favicon.ico	0%	Avira URL Cloud	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://213.217.0.184/Root	0%	Avira URL Cloud	safe
http://213.217.0.184/	9%	Virustotal		Browse

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://213.217.0.184/favicon.ico	true	Avira URL Cloud: safe	unknown
http://213.217.0.184/	true	9%, Virustotal, Browse	unknown
http://213.217.0.184/	true	9%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.wikipedia.com/	msapplication.xml6.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.com/	msapplication.xml.1.dr	false		high
http://www.nytimes.com/	msapplication.xml3.1.dr	false		high
http://www.live.com/	msapplication.xml2.1.dr	false		high
http://213.217.0.184/Root	{113904BF-3299-11EB-90E4-ECF4BB862DED}.dat.1.dr	true	Avira URL Cloud: safe	unknown
http://www.reddit.com/	msapplication.xml4.1.dr	false		high
http://www.twitter.com/	msapplication.xml5.1.dr	false		high
http://www.youtube.com/	msapplication.xml7.1.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
213.217.0.184	unknown	Russian Federation		50340	SELECTEL-MSKRU	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	324356
Start date:	29.11.2020
Start time:	15:16:52
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 40s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	browseurl.jbs
Sample URL:	http://213.217.0.184
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.win@3/16@0/1
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.108.39.131, 51.104.139.180, 152.199.19.161, 92.122.144.200, 20.54.26.129, 13.107.4.50 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, ie9comview.vo.msecnd.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, afdap.au.au-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, au.au-msedge.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, au.c-0001.c-msedge.net, cs9.wpc.v0cdn.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{113904BD-3299-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	30296
Entropy (8bit):	1.854850662154892
Encrypted:	false
SSDEEP:	192:r0ZvZ/2i9WdtZUfJWGBM9uHV41DqfXWDxX:rkRuiUnZaAGK9uHV41DomDZ
MD5:	478DDE2DA893940DF993781D876A24AC
SHA1:	21521C8600C1534E57B066CC6FE387ABC075EDE3
SHA-256:	16E5452025A460DDF82B5B420932C0B897E5E1C2D9063EDF6F2F80213DDC22D4
SHA-512:	7892D1DEA13C3872AC1A463FA021EA33621F423763AB450376E25F1E19FC1A6EAAFADA06B30E0DA249D7A37AF594C04A3D4D6B470D703F1013FA29B3760CDBD7
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{113904BF-3299-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	23640
Entropy (8bit):	1.6403095248544746
Encrypted:	false
SSDEEP:	48:IwdGcprsGwpaUG4pQrGrapbSyrGQpBKGHHpcRsTGUp8oGzYpmjXYGopeZjGhp7:rDZEQk6fBSyFjR2RkWsMrYUih
MD5:	EF5F54EE868893E06672284D11EB610D
SHA1:	CFB50B8F9213035B4A3292AE78095B5DBFDBF912
SHA-256:	42AF25FBE0E43DE7E087CFF311C395B740793D1199E10AA7DF48651CC89DE9EF
SHA-512:	6C977A81A2545174481046AFBCAA8BD98A5E49C01AB4626B164FA6775DF8B78E5DE37E23FC74DBFFB8A1ECAB5891D2169503B3CBF22351EF214CD7F87D33B90A
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{113904C0-3299-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.5675377170269231
Encrypted:	false
SSDEEP:	48:Iw0GcprlGwpaMG4pQoGrapbSHrGQpKlG7HpRPsTGIpG:roZvQM62BSHFAUTP4A
MD5:	F160508D6C3589BBC37F031603B54FA5
SHA1:	0653A84D53EB8D4F8B4144EF2554A8A5A3BAD10B
SHA-256:	4096AFCAB0F33CA470983E833F216A1CF3D7E9D6952B7FCB59C78873AE45D6EB
SHA-512:	9C54A4558CCA950E440BFCE407D0401F72C5B8FF23892E355A928D4D19EA40EA10C40BE83E3D8A147C10379AD59D93084F1AE419A196217CC493406388814451
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.060477660470656
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEvqxqvNnWimI002EtM3MHdNMNxOEvqxqvNnWimI00ObVbkEtMb:2d6NxOAigSZHKd6NxOAigSZ76b
MD5:	FF9C2F6F2F2664210049332349DB059F
SHA1:	868B51457ECFE6CA85BEC35D4B2C6DA783558478
SHA-256:	A1A42653AD0123A356BFF3F1EFC1C17E95026789E6DD2D4D4E90DDA02B432D4A
SHA-512:	16A39389B5361C29D27B2120F737F12988F08D9A06A3DCC7B0EBD1C3AE06CC650270B89BC341501BBAC3A2F9B968D8E12A19AF06364CE0993A373ADFBEB4A6C9
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xe676bdfc,0x01d6c6a5</date><accdate>0xe676bdfc,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xe676bdfc,0x01d6c6a5</date><accdate>0xe676bdfc,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.143811925910352
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kWf+IqEf+IqvNnWimI002EtM3MHdNMNxe2kWf+IqEf+IqvNnWimI0/:2d6NxraI0IgSZHKd6NxraI0IgSZ7Aa7b
MD5:	4AB1C85D43CE21C1C7E7C624B06988D7
SHA1:	4EA110A60B550CB3946FD479D173A4D70869475F
SHA-256:	8AA0E0C1F14F4CCCB0C168273CC539139D58A1309A14744A44A154F03C588DF2
SHA-512:	C94A59D5F5B334DAF3538DD6BC8414AB21093D51FDC5329744D4A490C2303CA7D00FCA8A7255A8C18D5D776F0577EF097AD468AD098227CC39DAF7E6FAE60552
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xe671f924,0x01d6c6a5</date><accdate>0xe671f924,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xe671f924,0x01d6c6a5</date><accdate>0xe671f924,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.127459098657169
Encrypted:	false
SSDEEP:	12:TMHdNMNxvL5qvqvNnWimI002EtM3MHdNMNxvL5qvqvNnWimI00ObmZEtMb:2d6NxvVUgSZHKd6NxvVUgSZ7mb
MD5:	4B74E1FADFAAD7F4112008BCC25DE9A3
SHA1:	456F8EFB33B7B2D6AB9836F42B1B6B2A04A5FEC9
SHA-256:	DDF66D0A578A4F91643C5D90E6AC314B91368D1854DB85B36B8FAE11832AE239
SHA-512:	671104DE2CBF9FF80625D96404C70E3C1ED1192C0DD82941CAFFD3F3A3F58776D76D933185E0A718EDA9388FD3D5C2E1A853522879F3293AC602624DC93BA6CD
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xe6792040,0x01d6c6a5</date><accdate>0xe6792040,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xe6792040,0x01d6c6a5</date><accdate>0xe6792040,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.123561195781089
Encrypted:	false
SSDEEP:	12:TMHdNMNxishqihqvNnWimI002EtM3MHdNMNxishqihqvNnWimI00Obd5EtMb:2d6NxlRgSZHKd6NxlRgSZ7Jjb
MD5:	1AA1AB6956478D14806AA3BE80B523AE
SHA1:	AEEF1EA93D829D655D8DA6888B710FD928D2F6B5
SHA-256:	F7E369CFED78EFE48A5CB40D299E46378AB7FE654B10012F1E57A69971B8E361
SHA-512:	09894F5609A4DD4CDCB577DA1E68A3FA661B03843786289AF74BD6A151CB99EA3E38E54AC7DA132749F15F810236F3011B4958C1C5752BBBA01DE7B148FA3647
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xe6745b85,0x01d6c6a5</date><accdate>0xe6745b85,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xe6745b85,0x01d6c6a5</date><accdate>0xe6745b85,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.14320413271527
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGw5qvqvNnWimI002EtM3MHdNMNxhGw5qvqvNnWimI00Ob8K075EtMb:2d6NxQqUgSZHKd6NxQqUgSZ7YKajb
MD5:	13FEC8FCC997AFE6317213C384588830
SHA1:	199E79B8363BABF9B1FFAA35BB6ECD27C9CBA91A
SHA-256:	9363B2360C5BB998F92336DF4339E9845BCFD6B7927F11413675E157E2953179
SHA-512:	A8E7B550DBC0E5CAC11B86E7651A5C493EB746A9E8BDCE536AE9E26DB424951B22A743976FD77BAE32726437AB75F541406D922C26380F1256160238456D7B52
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xe6792040,0x01d6c6a5</date><accdate>0xe6792040,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xe6792040,0x01d6c6a5</date><accdate>0xe6792040,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.061060674587126
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nvqxqvNnWimI002EtM3MHdNMNx0nvqxqvNnWimI00ObxEtMb:2d6Nx0vigSZHKd6Nx0vigSZ7nb
MD5:	1BBDCDD734000187846B69E27359D3C1
SHA1:	AA18F41492520C8EA2892722429594C32FAD6E8B
SHA-256:	7913909327074EBBA1F890212E836FE530445259EE32230DC33441011A784098
SHA-512:	AA0F4EE28DA660766CE2B49DFF9806403B5E488EB237EA52BE1C08DE941BDAFEF384298FF18FFFAB5A967D3B3FCC8290AE7F8631BE685D88361396A33B40D834
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xe676bdfc,0x01d6c6a5</date><accdate>0xe676bdfc,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xe676bdfc,0x01d6c6a5</date><accdate>0xe676bdfc,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.100901361741353
Encrypted:	false
SSDEEP:	12:TMHdNMNxxvqxqvNnWimI002EtM3MHdNMNxxvqxqvNnWimI00Ob6Kq5EtMb:2d6Nx5igSZHKd6Nx5igSZ7ob
MD5:	F44AFFE4F3EE7E605C8FB26106630170
SHA1:	264295A2D380910EC6DE4944C642C250B449CCEA
SHA-256:	05D89EBD77AC4574754D823FA5FED0FA2D84D604324528A0400DC1FA444EFD8C
SHA-512:	52FC500AFDBEE92A412F7FE00545217E499EE3E8F9C74256D63EE9E3E342C08B996164AC5D8FD5320134A2B62A60DC2B2D102DA9E3B24250EE5D3D367D326489
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xe676bdfc,0x01d6c6a5</date><accdate>0xe676bdfc,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xe676bdfc,0x01d6c6a5</date><accdate>0xe676bdfc,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.123813429752426
Encrypted:	false
SSDEEP:	12:TMHdNMNxcshqihqvNnWimI002EtM3MHdNMNxcshqihqvNnWimI00ObVEtMb:2d6NxbRgSZHKd6NxbRgSZ7Db
MD5:	483BB93EB38A42A6B4BC5F57C0470131
SHA1:	C4900F227E184695AC80CA9A7A5C29F4F8413F17
SHA-256:	4976F486E311797E8356C6A03E46C6AEE78DDAADD92E19C3BCE30A066F3632CB
SHA-512:	BFFEF01646C3FB168B79CCFE609E870708E3CF36478D4CC66CB843E8025EE541BE1BD1A7636F914C5992D27928C67F2B9CB018AE3EA8D957618F4A1D76C92007
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xe6745b85,0x01d6c6a5</date><accdate>0xe6745b85,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xe6745b85,0x01d6c6a5</date><accdate>0xe6745b85,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.109110481516924
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnshqihqvNnWimI002EtM3MHdNMNxfnshqihqvNnWimI00Obe5EtMb:2d6NxgRgSZHKd6NxgRgSZ7ijb
MD5:	482EB10D0C92551C3FD0569D3E283CDA
SHA1:	D2E6284C8B2D80D764D5A65C0EEABF232EF559C0
SHA-256:	6AFE0B5CC5847E7911890010CD8C5C6104292C45AD2447BD6D864A987438FFEB
SHA-512:	428B8A154117F8D765EACF593F75669841DF838D94848208A30764ECF313375CE5D2BA2C551B243AF9FF78255569F5CCBA013D205CAA34A6F34431D4C1C022F5
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xe6745b85,0x01d6c6a5</date><accdate>0xe6745b85,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xe6745b85,0x01d6c6a5</date><accdate>0xe6745b85,0x01d6c6a5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\W7CO3SZE.htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	2
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:/:/
MD5:	23B58DEF11B45727D3351702515F86AF
SHA1:	099600A10A944114AAC406D136B625FB416DD779
SHA-256:	6C179F21E6F62B629055D8AB40F454ED02E48B68563913473B857D3638E23B28
SHA-512:	16B7AA7F7E549BA129C776BB91CE1E692DA103271242D44A9BC145CF338450C90132496EAD2530F527B1BD7F50544F37E7D27A2D2BBB58099890AA320F40ACA9
Malicious:	false
Reputation:	low
IE Cache URL:	http://213.217.0.184/
Preview:

C:\Users\user\AppData\Local\Temp\~DF5116F9D0FFB55263.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	34345
Entropy (8bit):	0.3478152855241574
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwZ9lw59l2X9l2X9l/jS:kBqoxKAuvScS+6cGPjIjgZc
MD5:	65024DCCE694D14168C972B8D79B69A4
SHA1:	B8F344CBC07E1E8EA6FA49EAC2F1141E54E1EAF6
SHA-256:	F36BA7F4956F1C6C836272609882E2D87037E0D88C0195837557614A16E04091
SHA-512:	16B3C18E43F68621EBA572733F65744D23A41684EAF025B4FD83CFBF5300F1E9DD2606483B1AAC6E89B4A018E4FA62DFDDD926B355467D94D48CD5D93ECC55FA
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF6BB103AE132F7921.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13029
Entropy (8bit):	0.4768286681305649
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9losF9loM9lWh+wA4E:kBqoIHhh+wAJ
MD5:	DA231010898AEAA00D3037DC435FCD05
SHA1:	1ED133FADD046EC952B436F82EF20F3D6ECC7CCD
SHA-256:	3327EAAEBDAC49C7BBF7DECB1D1EBBAC2401811DA0DEC4D01334932E1C47F0A3
SHA-512:	232E0AD3794CA60682579A64081CC9E9B78B332447C9832E11D0A7F40D3A1C409F5FBB489DAAE7882C07BB5863511E0F5604ED1F66D3E01C500E0557B48FF75F
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFAAA89ABA67B57266.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	25441
Entropy (8bit):	0.2882412374330955
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laApfBu:kBqoxxJhHWSVSEabpfB
MD5:	B4E392D56472029888EF5C97125EDB0E
SHA1:	9325A2EC21F37C6EBB56E1AABD488A4252024A5B
SHA-256:	FE5A96BEC4D501E2ED9E5B14EBE9185CBA3DCA9D49FD66A4CF4B56A9143D37FD
SHA-512:	B24B0B6871CD8BC41AC49CA350F622C6D3CABC0B481BBAF1A62BA02F2C88C2EF7DAF615ECFAD5D4E87267193BB8BFB642B2BFBAB3D39D233E404BF4A1863014E
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2020 15:17:39.553035021 CET	49724	80	192.168.2.3	213.217.0.184
Nov 29, 2020 15:17:39.553698063 CET	49725	80	192.168.2.3	213.217.0.184
Nov 29, 2020 15:17:39.625636101 CET	80	49724	213.217.0.184	192.168.2.3
Nov 29, 2020 15:17:39.625864983 CET	49724	80	192.168.2.3	213.217.0.184
Nov 29, 2020 15:17:39.626405001 CET	49724	80	192.168.2.3	213.217.0.184
Nov 29, 2020 15:17:39.630559921 CET	80	49725	213.217.0.184	192.168.2.3
Nov 29, 2020 15:17:39.630711079 CET	49725	80	192.168.2.3	213.217.0.184
Nov 29, 2020 15:17:39.698858023 CET	80	49724	213.217.0.184	192.168.2.3
Nov 29, 2020 15:17:39.699071884 CET	80	49724	213.217.0.184	192.168.2.3
Nov 29, 2020 15:17:39.699240923 CET	49724	80	192.168.2.3	213.217.0.184
Nov 29, 2020 15:17:39.906862020 CET	49724	80	192.168.2.3	213.217.0.184
Nov 29, 2020 15:17:39.979676962 CET	80	49724	213.217.0.184	192.168.2.3
Nov 29, 2020 15:17:39.979724884 CET	80	49724	213.217.0.184	192.168.2.3
Nov 29, 2020 15:17:39.980000973 CET	49724	80	192.168.2.3	213.217.0.184
Nov 29, 2020 15:17:44.982142925 CET	80	49724	213.217.0.184	192.168.2.3
Nov 29, 2020 15:17:44.982525110 CET	49724	80	192.168.2.3	213.217.0.184
Nov 29, 2020 15:17:55.754333019 CET	49726	80	192.168.2.3	213.217.0.184
Nov 29, 2020 15:17:55.831346989 CET	80	49726	213.217.0.184	192.168.2.3
Nov 29, 2020 15:17:55.831474066 CET	49726	80	192.168.2.3	213.217.0.184
Nov 29, 2020 15:17:55.831665039 CET	49726	80	192.168.2.3	213.217.0.184
Nov 29, 2020 15:17:55.908269882 CET	80	49726	213.217.0.184	192.168.2.3
Nov 29, 2020 15:17:55.908318996 CET	80	49726	213.217.0.184	192.168.2.3
Nov 29, 2020 15:17:55.908417940 CET	49726	80	192.168.2.3	213.217.0.184
Nov 29, 2020 15:18:00.909966946 CET	80	49726	213.217.0.184	192.168.2.3
Nov 29, 2020 15:18:00.910216093 CET	49726	80	192.168.2.3	213.217.0.184
Nov 29, 2020 15:18:11.174386978 CET	80	49725	213.217.0.184	192.168.2.3
Nov 29, 2020 15:18:11.174578905 CET	49725	80	192.168.2.3	213.217.0.184

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2020 15:17:33.548199892 CET	50141	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:17:33.583772898 CET	53	50141	8.8.8.8	192.168.2.3
Nov 29, 2020 15:17:34.218105078 CET	53023	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:17:34.254070044 CET	53	53023	8.8.8.8	192.168.2.3
Nov 29, 2020 15:17:34.899370909 CET	49563	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:17:34.926770926 CET	53	49563	8.8.8.8	192.168.2.3
Nov 29, 2020 15:17:35.620897055 CET	51352	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:17:35.656444073 CET	53	51352	8.8.8.8	192.168.2.3
Nov 29, 2020 15:17:36.281229019 CET	59349	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:17:36.316678047 CET	53	59349	8.8.8.8	192.168.2.3
Nov 29, 2020 15:17:37.083910942 CET	57084	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:17:37.111103058 CET	53	57084	8.8.8.8	192.168.2.3
Nov 29, 2020 15:17:37.722959995 CET	58823	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:17:37.750046968 CET	53	58823	8.8.8.8	192.168.2.3
Nov 29, 2020 15:17:38.428469896 CET	57568	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:17:38.474581003 CET	53	57568	8.8.8.8	192.168.2.3
Nov 29, 2020 15:17:38.696753979 CET	50540	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:17:38.724009037 CET	53	50540	8.8.8.8	192.168.2.3
Nov 29, 2020 15:18:00.129690886 CET	54366	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:18:00.156934023 CET	53	54366	8.8.8.8	192.168.2.3
Nov 29, 2020 15:18:08.516307116 CET	53034	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:18:08.543433905 CET	53	53034	8.8.8.8	192.168.2.3
Nov 29, 2020 15:18:08.833832026 CET	57762	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:18:08.869900942 CET	53	57762	8.8.8.8	192.168.2.3
Nov 29, 2020 15:18:09.170793056 CET	55435	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:18:09.197938919 CET	53	55435	8.8.8.8	192.168.2.3
Nov 29, 2020 15:18:09.530468941 CET	53034	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:18:09.557831049 CET	53	53034	8.8.8.8	192.168.2.3
Nov 29, 2020 15:18:10.186198950 CET	55435	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:18:10.213566065 CET	53	55435	8.8.8.8	192.168.2.3
Nov 29, 2020 15:18:10.546282053 CET	53034	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:18:10.573630095 CET	53	53034	8.8.8.8	192.168.2.3
Nov 29, 2020 15:18:11.195956945 CET	55435	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:18:11.223171949 CET	53	55435	8.8.8.8	192.168.2.3
Nov 29, 2020 15:18:12.545161963 CET	53034	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:18:12.572477102 CET	53	53034	8.8.8.8	192.168.2.3
Nov 29, 2020 15:18:13.201123953 CET	55435	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:18:13.228574991 CET	53	55435	8.8.8.8	192.168.2.3
Nov 29, 2020 15:18:16.561048031 CET	53034	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:18:16.588299036 CET	53	53034	8.8.8.8	192.168.2.3
Nov 29, 2020 15:18:17.217108965 CET	55435	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:18:17.244398117 CET	53	55435	8.8.8.8	192.168.2.3
Nov 29, 2020 15:18:18.069411993 CET	50713	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:18:18.122076988 CET	53	50713	8.8.8.8	192.168.2.3
Nov 29, 2020 15:18:23.270389080 CET	56132	53	192.168.2.3	8.8.8.8
Nov 29, 2020 15:18:23.297658920 CET	53	56132	8.8.8.8	192.168.2.3

HTTP Request Dependency Graph

213.217.0.184

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49724	213.217.0.184	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 29, 2020 15:17:39.626405001 CET	199	OUT	GET / HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: 213.217.0.184 Connection: Keep-Alive
Nov 29, 2020 15:17:39.699071884 CET	199	IN	HTTP/1.1 200 OK Date: Sun, 29 Nov 2020 14:17:39 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Sat, 03 Oct 2020 10:08:03 GMT ETag: "2-5b0c16cbdb6e2" Accept-Ranges: bytes Content-Length: 2 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html Data Raw: 20 20 Data Ascii:
Nov 29, 2020 15:17:39.906862020 CET	200	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 213.217.0.184 Connection: Keep-Alive
Nov 29, 2020 15:17:39.979724884 CET	200	IN	HTTP/1.1 404 Not Found Date: Sun, 29 Nov 2020 14:17:39 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 275 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 32 31 33 2e 32 31 37 2e 30 2e 31 38 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 213.217.0.184 Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49726	213.217.0.184	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 29, 2020 15:17:55.831665039 CET	201	OUT	GET /favicon.ico HTTP/1.1 User-Agent: AutoIt Host: 213.217.0.184
Nov 29, 2020 15:17:55.908318996 CET	201	IN	HTTP/1.1 404 Not Found Date: Sun, 29 Nov 2020 14:17:55 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 275 Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 32 31 33 2e 32 31 37 2e 30 2e 31 38 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 213.217.0.184 Port 80</address></body></html>

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 852 Parent PID: 792

General

Start time:	15:17:37
Start date:	29/11/2020
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff6be6f0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: iexplore.exe PID: 3892 Parent PID: 852

General

Start time:	15:17:37
Start date:	29/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:852 CREDAT:17410 /prefetch:2
Imagebase:	0x3f0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report http://213.217.0.184

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Networking:

System Summary:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 852 Parent PID: 792

General

Analysis Process: iexplore.exe PID: 3892 Parent PID: 852

General

Disassembly