Play interactive tour

Edit tour

Analysis Report https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntelligenceUnit/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ?email=Bill.Sparrow%4099restaurants.com&e=4%3atJjRLx&at=9

Overview

General Information

Sample URL:	https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntelligenceUnit/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ?email=Bill.Sparrow%4099restaurants.com&e=4%3atJjRLx&at=9
Analysis ID:	338878
Most interesting Screenshot:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Queries the volume information (name, serial number etc) of a device

Classification

Startup

System is w10x64

cmd.exe (PID: 5564 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntelligenceUnit/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ?email=Bill.Sparrow%4099restaurants.com&e=4%3atJjRLx&at=9' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

wget.exe (PID: 4972 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntelligenceUnit/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ?email=Bill.Sparrow%4099restaurants.com&e=4%3atJjRLx&at=9' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)

iexplore.exe (PID: 464 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ@email=Bill.Sparrow@99restaurants.com&e=4%3AtJjRLx&at=9.html MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 2432 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:464 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x68a89723,0x01d6e992</date><accdate>0x68a89723,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x68a89723,0x01d6e992</date><accdate>0x68aaf93e,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x68ad5b87,0x01d6e992</date><accdate>0x68ad5b87,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x68ad5b87,0x01d6e992</date><accdate>0x68ad5b87,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x68afbdec,0x01d6e992</date><accdate>0x68afbdec,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x68afbdec,0x01d6e992</date><accdate>0x68afbdec,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: partnersinhealth.sharepoint.com

Source: msapplication.xml.3.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.3.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.3.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.3.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.3.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.3.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.3.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.3.dr	String found in binary or memory: http://www.youtube.com/
Source: Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ@email=Bill.Sparrow@99restaurants.com&e=4%3AtJjRLx&at=9.2.dr	String found in binary or memory: https://az741266.vo.msecnd.net/files/odsp-next-prod-amd_2020-12-04-sts_20201208.001/
Source: spoguestaccess-a0017cc2[1].js.4.dr	String found in binary or memory: https://github.com/microsoft/fluentui/wiki/Using-icons
Source: wget.exe, 00000002.00000002.212219619.00000000014B6000.00000004.00000040.sdmp, cmdline.out.2.dr	String found in binary or memory: https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntellige
Source: Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ@email=Bill.Sparrow@99restaurants.com&e=4%3AtJjRLx&at=9.2.dr	String found in binary or memory: https://partnersinhealth.sharepoint.com/sites/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntellige
Source: Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ@email=Bill.Sparrow@99restaurants.com&e=4%3AtJjRLx&at=9.2.dr	String found in binary or memory: https://spoprod-a.akamaihd.net
Source: spoguestaccess-a0017cc2[1].js.4.dr	String found in binary or memory: https://spoprod-a.akamaihd.net/files/fabric-cdn-prod_20201008.001/assets/item-types/
Source: Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ@email=Bill.Sparrow@99restaurants.com&e=4%3AtJjRLx&at=9.2.dr	String found in binary or memory: https://spoprod-a.akamaihd.net/files/odsp-common-library-prod_2019-02-15_20190219.002/require.js
Source: spoguestaccess-a0017cc2[1].js.4.dr	String found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443

Source: classification engine

Classification label: clean0.win@7/18@3/2

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\cmdline.out

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4792:120:WilError_01

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF3A4ED906E2C2A4CC.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\wget.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntelligenceUnit/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ?email=Bill.Sparrow%4099restaurants.com&e=4%3atJjRLx&at=9' > cmdline.out 2>&1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntelligenceUnit/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ?email=Bill.Sparrow%4099restaurants.com&e=4%3atJjRLx&at=9'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ@email=Bill.Sparrow@99restaurants.com&e=4%3AtJjRLx&at=9.html
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:464 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntelligenceUnit/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ?email=Bill.Sparrow%4099restaurants.com&e=4%3atJjRLx&at=9'
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:464 CREDAT:17410 /prefetch:2

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\wget.exe

Queries volume information: C:\Users\user\Desktop\download VolumeInformation

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	System Information Discovery12	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Remote System Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntelligenceUnit/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ?email=Bill.Sparrow%4099restaurants.com&e=4%3atJjRLx&at=9	0%	Virustotal		Browse
https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntelligenceUnit/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ?email=Bill.Sparrow%4099restaurants.com&e=4%3atJjRLx&at=9	0%	Avira URL Cloud	safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://partnersinhealth.sharepoint.com/sites/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntellige	0%	Avira URL Cloud	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
https://static2.sharepointonline.com/files/fabric/assets	0%	URL Reputation	safe
https://static2.sharepointonline.com/files/fabric/assets	0%	URL Reputation	safe
https://static2.sharepointonline.com/files/fabric/assets	0%	URL Reputation	safe
https://static2.sharepointonline.com/files/fabric/assets	0%	URL Reputation	safe
https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntellige	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
18164-ipv4.farm.prod.aa-rt.sharepoint.com	40.108.137.41	true	false	unknown
partnersinhealth.sharepoint.com	unknown	unknown	false	unknown
spoprod-a.akamaihd.net	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.nytimes.com/	msapplication.xml3.3.dr	false		high
https://spoprod-a.akamaihd.net/files/fabric-cdn-prod_20201008.001/assets/item-types/	spoguestaccess-a0017cc2[1].js.4.dr	false		high
https://github.com/microsoft/fluentui/wiki/Using-icons	spoguestaccess-a0017cc2[1].js.4.dr	false		high
https://partnersinhealth.sharepoint.com/sites/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntellige	Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ@email=Bill.Sparrow@99restaurants.com&e=4%3AtJjRLx&at=9.2.dr	false	Avira URL Cloud: safe	unknown
http://www.youtube.com/	msapplication.xml7.3.dr	false		high
http://www.wikipedia.com/	msapplication.xml6.3.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.com/	msapplication.xml.3.dr	false		high
http://www.live.com/	msapplication.xml2.3.dr	false		high
https://spoprod-a.akamaihd.net	Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ@email=Bill.Sparrow@99restaurants.com&e=4%3AtJjRLx&at=9.2.dr	false		high
http://www.reddit.com/	msapplication.xml4.3.dr	false		high
http://www.twitter.com/	msapplication.xml5.3.dr	false		high
https://spoprod-a.akamaihd.net/files/odsp-common-library-prod_2019-02-15_20190219.002/require.js	Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ@email=Bill.Sparrow@99restaurants.com&e=4%3AtJjRLx&at=9.2.dr	false		high
https://static2.sharepointonline.com/files/fabric/assets	spoguestaccess-a0017cc2[1].js.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntellige	wget.exe, 00000002.00000002.212219619.00000000014B6000.00000004.00000040.sdmp, cmdline.out.2.dr	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
40.108.137.41	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	338878
Start date:	13.01.2021
Start time:	01:55:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 9s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	urldownload.jbs
Sample URL:	https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntelligenceUnit/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ?email=Bill.Sparrow%4099restaurants.com&e=4%3atJjRLx&at=9
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@7/18@3/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, wermgr.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 88.221.62.148, 92.122.213.248, 92.122.213.216, 2.20.84.85, 152.199.19.161, 67.27.159.254, 8.248.141.254, 67.27.157.254, 8.253.95.120, 8.248.135.254, 40.88.32.150, 13.64.90.137 Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ie9comview.vo.msecnd.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, skypedataprdcoleus15.cloudapp.net, go.microsoft.com, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, blobcollector.events.data.trafficmanager.net, a1531.g2.akamai.net, spoprod-a.akamaihd.net.edgesuite.net, auto.au.download.windowsupdate.com.c.footprint.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, cs9.wpc.v0cdn.net Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{936DC963-5585-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	24152
Entropy (8bit):	1.7629257565398486
Encrypted:	false
SSDEEP:	48:IwRGcprQGwpLZG/ap8urGIpc00GvnZpv05GvHZp90VGogTqpv0NGo4UMXpcqGWgU:rnZ4Z92u9W2tpf9+tXUMXWt0L
MD5:	B0597B3AC8E190D261ABCB13EDFF1434
SHA1:	0CF4BBE91D9C10F6BF3716261CC4499E6D2D26FD
SHA-256:	1E0FCBD36579F314189BC895C736C4C19737C58D77B0921D14659CA2AE2DF1D6
SHA-512:	53857A182C865F889081269F9D179AFBF4B5410E2E261A9A6B8E9CDF667959104D67DAE6666E164E9D5C3938BFD881AA6D8204D335FF14571D56EFF71DB70577
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{936DC965-5585-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	31840
Entropy (8bit):	2.575257962006325
Encrypted:	false
SSDEEP:	192:rAZLQ7pHr0HBJUHwdH69AHuN0yH8ZmuytvCe5YiDufb2+xHPaFrR7r:rwkdHgHBKH4HFHenHQZ6vCe5YmO6mHS7
MD5:	5684A0B6DD93E6956BB5BC78519AA698
SHA1:	F0C2B291DE1C373CF629F12923DA4B47D7BD89DD
SHA-256:	D7A70796123125B9CB660F027B00D67B057FDCA5983FF916BD0B4CAF39A10804
SHA-512:	43CFA93B6ABF2F1BB2D2050681492F83DC65EEE751C4173900D5C348E4259095202FD0F8286610E27A6CE13CFC0B80904EC2BE2DE4E48CA52D79978E74A31579
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.1343698452494735
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEbgAnWimI002EtM3MHdNMNxOEbgAnWimI00ObVbkEtMb:2d6NxOASZHKd6NxOASZ76b
MD5:	3189F12305A29213FEEE3D258EC7113B
SHA1:	E58B953D45CB0EAFCD3458B091352DAE3E083DFB
SHA-256:	CADD0BA5B4FA5E5DF6A13D1EE7E874765507ED399C652D1F32E8A5BE63294D8C
SHA-512:	2F9A8C14806D8BF4E70184D419A2DE9F471E3927FA5096C873656F95B52FF2F37EAA96885E3511633A7486D3437630FB167E72B2009694BA15CC97B5BE999453
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x68ad5b87,0x01d6e992</date><accdate>0x68ad5b87,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x68ad5b87,0x01d6e992</date><accdate>0x68ad5b87,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.162247191221455
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kpKAnWimI002EtM3MHdNMNxe2kpKAnWimI00Obkak6EtMb:2d6NxrsSZHKd6NxrsSZ7Aa7b
MD5:	019737DF1CDF8F3351C91CD933BB5BE7
SHA1:	3134DC169EEDEF30B751C9A0DCCA878CE5367AA0
SHA-256:	729E275FE943D2C75EFCCA6B07F34E8DF6ECFA904B3B04148F09811A5B093723
SHA-512:	0587E3793C5AE9C00FC166FAB20F9829BBB6636B656ACCB0D574DCAF2F61231644F43D1E69B4A74D919685301CE1D4FE761E914D9B538D0612B026540CF77340
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x68a634b1,0x01d6e992</date><accdate>0x68a634b1,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x68a634b1,0x01d6e992</date><accdate>0x68a634b1,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.113222872743223
Encrypted:	false
SSDEEP:	12:TMHdNMNxvL+elrvelrAnWimI002EtM3MHdNMNxvL+elrvelrAnWimI00ObmZEtMb:2d6Nxv7lSlUSZHKd6Nxv7lSlUSZ7mb
MD5:	E6FCA072E7BC8154138D240B6D67B9CC
SHA1:	FA7BBE84D82E2E5F4B47651ED03E944EB926A7C4
SHA-256:	0DC29118F756850A8D09F61ED8CA3FFC768FFD324F98485F3AB16F9603B8D0FA
SHA-512:	46A05D58D261304BBF8419F901A7FCC56FDD8B5142C99BDE362D6D9F60DECDF30BB40730C9EB499EDF97013DA31E768DD4DC642E0A5F08197512F266C907A5F3
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x68afbdec,0x01d6e992</date><accdate>0x68afbdec,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x68afbdec,0x01d6e992</date><accdate>0x68afbdec,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.150685714258783
Encrypted:	false
SSDEEP:	12:TMHdNMNxibgAnWimI002EtM3MHdNMNxibgAnWimI00Obd5EtMb:2d6NxOSZHKd6NxOSZ7Jjb
MD5:	0EE4592AC16B19AC08789E911F5B5486
SHA1:	D8A362BB195BD8929B6A721D9FBF7554C1D9DE9A
SHA-256:	73011F6851EFEA39A4478101B7AD690D63E97237F1B47AE99271FBF402DFA952
SHA-512:	F9C4AC9A06F6BDDB70FBBA77C09D00518F1162F6DE2695A683901254EC74079D7677B69FD431B512603D9F47A17821CEB62627749BED1F11A808882EA3FFAD62
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x68ad5b87,0x01d6e992</date><accdate>0x68ad5b87,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x68ad5b87,0x01d6e992</date><accdate>0x68ad5b87,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.126469522405549
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGw+elrvelrAnWimI002EtM3MHdNMNxhGw+elrvelrAnWimI00Ob8K0z:2d6NxQMlSlUSZHKd6NxQMlSlUSZ7YKa/
MD5:	10EBD6C78C8629C3CF8B3F2CD138F234
SHA1:	D8FA56F42E153A446C57F50FBBA84DFFD83D3282
SHA-256:	87CBE17AD9839C47C4433E7707A1492AF3B1AE9DA14183B37F438266F84FD1AC
SHA-512:	CD4AA8F33247031DCFCFA40291276EF560932E9406CED26A5AD8B0F4AFEFC35612D2AC616476C90497BDF2AE357AA049DBD02CCB89E2BB07379B8182D9716E79
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x68afbdec,0x01d6e992</date><accdate>0x68afbdec,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x68afbdec,0x01d6e992</date><accdate>0x68afbdec,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.135292333415464
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nbgAnWimI002EtM3MHdNMNx0nbgAnWimI00ObxEtMb:2d6Nx0hSZHKd6Nx0hSZ7nb
MD5:	52A2F6E5D7C40F615C356D7466069306
SHA1:	F542C6B2B408D92FFE8CA6A881375D63B4F9EAB6
SHA-256:	36A54D52BDFB803C10268FFFB74FDCF20316CD2D4D1EC554DF4BA2D87A6D98CA
SHA-512:	4BA560018A04D67064090A304247E2F15346C8E543492E6568C32978ACECADB8B8175B04EEA046711F3930FE57C7E31389E24CC2F39260014A86FB7F767D5B77
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x68ad5b87,0x01d6e992</date><accdate>0x68ad5b87,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x68ad5b87,0x01d6e992</date><accdate>0x68ad5b87,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.17479354652017
Encrypted:	false
SSDEEP:	12:TMHdNMNxxbgAnWimI002EtM3MHdNMNxxbgAnWimI00Ob6Kq5EtMb:2d6Nx7SZHKd6Nx7SZ7ob
MD5:	465725C770B6B1F4B405119CA19845A9
SHA1:	0A6C6574C8A0686EE472BDCA52AE2597C18DD572
SHA-256:	7CA2082B7C9682A4AA0570B967643DE7C1A9C4CE7001FC1F9D339656BCA0F419
SHA-512:	6A4D529374D041990B10A1689901E7C3A7B3BC170D043C0F72DEDD556B1F9E4E43CA47F59A02C5D89377DCA87E8BED08B6A35599F895BC136DD4967DF7BE28E7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x68ad5b87,0x01d6e992</date><accdate>0x68ad5b87,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x68ad5b87,0x01d6e992</date><accdate>0x68ad5b87,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.146548427542041
Encrypted:	false
SSDEEP:	12:TMHdNMNxcoHAnWimI002EtM3MHdNMNxcovwAnWimI00ObVEtMb:2d6NxuSZHKd6NxnSZ7Db
MD5:	8808DD65D0D126F30E0E09D86605B9A0
SHA1:	C3CFE1E965F5105E76ADCAC97CE350054219D13D
SHA-256:	B89325E8306BE5AFBB50200C2C5CB04EFB35ED1D094ADFFBFC0AADE01543FF0E
SHA-512:	48CB3BF199A85A9E3208DEE3ADC8CA7735D23EC0448A31FFE8B578051B2BFA66807F861E11D8420AFA1724818E9ECB44AD6E16F4B46402CD277246065259D129
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x68a89723,0x01d6e992</date><accdate>0x68a89723,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x68a89723,0x01d6e992</date><accdate>0x68aaf93e,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.098759897568669
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnawvwAnWimI002EtM3MHdNMNxfnawvwAnWimI00Obe5EtMb:2d6NxpSZHKd6NxpSZ7ijb
MD5:	1443C948F560E99D389F8DFCC367B1AA
SHA1:	C665E5FF179F6CCD5C0B944DBF2CE480EFCE1013
SHA-256:	16178F3D7A84927E88DE8FCE30EB4324E3B37D46533B6CB229CD512E4A602520
SHA-512:	2B8B8D0068F30449CD50D29B3BFEBA55833F69280C18DA330D4947CC20DE25214094E9BC1C0B1454EECCDF83685BF636C2F3B3E781A78DE7E1E62927A14C2351
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x68aaf93e,0x01d6e992</date><accdate>0x68aaf93e,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x68aaf93e,0x01d6e992</date><accdate>0x68aaf93e,0x01d6e992</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\xlsx[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	610
Entropy (8bit):	7.446106595237686
Encrypted:	false
SSDEEP:	12:6v/7iMXrhs/Ns+lovx1jE1A/uyggIrhP9fgpwvBymiN6gD9/y:s6/tGrjE+/uyLI9P2miTty
MD5:	DF5801D25ACC3A3F1F23301440C00096
SHA1:	048E30F257749D063704FEFD74E2782D905344BC
SHA-256:	687E84B08DA5544F8B05CB4C4CC9941D9B36461C594F9805382D18030710C371
SHA-512:	35B5F1BB0D096B9F96959BABCA67FE85BF0856E73E382272948E75DE578CD962F4C396F6A17623BB75ABFFA6EB567B8C50422A506612A1B67C0E1C4BA2E41608
Malicious:	false
Reputation:	low
IE Cache URL:	https://spoprod-a.akamaihd.net/files/fabric-cdn-prod_20201008.001/assets/item-types/32/xlsx.png
Preview:	.PNG........IHDR... ... .....szz.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx.b`........ %O....,Zr.l.Y....y...t....-@....L....../...d{ 3+.._...#.h.....l...D.....4u..77..o.:....055.....JGhRi@L\.....T. 3....x...8..R...60<e.P.U......Y.9..j..6......P'.>....t....d.........p!....d...??.b.,.....H+...t2.... ./...^.p&g>...:.>..a.\|.C.]4.....9..jw....ct...D;....c./3x.Y2X..2<...a.=...x(.t.}.....:.V?..? e.?....MX..TF...$.Bp..(-......I.$.@...8..:.....R0.$F....9....\|..z7X..........}..7./.......>~...s.2.]u.x..,3..."...J.4@,......1.4p.T.A.....o..........=#9.<,)*XBe.?d..P..`.....rv.M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\spoguestaccess-a0017cc2[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	161989
Entropy (8bit):	5.339918222131445
Encrypted:	false
SSDEEP:	1536:Ieh9W6NxmcW/kCClKOY/Vu3PUEz45lLi6dhqumpWxaDaNrI9itUR3D7kLDbM:RWexEPqzELi0udRhD7B
MD5:	A0017CC26C936403E7606856755692A7
SHA1:	A87C65638A0FEBAA076F5316033BA08CDE5ED843
SHA-256:	08BD9EDCC17CC0B47080B229C0A88A4347000B2904A7F5DFFD37C7DD07A99C22
SHA-512:	39F5660CD3B04B5897E26DF416BF25301AB68E8BE130E6C863507DACA6356E76CC1ED1F1DF28639D34B391FC029D35D5C12F8398618E4CA5EE0225D9B1A7291E
Malicious:	false
Reputation:	low
IE Cache URL:	https://spoprod-a.akamaihd.net/files/odsp-next-prod-amd_2020-12-04-sts_20201208.001/spoguestaccess-a0017cc2.js
Preview:	define("@fluentui/dom-utilities",["./dom-utilities/lib/index"],function(e){return e});.define("@fluentui/dom-utilities/lib/elementContains",["require","exports","./getParent"],function(e,t,n){"use strict";Object.defineProperty(t,"__esModule",{value:!0});t.elementContains=function(e,t,r){void 0===r&&(r=!0);var i=!1;if(e&&t)if(r)if(e===t)i=!0;else{i=!1;for(;t;){var s=n.getParent(t);if(s===e){i=!0;break}t=s}}else e.contains&&(i=e.contains(t));return i}});.define("@fluentui/dom-utilities/lib/elementContainsAttribute",["require","exports","./findElementRecursive"],function(e,t,n){"use strict";Object.defineProperty(t,"__esModule",{value:!0});t.elementContainsAttribute=function(e,t){var r=n.findElementRecursive(e,function(e){return e.hasAttribute(t)});return r&&r.getAttribute(t)}});.define("@fluentui/dom-utilities/lib/findElementRecursive",["require","exports","./getParent"],function(e,t,n){"use strict";Object.defineProperty(t,"__esModule",{value:!0});t.findElementRecursive=function e(t,r){re

C:\Users\user\AppData\Local\Temp\~DF3A4ED906E2C2A4CC.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12965
Entropy (8bit):	0.42177073558503364
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loqF9lom9lWu1O1YA:kBqoIx3UO1b
MD5:	9E9F9E6E722E977139EA68A53AAB6B16
SHA1:	F9A75AFAF27BD48C649855EA637017DB2E978398
SHA-256:	0209F6C80C1F3585E3E655111732BD55BDB298B75E10A84EA99FAA78A1C56ACF
SHA-512:	B5062A66E4210283BB6427D03D0247BA621BAC3C6D3E4FFD9C945701EEB98E340E48B14F1D24ECA9CB6B8CD77C1FA62287B0DD925BB714149999E77E6983D002
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFF5BAC88AD18566F0.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	41446
Entropy (8bit):	1.3579696245073978
Encrypted:	false
SSDEEP:	384:kBqoxK3HVHiHJH/HMHWHAHznHFnHxZivCe5YmO6mHS:iOlS
MD5:	1C16DCF93BE5EC3608EF021DD8D119A3
SHA1:	1494425E51E6C56840DA889916BDC0C26D17EB10
SHA-256:	5FDE717FFE45627D9E572E558A519A2AB3E7BB6B2631D0444D3D49A69DF14916
SHA-512:	CD37376D471E0D35E2001B6D17B5D031AC59FBF025A5D47753E16D929D1D10AD6F492E5D4E5FD79FD4A38C8433A72FCD9735857A65A7353E54C03D99AEB2D698
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\cmdline.out Download File
Process:	C:\Windows\SysWOW64\wget.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1027
Entropy (8bit):	5.489576928741128
Encrypted:	false
SSDEEP:	24:l9HSAfWDLHT1l6cFERntDdDMAxePgh1p31l6cl2T1vE31l6cl2qGn:bHSDKc+BtDdDMA31pKcsZEKcsqGn
MD5:	2E288A32724221E0457004F06B37A81C
SHA1:	CA43B7B04C00D17967DB1C223FC00A70C8432E35
SHA-256:	A084D759889212664C61E42E02658C0B0313A883C4327809B08A8547F9F41C35
SHA-512:	9A43062C06DD7037F363A447A0D3A1338D313991700CB71E7128618BDB86527D781CC0B1B3DF6E4BB50801C7196B26FFC841C7A31CA7BF397543ED0A592CDA3B
Malicious:	false
Reputation:	low
Preview:	--2021-01-13 01:56:13-- https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntelligenceUnit/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ?email=Bill.Sparrow%4099restaurants.com&e=4%3atJjRLx&at=9..Resolving partnersinhealth.sharepoint.com (partnersinhealth.sharepoint.com)... 40.108.137.41..Connecting to partnersinhealth.sharepoint.com (partnersinhealth.sharepoint.com)\|40.108.137.41\|:443... connected...HTTP request sent, awaiting response... 200 OK..Length: 78027 (76K) [text/html]..Saving to: 'C:/Users/user/Desktop/download/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ@email=Bill.Sparrow@99restaurants.com&e=4%3AtJjRLx&at=9'.... 0K .......... .......... .......... .......... .......... 65% 180K 0s.. 50K .......... .......... ...... 100% 1.99M=0.3s....2021-01-13 01:56:14 (262 KB/s) - 'C:/Users/user/Desktop/download/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ@email=Bill.Sparrow@99restaurants.com&e=4%3AtJjRLx&at

C:\Users\user\Desktop\download\.wget-hsts Download File
Process:	C:\Windows\SysWOW64\wget.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	5.090890247117107
Encrypted:	false
SSDEEP:	3:SY2FyFARLlbwFAM9CxnOLVFzDwIVhyyJxWQ5RdkA8dyYEbJRNLXArL20Dm3JMov:SYeRLlbA0noH9VhyyJQQ5oA8UYEbfNLv
MD5:	5D63833B62B2B08BA0A49C127B052D52
SHA1:	7B20A4EA95A1E8D447FE88B8211B082EEE65D4AF
SHA-256:	F7AD31DA55D1E035BC0C548B5CDD577077D16B68E0469F19CE9B12BD0393E933
SHA-512:	37DE15DF42AAC9428AF986F09F92E23EBDA37D656F0EFEE1CD07325BBD5E508A8B6EB7CECA7F42FAB1174D9B7481885C0EFA9C6C4F49930010C80EAEA352B5A3
Malicious:	false
Reputation:	low
Preview:	# HSTS 1.0 Known Hosts database for GNU Wget...# Edit at your own risk...# <hostname>.<port>.<incl. subdomains>.<created>.<max-age>..partnersinhealth.sharepoint.com.0.0.1610531774.31536000..

C:\Users\user\Desktop\download\Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ@email=Bill.Sparrow@99restaurants.com&e=4%3AtJjRLx&at=9 Download File
Process:	C:\Windows\SysWOW64\wget.exe
File Type:	HTML document, ASCII text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	78027
Entropy (8bit):	5.571804087436113
Encrypted:	false
SSDEEP:	1536:Plggu7WXBOxSPSW8N6fGNNKXujzAJs2Suj25:PLuCCGeTKXuVuO
MD5:	5ACA5A2FFE3302CB271ACE70DC0FE36E
SHA1:	91A88DBC7EEC2E1B069367E4F14E7D2979343573
SHA-256:	74D4D2EA5C75CA9C2E5856D9E9DF05ADDAA8F07D3A9F84F291D8C6FA3BB1C69D
SHA-512:	B818771767813A4A3EE3EDE85C79D47E7702864400929812E7084B2161591F68262B19CA14B0E4BFFF40B3D90B52D3F7881FA363AA6811D07C3C01E9E10E7066
Malicious:	false
Reputation:	low
Preview:	..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns:o="urn:schemas-microsoft-com:office:office" lang="en-us" dir="ltr">..<head><meta name="GENERATOR" content="Microsoft SharePoint" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta http-equiv="Expires" content="0" /><meta name="Robots" content="NOHTMLINDEX" /><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><link id="favicon" rel="shortcut icon" href="/_layouts/15/images/favicon.ico?rev=47" type="image/vnd.microsoft.icon" /><title>...Sharing Link Validation..</title>...<style type="text/css" media="screen, print, projection">....html{line-height:1.15;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}article,aside,footer,header,nav,section{display:block}h1{font-size:2em;margin:.67em 0}figcaption,figure,ma

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 01:56:13.759547949 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:13.904985905 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:13.905138969 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:13.913949013 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.060374975 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.060430050 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.060463905 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.060621023 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.076025009 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.222326994 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.226738930 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.416731119 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.845175028 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.845241070 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.845272064 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.845300913 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.845330000 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.845370054 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.845447063 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.845484972 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.845523119 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.845527887 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.845561028 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.845602989 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.845633030 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.845639944 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.845670938 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.845700026 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.845709085 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.845748901 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.845787048 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.845824957 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.845904112 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.990250111 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.990318060 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.990360975 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.990397930 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.990416050 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.990436077 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.990474939 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.990483046 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.990510941 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.990549088 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.990566015 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.990596056 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.990632057 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.990641117 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.990669966 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.990706921 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.990744114 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.990753889 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.990794897 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.990829945 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.990830898 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.990869045 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.990885019 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.990906000 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.990942001 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.990962982 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.990978956 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.991017103 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.991063118 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.991066933 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.991105080 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.991128922 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.991142035 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.991180897 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.991202116 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.991216898 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.991252899 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.991255999 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.991291046 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.991328001 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.991374969 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.991400957 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.991415977 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.991453886 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.991491079 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:14.991493940 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:14.991552114 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:15.135967016 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:15.136019945 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:15.136059999 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:15.136097908 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:15.136135101 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:15.136178017 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:15.136182070 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:15.136224031 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:15.136260986 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:15.136267900 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:15.136301041 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:15.136341095 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:15.136343956 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:15.136378050 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:15.136405945 CET	443	49682	40.108.137.41	192.168.2.3
Jan 13, 2021 01:56:15.136523008 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:15.136554956 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:15.520143986 CET	49682	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:18.609467983 CET	49685	443	192.168.2.3	40.108.137.41
Jan 13, 2021 01:56:18.609658003 CET	49686	443	192.168.2.3	40.108.137.41

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 01:56:13.628463984 CET	51904	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:56:13.749702930 CET	53	51904	8.8.8.8	192.168.2.3
Jan 13, 2021 01:56:17.176605940 CET	61328	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:56:17.236324072 CET	53	61328	8.8.8.8	192.168.2.3
Jan 13, 2021 01:56:18.505795002 CET	54130	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:56:18.515054941 CET	56961	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:56:18.571999073 CET	53	56961	8.8.8.8	192.168.2.3
Jan 13, 2021 01:56:18.607713938 CET	53	54130	8.8.8.8	192.168.2.3
Jan 13, 2021 01:56:39.308556080 CET	59353	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:56:39.374706984 CET	53	59353	8.8.8.8	192.168.2.3
Jan 13, 2021 01:56:47.192418098 CET	52238	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:56:47.239507914 CET	53	52238	8.8.8.8	192.168.2.3
Jan 13, 2021 01:56:47.890770912 CET	49873	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:56:47.938075066 CET	53	49873	8.8.8.8	192.168.2.3
Jan 13, 2021 01:56:48.180442095 CET	52238	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:56:48.235960960 CET	53	52238	8.8.8.8	192.168.2.3
Jan 13, 2021 01:56:48.881573915 CET	49873	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:56:48.928859949 CET	53	49873	8.8.8.8	192.168.2.3
Jan 13, 2021 01:56:49.193836927 CET	52238	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:56:49.240947008 CET	53	52238	8.8.8.8	192.168.2.3
Jan 13, 2021 01:56:49.881797075 CET	49873	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:56:49.928958893 CET	53	49873	8.8.8.8	192.168.2.3
Jan 13, 2021 01:56:51.194642067 CET	52238	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:56:51.250201941 CET	53	52238	8.8.8.8	192.168.2.3
Jan 13, 2021 01:56:51.897406101 CET	49873	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:56:51.944776058 CET	53	49873	8.8.8.8	192.168.2.3
Jan 13, 2021 01:56:55.210334063 CET	52238	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:56:55.257808924 CET	53	52238	8.8.8.8	192.168.2.3
Jan 13, 2021 01:56:55.913307905 CET	49873	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:56:55.960745096 CET	53	49873	8.8.8.8	192.168.2.3
Jan 13, 2021 01:56:58.336972952 CET	53196	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:56:58.384295940 CET	53	53196	8.8.8.8	192.168.2.3
Jan 13, 2021 01:57:48.553457975 CET	56777	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:57:48.612126112 CET	53	56777	8.8.8.8	192.168.2.3
Jan 13, 2021 01:57:49.812861919 CET	58643	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:57:49.862839937 CET	53	58643	8.8.8.8	192.168.2.3
Jan 13, 2021 01:57:50.911310911 CET	60985	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:57:50.958623886 CET	53	60985	8.8.8.8	192.168.2.3
Jan 13, 2021 01:57:52.123501062 CET	50200	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:57:52.170756102 CET	53	50200	8.8.8.8	192.168.2.3
Jan 13, 2021 01:57:53.503588915 CET	51281	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:57:53.554100037 CET	53	51281	8.8.8.8	192.168.2.3
Jan 13, 2021 01:57:54.551243067 CET	49199	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:57:54.598515034 CET	53	49199	8.8.8.8	192.168.2.3
Jan 13, 2021 01:57:55.568295002 CET	50620	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:57:55.623869896 CET	53	50620	8.8.8.8	192.168.2.3
Jan 13, 2021 01:57:56.785502911 CET	64938	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:57:56.832742929 CET	53	64938	8.8.8.8	192.168.2.3
Jan 13, 2021 01:57:57.878401041 CET	60152	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:57:57.933851957 CET	53	60152	8.8.8.8	192.168.2.3
Jan 13, 2021 01:57:58.996651888 CET	57544	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:57:59.052225113 CET	53	57544	8.8.8.8	192.168.2.3
Jan 13, 2021 01:58:00.062534094 CET	55984	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:58:00.112534046 CET	53	55984	8.8.8.8	192.168.2.3
Jan 13, 2021 01:58:01.095796108 CET	64185	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:58:01.151580095 CET	53	64185	8.8.8.8	192.168.2.3
Jan 13, 2021 01:58:02.184326887 CET	65110	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:58:02.231594086 CET	53	65110	8.8.8.8	192.168.2.3
Jan 13, 2021 01:58:04.204910040 CET	58361	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:58:04.252127886 CET	53	58361	8.8.8.8	192.168.2.3
Jan 13, 2021 01:58:09.757668972 CET	63492	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:58:09.816150904 CET	53	63492	8.8.8.8	192.168.2.3
Jan 13, 2021 01:58:10.806243896 CET	60831	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:58:10.864552021 CET	53	60831	8.8.8.8	192.168.2.3
Jan 13, 2021 01:58:11.899563074 CET	60100	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:58:11.949646950 CET	53	60100	8.8.8.8	192.168.2.3
Jan 13, 2021 01:58:12.996886015 CET	53195	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:58:13.044276953 CET	53	53195	8.8.8.8	192.168.2.3
Jan 13, 2021 01:58:14.072880030 CET	50141	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:58:14.131541967 CET	53	50141	8.8.8.8	192.168.2.3
Jan 13, 2021 01:58:15.473736048 CET	53023	53	192.168.2.3	8.8.8.8
Jan 13, 2021 01:58:15.520993948 CET	53	53023	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2021 01:56:13.628463984 CET	192.168.2.3	8.8.8.8	0xde39	Standard query (0)	partnersinhealth.sharepoint.com	A (IP address)	IN (0x0001)
Jan 13, 2021 01:56:18.505795002 CET	192.168.2.3	8.8.8.8	0x8488	Standard query (0)	partnersinhealth.sharepoint.com	A (IP address)	IN (0x0001)
Jan 13, 2021 01:56:18.515054941 CET	192.168.2.3	8.8.8.8	0x4e3a	Standard query (0)	spoprod-a.akamaihd.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 13, 2021 01:56:13.749702930 CET	8.8.8.8	192.168.2.3	0xde39	No error (0)	partnersinhealth.sharepoint.com	433-ipv4e.clump.prod.aa-rt.sharepoint.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 01:56:13.749702930 CET	8.8.8.8	192.168.2.3	0xde39	No error (0)	433-ipv4e.clump.prod.aa-rt.sharepoint.com	18164-ipv4e.farm.prod.aa-rt.sharepoint.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 01:56:13.749702930 CET	8.8.8.8	192.168.2.3	0xde39	No error (0)	18164-ipv4e.farm.prod.aa-rt.sharepoint.com	18164-ipv4.farm.prod.aa-rt.sharepoint.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 01:56:13.749702930 CET	8.8.8.8	192.168.2.3	0xde39	No error (0)	18164-ipv4.farm.prod.aa-rt.sharepoint.com		40.108.137.41	A (IP address)	IN (0x0001)
Jan 13, 2021 01:56:18.571999073 CET	8.8.8.8	192.168.2.3	0x4e3a	No error (0)	spoprod-a.akamaihd.net	spoprod-a.akamaihd.net.edgesuite.net		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 01:56:18.607713938 CET	8.8.8.8	192.168.2.3	0x8488	No error (0)	partnersinhealth.sharepoint.com	433-ipv4e.clump.prod.aa-rt.sharepoint.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 01:56:18.607713938 CET	8.8.8.8	192.168.2.3	0x8488	No error (0)	433-ipv4e.clump.prod.aa-rt.sharepoint.com	18164-ipv4e.farm.prod.aa-rt.sharepoint.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 01:56:18.607713938 CET	8.8.8.8	192.168.2.3	0x8488	No error (0)	18164-ipv4e.farm.prod.aa-rt.sharepoint.com	18164-ipv4.farm.prod.aa-rt.sharepoint.com		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 01:56:18.607713938 CET	8.8.8.8	192.168.2.3	0x8488	No error (0)	18164-ipv4.farm.prod.aa-rt.sharepoint.com		40.108.137.41	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: cmd.exe PID: 5564 Parent PID: 2052

General

Start time:	01:56:11
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntelligenceUnit/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ?email=Bill.Sparrow%4099restaurants.com&e=4%3atJjRLx&at=9' > cmdline.out 2>&1
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: conhost.exe PID: 4792 Parent PID: 5564

General

Start time:	01:56:11
Start date:	13/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: wget.exe PID: 4972 Parent PID: 5564

General

Start time:	01:56:12
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\wget.exe
Wow64 process (32bit):	true
Commandline:	wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntelligenceUnit/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ?email=Bill.Sparrow%4099restaurants.com&e=4%3atJjRLx&at=9'
Imagebase:	0x400000
File size:	3895184 bytes
MD5 hash:	3DADB6E2ECE9C4B3E1E322E617658B60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: iexplore.exe PID: 464 Parent PID: 5644

General

Start time:	01:56:16
Start date:	13/01/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ@email=Bill.Sparrow@99restaurants.com&e=4%3AtJjRLx&at=9.html
Imagebase:	0x7ff6eb000000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: iexplore.exe PID: 2432 Parent PID: 464

General

Start time:	01:56:17
Start date:	13/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:464 CREDAT:17410 /prefetch:2
Imagebase:	0x180000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net . Adversaries may also use local host files (ex: `C:\Windows\System32\Drivers\etc\hosts` or `/etc/hosts` ) in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report https://partnersinhealth.sharepoint.com/:x:/s/COVIDCommunityTeam-Massachusetts-EIU-EpidemicIntelligenceUnit/Ec_oHive0IlGh0zKWdNWJqwBv4CGuicjIXG6ZM__kHKiUQ?email=Bill.Sparrow%4099restaurants.com&e=4%3atJjRLx&at=9

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: cmd.exe PID: 5564 Parent PID: 2052

General

Analysis Process: conhost.exe PID: 4792 Parent PID: 5564

General

Analysis Process: wget.exe PID: 4972 Parent PID: 5564

General

Analysis Process: iexplore.exe PID: 464 Parent PID: 5644

General

Analysis Process: iexplore.exe PID: 2432 Parent PID: 464

General

Disassembly

Code Analysis