Play interactive tour

Edit tour

Analysis Report http://thebig-prizebox4.life

Overview

General Information

Sample URL:	http://thebig-prizebox4.life
Analysis ID:	348830
Most interesting Screenshot:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

Startup

System is w10x64

iexplore.exe (PID: 6060 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5392 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6060 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 5.188.178.85:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.188.178.85:443 -> 192.168.2.7:49720 version: TLS 1.2

Networking:

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: thebig-prizebox4.lifeConnection: Keep-Alive

Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbb9ec0b4,0x01d6fb64</date><accdate>0xbb9ec0b4,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbb9ec0b4,0x01d6fb64</date><accdate>0xbb9ec0b4,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbba3856b,0x01d6fb64</date><accdate>0xbba3856b,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbba3856b,0x01d6fb64</date><accdate>0xbba3856b,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbba5e7c7,0x01d6fb64</date><accdate>0xbba5e7c7,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbba5e7c7,0x01d6fb64</date><accdate>0xbba5e7c7,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: thebig-prizebox4.life

Source: msapplication.xml.1.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr	String found in binary or memory: http://www.youtube.com/
Source: ~DF2F14F9883A070787.TMP.1.dr	String found in binary or memory: https://thebig-prizebox4.life/
Source: {E6230AEE-6757-11EB-90E6-ECF4BB82F7E0}.dat.1.dr	String found in binary or memory: https://thebig-prizebox4.life/Root

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719

Source: unknown	HTTPS traffic detected: 5.188.178.85:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.188.178.85:443 -> 192.168.2.7:49720 version: TLS 1.2

System Summary:

Source: classification engine

Classification label: clean0.win@3/17@2/1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E6230AEC-6757-11EB-90E6-ECF4BB82F7E0}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DF8C52B475A0AA4D27.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6060 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6060 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Ingress Tool Transfer1	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://thebig-prizebox4.life	0%	Avira URL Cloud	safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
https://thebig-prizebox4.life/Root	0%	Avira URL Cloud	safe
http://thebig-prizebox4.life/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
thebig-prizebox4.life	5.188.178.85	true	false		unknown
favicon.ico	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://thebig-prizebox4.life/	false		unknown
http://thebig-prizebox4.life/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.wikipedia.com/	msapplication.xml6.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.com/	msapplication.xml.1.dr	false		high
http://www.nytimes.com/	msapplication.xml3.1.dr	false		high
http://www.live.com/	msapplication.xml2.1.dr	false		high
https://thebig-prizebox4.life/Root	{E6230AEE-6757-11EB-90E6-ECF4BB82F7E0}.dat.1.dr	false	Avira URL Cloud: safe	unknown
http://www.reddit.com/	msapplication.xml4.1.dr	false		high
http://www.twitter.com/	msapplication.xml5.1.dr	false		high
http://www.youtube.com/	msapplication.xml7.1.dr	false		high
https://thebig-prizebox4.life/	~DF2F14F9883A070787.TMP.1.dr	false		unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.188.178.85	unknown	Russian Federation		209813	FASTCONTENTDE	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	348830
Start date:	04.02.2021
Start time:	18:13:52
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://thebig-prizebox4.life
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@3/17@2/1
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 104.43.139.144, 88.221.62.148, 2.18.68.82, 51.104.144.132, 152.199.19.161, 92.122.213.194, 92.122.213.247, 2.20.142.210, 2.20.142.209, 51.103.5.159, 52.155.217.156 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, go.microsoft.com, emea1.wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, ie9comview.vo.msecnd.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, cs9.wpc.v0cdn.net VT rate limit hit for: http://thebig-prizebox4.life

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E6230AEC-6757-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	30296
Entropy (8bit):	1.8503941902548149
Encrypted:	false
SSDEEP:	192:rHZYZG2p9WuthifypXzMZPB61D9sfcpGjX:r549pUO+zPGQ1
MD5:	C95558C2E2D4B92B9FCE46853F0080E3
SHA1:	604A6654C949D1108087173F6A32633EF26FA111
SHA-256:	1503D58822296700205C65F9B3FA0AE9F8241ABB8AD91DEF68C9676406455932
SHA-512:	0B99A9844129E1A35668079CD50E7E619C96D393E1D52EF4A3D0798DBDCC371D88B1E0E1DABD074CB5F815310B37E86BD9D41F3F713D29598D0332B5E16B2FCC
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E6230AEE-6757-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27616
Entropy (8bit):	1.8056408247293156
Encrypted:	false
SSDEEP:	96:rGZJQd6XBSoFjx2okWwMXYwg/jPUdSyJSr:rGZJQd6XkoFjx2okWwMXYwCjPear
MD5:	3B042AF09D74AC01DEC681ED67C459F0
SHA1:	065ABE98FD26E06FF228749B9FAC725AC17F201D
SHA-256:	37388611DB0B566AEC69A13A5645A448DEEE5D623F01BB9A574DF46EAED7F5C0
SHA-512:	1D6EE790C71230A4EFF8BC3345D3C0B57D5E1A1F129140F2532D67A60EC09594BDD02178267463B038E95FD058120588B2FDA127A9A946C49C7A4A40B27E3E3A
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E6230AEF-6757-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.5652347615269062
Encrypted:	false
SSDEEP:	48:Iwl5GcprFGwpaYG4pQIGrapbS1rGQpKbG7HpRwsTGIpG:rlfZPQI6WBS1FAaTw4A
MD5:	8A22E52A18F5FBEAA385B92EA29E320F
SHA1:	815D370720BC5B38BE7259E15547CCA0065B760C
SHA-256:	D6C67B6A37936C4AC3567F0F17CBD5393E48C40C1FD74DBA4F748B373CCA023F
SHA-512:	A3E79B62FDCD48D2F0A7937EFD32389B0A2F06E7727FB9F55E60D1DB4EAC2957262E01F9765842DCF1F69E377176814A9D937973FCD074D8EF07AF1CB2A2D4C8
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	660
Entropy (8bit):	5.107525981712353
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEznWimI002EtM3MHdNMNxOEznWimI00OYVbkEtMb:2d6NxOeSZHKd6NxOeSZ7xb
MD5:	95F5B3BA6BDCE672D5A0F592741915B7
SHA1:	A0D91AC168C69DAC8091FC6CFC3772DA1B442113
SHA-256:	1A074954D78C8CDD0C0F5DF69147868FAA6D90E58F4046F9DF026B3F85B57362
SHA-512:	5A6C270C12C7F7FEC73CB8DF22EFFD375B09664C94BC14BB1CA5916E50240C56C688828A2BCD0865A6E62E5656545C73C4796D6688DEF04566BC4DACBDA19575
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbba3856b,0x01d6fb64</date><accdate>0xbba3856b,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbba3856b,0x01d6fb64</date><accdate>0xbba3856b,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.129375579655595
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kBVpVjnWimI002EtM3MHdNMNxe2kBVpVjnWimI00OYkak6EtMb:2d6Nxri/NSZHKd6Nxri/NSZ7Ja7b
MD5:	EEF827BB13953E042338D55FCFDCD8D1
SHA1:	4955D7DCCDB9ECB7B3A656B61FBD3EE11A8A8C96
SHA-256:	5A2AAE5211DC9E76114FCB6372EEE52C7DB1B91B0AE03DFC55FA309D74FB4123
SHA-512:	B78F2E3823BC73755F0500C6B8AA48362308D8BBC6A895BB2A4FFB53FA3DC28D4801EEF4FDBB6CDF7F6A8F972B6D2F0DF843D923A5EAC62A2E97AF677DDDC71E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xbb9c5e50,0x01d6fb64</date><accdate>0xbb9c5e50,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xbb9c5e50,0x01d6fb64</date><accdate>0xbb9c5e50,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	666
Entropy (8bit):	5.101178021593645
Encrypted:	false
SSDEEP:	12:TMHdNMNxvL1nWimI002EtM3MHdNMNxvL1nWimI00OYmZEtMb:2d6NxvhSZHKd6NxvhSZ7Zb
MD5:	14097BF4C09DAF4DCDFA78833A3C4714
SHA1:	FEDFEF1DF3D26F881BFF96E80512603AB2E072F4
SHA-256:	E26D10D3F3B936D3C4E5D6EDDD26F6EAF04CF1AEF58EBF7DBC7B8D429C74D744
SHA-512:	AA0A55B69F152A93067B612B78CB451D53CB5CDA71EA81E9386D9B58705DC365F2716392453837D0B8FB2737874D8345A48B278EAEC925A46297337E7015C917
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xbba5e7c7,0x01d6fb64</date><accdate>0xbba5e7c7,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xbba5e7c7,0x01d6fb64</date><accdate>0xbba5e7c7,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	651
Entropy (8bit):	5.109513362552848
Encrypted:	false
SSDEEP:	12:TMHdNMNxiRmmnWimI002EtM3MHdNMNxiRmmnWimI00OYd5EtMb:2d6NxeSZHKd6NxeSZ7qjb
MD5:	70EAA3E45DA06D3783511081E96F12C3
SHA1:	3B43BE31A2FB78B3A4E04DEFF7EA33E9349840A4
SHA-256:	2027DEC345E2356C1D8F5CA9E077A9FD5FA2C69F8E20E1499530B80819AB006D
SHA-512:	8F21A98BAE5D3C63AFC60D8AA10DBA41AEE37A95DA8C1B7E3FEA3047E99930016AFE30BEA22AF72A70E17B4D7CAEE5C393FBE94A1E5645CF73462656C17E6D17
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xbba12310,0x01d6fb64</date><accdate>0xbba12310,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xbba12310,0x01d6fb64</date><accdate>0xbba12310,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	modified
Size (bytes):	660
Entropy (8bit):	5.113148601093593
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGw1nWimI002EtM3MHdNMNxhGw1nWimI00OY8K075EtMb:2d6NxQ4SZHKd6NxQ4SZ7RKajb
MD5:	8F8DE68CF95D9BE6981A2080D6869FA1
SHA1:	378C357B306DC18009276675476C44C83F1C505F
SHA-256:	AEB319CF942BB2236E39B34A3F06A92CCF23AC28E22182E4C646D8957CE39337
SHA-512:	349C0EBCF24390931EAC667B4D5E01CDA6687CFC8CE75FD07FBD5481F64E34285B6AC12486F7A122C89EB1BB57534C08F5A31A1A56B774DB82C584A6B9631F9C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbba5e7c7,0x01d6fb64</date><accdate>0xbba5e7c7,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbba5e7c7,0x01d6fb64</date><accdate>0xbba5e7c7,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.111041388659029
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nznWimI002EtM3MHdNMNx0nznWimI00OYxEtMb:2d6Nx0zSZHKd6Nx0zSZ7+b
MD5:	D882CDE09D40C700C30918E2709A81ED
SHA1:	FA7B09061076BCC5F139E06B6729D66AD1883BE1
SHA-256:	F0AE4CF9600BF74740CFAA9E3F4483E29A92664F07EBAD5BB53304E9EE00D1B3
SHA-512:	FC547C130F78EC83F2F76BFD84C59E1DAC9D0274764E8E3E76F0FF3558D6246318CE8F7EFFBBBB7258B01E7E4F829FE87B9AC86CE8C95D53A9658AAD4517E92F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xbba3856b,0x01d6fb64</date><accdate>0xbba3856b,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xbba3856b,0x01d6fb64</date><accdate>0xbba3856b,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	660
Entropy (8bit):	5.133499809289863
Encrypted:	false
SSDEEP:	12:TMHdNMNxxRmmnWimI002EtM3MHdNMNxxRmmnWimI00OY6Kq5EtMb:2d6NxfSZHKd6NxfSZ7Xb
MD5:	C7DB87CC57B4F699E2AE55414CA48318
SHA1:	E7FE8FC8086B437B770CC53C8E249F7DA93C29FD
SHA-256:	4AE3741853894BC394F57ECB87B19EEC1E6892CBA3A19635B210F06D86FE84A7
SHA-512:	D23B1F895C760C106EAD90138E50FE19B38226F715B8F1F956E12633630FC2297B14CB0C30EEA483DBE554CCA5AFDF49B4A13B11DAF46E5C887D973B731D439A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xbba12310,0x01d6fb64</date><accdate>0xbba12310,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xbba12310,0x01d6fb64</date><accdate>0xbba12310,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	663
Entropy (8bit):	5.095048842072914
Encrypted:	false
SSDEEP:	12:TMHdNMNxcB8088nWimI002EtM3MHdNMNxcB8088nWimI00OYVEtMb:2d6Nxq8088SZHKd6Nxq8088SZ7Gb
MD5:	947D55576EBC1907AE10FCBCE96609F7
SHA1:	45100F2F349230CF182B2C96B16F228B36247CD9
SHA-256:	798B0A0550F737FA6D03C90E2C1AC472C68750CF459B3F22C724ABFCDBDCE6B3
SHA-512:	54ACA94C15EB6BC93E582CAA839B3526BDF1C088CF59428D8542976C2E4286264B01BDF831DD8F7F472481798E5DE03CFBD3A97BC3D38DF0B46B1CCEE4B224BC
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbb9ec0b4,0x01d6fb64</date><accdate>0xbb9ec0b4,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbb9ec0b4,0x01d6fb64</date><accdate>0xbb9ec0b4,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.095025536443272
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnRmmnWimI002EtM3MHdNMNxfnRmmnWimI00OYe5EtMb:2d6NxtSZHKd6NxtSZ7Fjb
MD5:	5FD111908B3C07A91FCE9164344B2591
SHA1:	82885689BE1ECA79B63B85FE1BF8904E636A8849
SHA-256:	F5D5AF97DB45B7584F0AAE9B0FA5B1BAFA79495C0C908824CDC636FF1FEA6A41
SHA-512:	A099A5DBD2B586E9B1617A6C1E4A1252B88BD9A834E8AFEF4B3874A14ED322F92B26E8FD1AF865C455DB42E563CB07441D316F834F5E43B12CD070629B54F956
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xbba12310,0x01d6fb64</date><accdate>0xbba12310,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xbba12310,0x01d6fb64</date><accdate>0xbba12310,0x01d6fb64</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\4GPWOJAM.htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	676
Entropy (8bit):	5.721865310760231
Encrypted:	false
SSDEEP:	12:lnMEwuiuX4w4voq4Wh4C5/KenJeOEloEwMzWQnuh8rXmiKJcrYeeOEuGPXEuGjl4:lMNmMvx4Wr5wOEloE3zWL8rXmPrOEuQx
MD5:	6DD230DED7ED1C7530A0729ECFABEC9E
SHA1:	B5E2C54C5E704F98CD21103F1698FF738F318326
SHA-256:	EC1AA6B56580EE5332BCA164751B93B39974EEDB2E7FDB4B9ACF3BC6660F1BCC
SHA-512:	03B577117ED07420F29834FF06FF2C8522FC8A33EC834FEB54242CCCF3BE8720983F3C3CEF5F3E327DE2E52D81BA6827A2EF0E2F37003D1D356BD4ED4AA93B7F
Malicious:	false
Reputation:	low
IE Cache URL:	https://thebig-prizebox4.life/
Preview:	....<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">....<html xmlns="http://www.w3.org/1999/xhtml">..<head><title>....</title></head>..<body >.. <form method="post" action="404.aspx" id="form1">..<div class="aspNetHidden">..<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="cS22sLk2/wXAxtVs8lyjzJs5rlKRGQmvm6FxwZCkKkiA9tJOcYrh2tgdpkEVc+MFRsdCP7gcvFefKP1z4qlnOft56NEcAdSDf78Jp6C93Lw=" />..</div>....<div class="aspNetHidden">.....<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="193A34DB" />..</div>....Under construction.. </form>..</body>..</html>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\96LR0YCY.htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	178
Entropy (8bit):	4.560890767001816
Encrypted:	false
SSDEEP:	3:qVoB3tUROGclXqyvXboAc9FKEIHiHby4AqWSZUXqXlIVLLP61IwcWWGu:q43tISl6kXiWHiHuwWSU6XlI5LP8IpfB
MD5:	CD2E0E43980A00FB6A2742D3AFD803B8
SHA1:	81FFBD1712AFE8CDF138B570C0FC9934742C33C1
SHA-256:	BD9DF047D51943ACC4BC6CF55D88EDB5B6785A53337EE2A0F74DD521AEDDE87D
SHA-512:	0344C6B2757D4D787ED4A31EC7043C9DC9BF57017E451F60CECB9AD8F5FEBF64ACF2A6C996346AE4B23297623EBF747954410AEE27EE3C2F3C6CCD15A15D0F2D
Malicious:	false
Reputation:	low
Preview:	<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>..

C:\Users\user\AppData\Local\Temp\~DF2F14F9883A070787.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	35377
Entropy (8bit):	0.5024679209413202
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+B/NMwIwk2Z2SQDKSBnfUa0dr2:kBqoxKAuvScS+B/NMPTfUdS
MD5:	223221517910946CB09947F74CDBB33B
SHA1:	45D7604E9F622004A8F5DA04E26EE6C47C6586A0
SHA-256:	11723BF772A2040CB6970A2F2201E22AB412B975B15CD90CEF563417C5951C88
SHA-512:	9E3BD146A4F2F11183CD39D8B4A9EB8E5DAC4655996F55C278F048B95BCAE25DCDDB89558D7CDDAAD595FE7E5001EA871CD2702C8F3813F84334EBCE2085A7E9
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF8C52B475A0AA4D27.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13029
Entropy (8bit):	0.4771841235671884
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lo/dk9lo/d09lW/d17SW7S7StuRWRt:kBqoI/dP/dZ/d17SW7S7SwRWRt
MD5:	0D36F1DEF275D3174227BFA6B701E1A6
SHA1:	C5FD0710DC35772260FFC62C2FC8B91A31C5ADD6
SHA-256:	AA87AB7783B0B7C9BBE1B7A68655C93BC75073BE3A81F95820A91276B309597F
SHA-512:	846CB2354821E6E874FEA07EF87A600CC7968917BE86C1DFC9A22D37095575E33BD3FA55D17F9CA039696F99660D418433E1AA17E601D246477F33D3B46C094D
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFDBA9361659ED43C1.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	25441
Entropy (8bit):	0.28868685263923116
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laAd:kBqoxxJhHWSVSEabd
MD5:	D595447815AE4D919C17EF87BA3F4D53
SHA1:	EF50F9DAA4C708D5EFE0DE1058FEF3823D861799
SHA-256:	A35D8DC2F639F17AD0818A63AB962258C1422E326BF91062946A12E6C050E429
SHA-512:	8FD11F71C789262F2DFCF35FC0FD0244DB17C0401C3952EAC6810E0204663B883F66A6CD8217959C322CAF8B18D473C284CA9F2D59FD3DD48D09A4247C16A119
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 4, 2021 18:14:41.142937899 CET	49716	80	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.144254923 CET	49717	80	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.196405888 CET	80	49716	5.188.178.85	192.168.2.7
Feb 4, 2021 18:14:41.196515083 CET	49716	80	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.197417974 CET	49716	80	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.197896957 CET	80	49717	5.188.178.85	192.168.2.7
Feb 4, 2021 18:14:41.198025942 CET	49717	80	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.249109030 CET	80	49716	5.188.178.85	192.168.2.7
Feb 4, 2021 18:14:41.249147892 CET	80	49716	5.188.178.85	192.168.2.7
Feb 4, 2021 18:14:41.249291897 CET	49716	80	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.259212971 CET	49719	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.311120033 CET	443	49719	5.188.178.85	192.168.2.7
Feb 4, 2021 18:14:41.311858892 CET	49719	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.318273067 CET	49719	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.371828079 CET	443	49719	5.188.178.85	192.168.2.7
Feb 4, 2021 18:14:41.372759104 CET	443	49719	5.188.178.85	192.168.2.7
Feb 4, 2021 18:14:41.372864008 CET	443	49719	5.188.178.85	192.168.2.7
Feb 4, 2021 18:14:41.372899055 CET	443	49719	5.188.178.85	192.168.2.7
Feb 4, 2021 18:14:41.372947931 CET	49719	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.373003960 CET	49719	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.373014927 CET	49719	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.420491934 CET	49719	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.427522898 CET	49719	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.472686052 CET	443	49719	5.188.178.85	192.168.2.7
Feb 4, 2021 18:14:41.472851992 CET	49719	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.482923985 CET	443	49719	5.188.178.85	192.168.2.7
Feb 4, 2021 18:14:41.482945919 CET	443	49719	5.188.178.85	192.168.2.7
Feb 4, 2021 18:14:41.491704941 CET	49719	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.501413107 CET	49719	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.553275108 CET	443	49719	5.188.178.85	192.168.2.7
Feb 4, 2021 18:14:41.693197012 CET	49720	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.745121956 CET	443	49720	5.188.178.85	192.168.2.7
Feb 4, 2021 18:14:41.745276928 CET	49720	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.746021032 CET	49720	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.797730923 CET	443	49720	5.188.178.85	192.168.2.7
Feb 4, 2021 18:14:41.798583031 CET	443	49720	5.188.178.85	192.168.2.7
Feb 4, 2021 18:14:41.798666000 CET	49720	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.798712969 CET	443	49720	5.188.178.85	192.168.2.7
Feb 4, 2021 18:14:41.798732996 CET	443	49720	5.188.178.85	192.168.2.7
Feb 4, 2021 18:14:41.798774004 CET	49720	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.798804998 CET	49720	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.802340031 CET	49720	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.802776098 CET	49720	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.854367018 CET	443	49720	5.188.178.85	192.168.2.7
Feb 4, 2021 18:14:41.854882956 CET	49720	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:14:41.856977940 CET	443	49720	5.188.178.85	192.168.2.7
Feb 4, 2021 18:14:41.857079029 CET	49720	443	192.168.2.7	5.188.178.85
Feb 4, 2021 18:15:11.249669075 CET	80	49717	5.188.178.85	192.168.2.7
Feb 4, 2021 18:15:11.249692917 CET	80	49716	5.188.178.85	192.168.2.7
Feb 4, 2021 18:15:11.249829054 CET	49717	80	192.168.2.7	5.188.178.85
Feb 4, 2021 18:15:11.249856949 CET	49716	80	192.168.2.7	5.188.178.85
Feb 4, 2021 18:15:11.856992006 CET	443	49720	5.188.178.85	192.168.2.7
Feb 4, 2021 18:15:11.857004881 CET	443	49720	5.188.178.85	192.168.2.7
Feb 4, 2021 18:15:11.857105017 CET	49720	443	192.168.2.7	5.188.178.85

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 4, 2021 18:14:35.132072926 CET	58717	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:14:35.179909945 CET	53	58717	8.8.8.8	192.168.2.7
Feb 4, 2021 18:14:36.341144085 CET	59762	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:14:36.386980057 CET	53	59762	8.8.8.8	192.168.2.7
Feb 4, 2021 18:14:37.642046928 CET	54329	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:14:37.687859058 CET	53	54329	8.8.8.8	192.168.2.7
Feb 4, 2021 18:14:38.594918013 CET	58052	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:14:38.642137051 CET	53	58052	8.8.8.8	192.168.2.7
Feb 4, 2021 18:14:39.890849113 CET	54008	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:14:39.933403015 CET	59451	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:14:39.947055101 CET	53	54008	8.8.8.8	192.168.2.7
Feb 4, 2021 18:14:39.979254007 CET	53	59451	8.8.8.8	192.168.2.7
Feb 4, 2021 18:14:41.074177980 CET	52914	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:14:41.133960962 CET	53	52914	8.8.8.8	192.168.2.7
Feb 4, 2021 18:14:41.170332909 CET	64569	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:14:41.217880011 CET	53	64569	8.8.8.8	192.168.2.7
Feb 4, 2021 18:14:42.674813986 CET	52816	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:14:42.723640919 CET	53	52816	8.8.8.8	192.168.2.7
Feb 4, 2021 18:14:44.129467010 CET	50781	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:14:44.178733110 CET	53	50781	8.8.8.8	192.168.2.7
Feb 4, 2021 18:14:45.247910976 CET	54230	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:14:45.293637991 CET	53	54230	8.8.8.8	192.168.2.7
Feb 4, 2021 18:14:46.376816988 CET	54911	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:14:46.435705900 CET	53	54911	8.8.8.8	192.168.2.7
Feb 4, 2021 18:14:48.098948956 CET	49958	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:14:48.156934977 CET	53	49958	8.8.8.8	192.168.2.7
Feb 4, 2021 18:14:49.289901972 CET	50860	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:14:49.338582993 CET	53	50860	8.8.8.8	192.168.2.7
Feb 4, 2021 18:14:50.301928043 CET	50452	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:14:50.350686073 CET	53	50452	8.8.8.8	192.168.2.7
Feb 4, 2021 18:14:51.509994984 CET	59730	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:14:51.558554888 CET	53	59730	8.8.8.8	192.168.2.7
Feb 4, 2021 18:14:57.450450897 CET	59310	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:14:57.509541035 CET	53	59310	8.8.8.8	192.168.2.7
Feb 4, 2021 18:15:00.566364050 CET	51919	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:00.712729931 CET	53	51919	8.8.8.8	192.168.2.7
Feb 4, 2021 18:15:03.282396078 CET	64296	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:03.331404924 CET	53	64296	8.8.8.8	192.168.2.7
Feb 4, 2021 18:15:10.022700071 CET	56680	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:10.077686071 CET	53	56680	8.8.8.8	192.168.2.7
Feb 4, 2021 18:15:10.653950930 CET	58820	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:10.705220938 CET	53	58820	8.8.8.8	192.168.2.7
Feb 4, 2021 18:15:11.163007021 CET	56680	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:11.210212946 CET	53	56680	8.8.8.8	192.168.2.7
Feb 4, 2021 18:15:11.805285931 CET	58820	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:11.854024887 CET	53	58820	8.8.8.8	192.168.2.7
Feb 4, 2021 18:15:12.175951958 CET	56680	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:12.223942041 CET	53	56680	8.8.8.8	192.168.2.7
Feb 4, 2021 18:15:12.817312002 CET	58820	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:12.866039991 CET	53	58820	8.8.8.8	192.168.2.7
Feb 4, 2021 18:15:14.192688942 CET	56680	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:14.238409042 CET	53	56680	8.8.8.8	192.168.2.7
Feb 4, 2021 18:15:14.832636118 CET	58820	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:14.881417036 CET	53	58820	8.8.8.8	192.168.2.7
Feb 4, 2021 18:15:15.941134930 CET	60983	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:16.986906052 CET	60983	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:17.041475058 CET	53	60983	8.8.8.8	192.168.2.7
Feb 4, 2021 18:15:18.207521915 CET	56680	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:18.261619091 CET	53	56680	8.8.8.8	192.168.2.7
Feb 4, 2021 18:15:18.849416971 CET	58820	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:23.226249933 CET	49247	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:23.280219078 CET	53	49247	8.8.8.8	192.168.2.7
Feb 4, 2021 18:15:25.162033081 CET	52286	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:25.167565107 CET	56064	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:25.213680029 CET	53	56064	8.8.8.8	192.168.2.7
Feb 4, 2021 18:15:25.216362000 CET	53	52286	8.8.8.8	192.168.2.7
Feb 4, 2021 18:15:25.635482073 CET	63744	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:25.691859961 CET	53	63744	8.8.8.8	192.168.2.7
Feb 4, 2021 18:15:26.193938971 CET	61457	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:26.243808031 CET	53	61457	8.8.8.8	192.168.2.7
Feb 4, 2021 18:15:26.659924030 CET	58367	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:26.714518070 CET	53	58367	8.8.8.8	192.168.2.7
Feb 4, 2021 18:15:27.263928890 CET	60599	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:27.323323011 CET	53	60599	8.8.8.8	192.168.2.7
Feb 4, 2021 18:15:27.818166018 CET	59571	53	192.168.2.7	8.8.8.8
Feb 4, 2021 18:15:27.864171028 CET	53	59571	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 4, 2021 18:14:41.074177980 CET	192.168.2.7	8.8.8.8	0x1aaf	Standard query (0)	thebig-prizebox4.life	A (IP address)	IN (0x0001)
Feb 4, 2021 18:14:57.450450897 CET	192.168.2.7	8.8.8.8	0x2f51	Standard query (0)	favicon.ico	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 4, 2021 18:14:41.133960962 CET	8.8.8.8	192.168.2.7	0x1aaf	No error (0)	thebig-prizebox4.life		5.188.178.85	A (IP address)	IN (0x0001)
Feb 4, 2021 18:14:57.509541035 CET	8.8.8.8	192.168.2.7	0x2f51	Name error (3)	favicon.ico	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

thebig-prizebox4.life

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49716	5.188.178.85	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 4, 2021 18:14:41.197417974 CET	77	OUT	GET / HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: thebig-prizebox4.life Connection: Keep-Alive
Feb 4, 2021 18:14:41.249147892 CET	78	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Thu, 04 Feb 2021 17:14:41 GMT Content-Type: text/html Content-Length: 178 Connection: keep-alive Location: https://thebig-prizebox4.life/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 4, 2021 18:14:41.372864008 CET	5.188.178.85	443	192.168.2.7	49719	CN=thebig-prizebox4.life CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Sat Jan 09 15:28:16 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Fri Apr 09 16:28:16 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 4, 2021 18:14:41.372864008 CET	5.188.178.85	443	192.168.2.7	49719	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		9e10692f1b7f78228b2d4e424db3a98c
Feb 4, 2021 18:14:41.798712969 CET	5.188.178.85	443	192.168.2.7	49720	CN=thebig-prizebox4.life CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Sat Jan 09 15:28:16 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Fri Apr 09 16:28:16 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 4, 2021 18:14:41.798712969 CET	5.188.178.85	443	192.168.2.7	49720	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 6060 Parent PID: 792

General

Start time:	18:14:39
Start date:	04/02/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff72ef40000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: iexplore.exe PID: 5392 Parent PID: 6060

General

Start time:	18:14:39
Start date:	04/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6060 CREDAT:17410 /prefetch:2
Imagebase:	0x11f0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report http://thebig-prizebox4.life

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Networking:

System Summary:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 6060 Parent PID: 792

General

Chronological Activities

Analysis Process: iexplore.exe PID: 5392 Parent PID: 6060

General

Chronological Activities

Disassembly