Play interactive tour

Edit tour

Analysis Report https://epgv01.fr/wp-admin/httpsaduaneiro.portaldasfinancas.gov.ptjspmain.jsp/

Overview

General Information

Sample URL:	https://epgv01.fr/wp-admin/httpsaduaneiro.portaldasfinancas.gov.ptjspmain.jsp/
Analysis ID:	356843
Infos:
Most interesting Screenshot:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

Startup

System is w10x64

iexplore.exe (PID: 6424 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6476 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6424 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 109.234.161.192:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 109.234.161.192:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 109.234.161.192:443 -> 192.168.2.4:49741 version: TLS 1.2

Networking:

Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x28982a12,0x01d70a03</date><accdate>0x28982a12,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x28982a12,0x01d70a03</date><accdate>0x28982a12,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x289ceead,0x01d70a03</date><accdate>0x289ceead,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x289ceead,0x01d70a03</date><accdate>0x289f50f1,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x289f50f1,0x01d70a03</date><accdate>0x289f50f1,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x289f50f1,0x01d70a03</date><accdate>0x289f50f1,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: epgv01.fr

Source: msapplication.xml.1.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr	String found in binary or memory: http://www.youtube.com/
Source: ~DFD8333937E8295EA3.TMP.1.dr	String found in binary or memory: https://epgv01.fr/wp-admin/httpsaduaneiro.portaldasfinancas.gov.ptjspmain.jsp/
Source: {531088F2-75F6-11EB-90EB-ECF4BBEA1588}.dat.1.dr	String found in binary or memory: https://epgv01.fr/wp-admin/httpsaduaneiro.portaldasfinancas.gov.ptjspmain.jsp/Root

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728

Source: unknown	HTTPS traffic detected: 109.234.161.192:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 109.234.161.192:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 109.234.161.192:443 -> 192.168.2.4:49741 version: TLS 1.2

System Summary:

Source: classification engine

Classification label: clean0.win@3/15@2/1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{531088F0-75F6-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFE292AC63EA7454AC.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6424 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6424 CREDAT:17410 /prefetch:2

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://epgv01.fr/wp-admin/httpsaduaneiro.portaldasfinancas.gov.ptjspmain.jsp/	1%	Virustotal		Browse
https://epgv01.fr/wp-admin/httpsaduaneiro.portaldasfinancas.gov.ptjspmain.jsp/	0%	Avira URL Cloud	safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
epgv01.fr	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
https://epgv01.fr/wp-admin/httpsaduaneiro.portaldasfinancas.gov.ptjspmain.jsp/Root	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
epgv01.fr	109.234.161.192	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://epgv01.fr/wp-admin/httpsaduaneiro.portaldasfinancas.gov.ptjspmain.jsp/	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.wikipedia.com/	msapplication.xml6.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.com/	msapplication.xml.1.dr	false		high
http://www.nytimes.com/	msapplication.xml3.1.dr	false		high
http://www.live.com/	msapplication.xml2.1.dr	false		high
https://epgv01.fr/wp-admin/httpsaduaneiro.portaldasfinancas.gov.ptjspmain.jsp/Root	{531088F2-75F6-11EB-90EB-ECF4BBEA1588}.dat.1.dr	false	Avira URL Cloud: safe	unknown
http://www.reddit.com/	msapplication.xml4.1.dr	false		high
http://www.twitter.com/	msapplication.xml5.1.dr	false		high
https://epgv01.fr/wp-admin/httpsaduaneiro.portaldasfinancas.gov.ptjspmain.jsp/	~DFD8333937E8295EA3.TMP.1.dr	false		unknown
http://www.youtube.com/	msapplication.xml7.1.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
109.234.161.192	unknown	France		50474	O2SWITCHFR	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356843
Start date:	23.02.2021
Start time:	17:43:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 59s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	browseurl.jbs
Sample URL:	https://epgv01.fr/wp-admin/httpsaduaneiro.portaldasfinancas.gov.ptjspmain.jsp/
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@3/15@2/1
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 23.211.6.115, 13.64.90.137, 40.88.32.150, 104.43.193.48, 88.221.62.148, 13.88.21.125, 51.132.208.181, 152.199.19.161, 52.155.217.156, 205.185.216.10, 205.185.216.42 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, ie9comview.vo.msecnd.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, skypedataprdcolcus15.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{531088F0-75F6-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	30296
Entropy (8bit):	1.8483043941529347
Encrypted:	false
SSDEEP:	192:r2Z5Z/2UW8tR8ifIRwqzMViBJ8DFsfrwTjX:ryvuDIRRIUgYY0
MD5:	E7BE37A117E1CC38A735C9B40FB9312E
SHA1:	494B3F6616CE51FE272D031FEA4ADFC2ACAA8A65
SHA-256:	A55FDCB87CDDB0F44817D6AED0F321F5E3A21A960962BE79AAFB70C106FD506F
SHA-512:	CAAC5D1B99CCF2FFB34DB118874B36C8BB6352483AC493743096DD79D1BD4DC17C80572C2CFBB8AE4B84ADB6F4184AC5B0CD8B0C0CA229F325FC1023718B130B
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{531088F2-75F6-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	24268
Entropy (8bit):	1.6478078325574737
Encrypted:	false
SSDEEP:	48:IwMGcpr9GwpaSEG4pQY2GrapbS/GQpBuh5GHHpcujuTGUp8uwGzYpmu8zGop71gI:rQZnQS06Y4BSpj12FWrMjV1PK1g
MD5:	C282BFA23DEF76924D5070C40D1345A1
SHA1:	EA2E8A22FF5A39D58DBA329137A87B62005E1CB6
SHA-256:	61AB2112168D5599CFA9E0ECE7780699DF53638344B93E973B0B4D34912F923D
SHA-512:	F7F389E9F4862E73BB4E9E149B83226CC850F36CB861A072276B0A2F85B2FAF756DC23CEE20D74613F8CEC2622B7ED92CDE497073AADF30E9594BCCB282AEBC2
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{531088F3-75F6-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.5632045984711684
Encrypted:	false
SSDEEP:	48:IwHGcpruGwpaBG4pQRGrapbSJGQpKxG7HpRiTGIpG:rtZGQT6hBSDAgT2A
MD5:	8DB6F7CB955A37B2BACBFF0EADE59FAF
SHA1:	7A0073C8D9B37B3046F8A18434D36DF9F5A2A79A
SHA-256:	19CB2400D895681E5607A2FF56B941C7DFD6D9B5E7EB75B9E242873EDD1D6271
SHA-512:	17276444A303F9906B0C295C1FB4FA7963DF37361A4744CFDA4791EE999ECDCD93734BDCAD366B628F9CC3956029864003C9FC3975F1E3BC9FED9DF7587F90A7
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.049403919161812
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEMIZHIZAnWimI002EtM3MHdNMNxOEMIZcHZAnWimI00OYGVbkEtMb:2d6NxOtiBSZHKd6NxOtn6SZ7YLb
MD5:	7027D6B02119353222FACD6FF7177883
SHA1:	B3C4F2DAF1B3A75CA02D5FA65B8228D218D3A0C5
SHA-256:	BE15AC6056B8D9DA2E10E785515F99882116481C0A519C2E1F2C011F344C013B
SHA-512:	BB16C8396BACF7D9A78BC3A3E3A183863A48D51DA32B6CD7FF13B49028760ADAFE411C2151FFD297F6C7CABBBBF94DC2043204C9DEBE8D21134C1CDEE1606944
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x289ceead,0x01d70a03</date><accdate>0x289ceead,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x289ceead,0x01d70a03</date><accdate>0x289f50f1,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.1033719307571355
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kLZKZAnWimI002EtM3MHdNMNxe2kLZKZAnWimI00OYGkak6EtMb:2d6NxrISZHKd6NxrISZ7Yza7b
MD5:	022C79552EC36A8576B2F366B0BC7831
SHA1:	F6DBB6761663D939B7414467C6E767D2ADDD7526
SHA-256:	C4ABE7EEA0EB1E58E25D6D6EDC028557DA130A0CE19CE2F29D7BF9674F070BFA
SHA-512:	AC2AED32D486ECC6EC62DDA21CE7C6C33CEBE55875857A61CD4E0D25CF4767AF049E4B8BFF46941F92CC6FAFB86317E0CFFFC96DB4BEB6E6E6B78D4ECEF765E0
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x2895c78c,0x01d70a03</date><accdate>0x2895c78c,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x2895c78c,0x01d70a03</date><accdate>0x2895c78c,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.092226738415402
Encrypted:	false
SSDEEP:	12:TMHdNMNxvL5HZcHZAnWimI002EtM3MHdNMNxvL5HZcHZAnWimI00OYGmZEtMb:2d6Nxv1+6SZHKd6Nxv1+6SZ7Yjb
MD5:	2251EA02CF14D21368FF9537165E2A1F
SHA1:	A40EC4F4A27028CCCAEAB53542EF653103EB57D4
SHA-256:	8B37171810B2814B82C19A2A64450DA591CE5AB33810EEB853CC9B66FA59493E
SHA-512:	FB32B9408866D9A07FE4E3D6CDAF54CD32B08502B5A8A2E278723B7DF6E5B29A2149F76154088056F7D7C3752462FAE9AA185F314A2D8A210A0CE821084B366D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x289f50f1,0x01d70a03</date><accdate>0x289f50f1,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x289f50f1,0x01d70a03</date><accdate>0x289f50f1,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.095890467940318
Encrypted:	false
SSDEEP:	12:TMHdNMNxiUIZvIZAnWimI002EtM3MHdNMNxiUIZvIZAnWimI00OYGd5EtMb:2d6Nx7KBSZHKd6Nx7KBSZ7YEjb
MD5:	A62488C983963E3FD6A2CD0ABD31E239
SHA1:	F473DBD30BEFE584339CD4C79CE2D58922AA4CF3
SHA-256:	3B97FF78BC32D333B14F5FE854A536ED7855BFB529B3EC4311DF4A38F94ABFF3
SHA-512:	9CE05DCCDA9C1C05892F02665D2A05DA7A0496F9D553E85A544F8C2A04C5A8E26153531C411D05F6D6B38B9A73C066470964C9E9C0E37538F257B214894A565C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x289a8c4d,0x01d70a03</date><accdate>0x289a8c4d,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x289a8c4d,0x01d70a03</date><accdate>0x289a8c4d,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.106901969583294
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGw5HZcHZAnWimI002EtM3MHdNMNxhGw5HZcHZAnWimI00OYG8K075Es:2d6NxQe+6SZHKd6NxQe+6SZ7YrKajb
MD5:	9E1C979AFC8A668B5DB1233536047511
SHA1:	069385EB03F2902E355CC344E4F24F089D3327E6
SHA-256:	B6835DE16E1094DE957EEE06F1EDEAB584BE2C2D919A10BE6513422EB55E0B4E
SHA-512:	F33C02019FEC2775BF2DF83127EB02F42AF102B4CEE2BA54392CE33C9B2216544F998954139834B6B2BC77C8907C03DD05169E85BF57AB1A075BA771A8B03528
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x289f50f1,0x01d70a03</date><accdate>0x289f50f1,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x289f50f1,0x01d70a03</date><accdate>0x289f50f1,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.038739919816462
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nMIZHIZAnWimI002EtM3MHdNMNx0nMIZHIZAnWimI00OYGxEtMb:2d6Nx0MiBSZHKd6Nx0MiBSZ7Ygb
MD5:	1EA13A70BB903D624665833BE2854190
SHA1:	9A1150F950CD08D43E5B3959E396037884C4AF91
SHA-256:	295CC4783F4D1DC06B3C29F4F60CF998A906771A766B7D14F327C7778099DDC2
SHA-512:	1C60EE1B1BA03392A81AC56EB1A720482BCFAD278A5128BB0676D59BCB957A2F440F4D6E6FB3004ACF798277B9F4E027F5AF8AF6DC469460232A87F72D49B347
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x289ceead,0x01d70a03</date><accdate>0x289ceead,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x289ceead,0x01d70a03</date><accdate>0x289ceead,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.0774212491394275
Encrypted:	false
SSDEEP:	12:TMHdNMNxxMIZHIZAnWimI002EtM3MHdNMNxxMIZHIZAnWimI00OYG6Kq5EtMb:2d6NxuiBSZHKd6NxuiBSZ7Yhb
MD5:	ACB62CD0BE8CD90FBD021CC4D90663DD
SHA1:	8C5790A2CB367A02FD23DDC2C9471C433B72AB4B
SHA-256:	1F0A52DF60311CDF0B938B2353BDA40BBE9A2328C90F3700133BB21CC7F646F4
SHA-512:	673A4A9D407D105B32CD3A17224244B31CCFA635895937B0F01C37149E4C0EC0039DB47902BC272B73C8466C74329D8E5A0BE7713C6FD909B57A9842A6C5FA29
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x289ceead,0x01d70a03</date><accdate>0x289ceead,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x289ceead,0x01d70a03</date><accdate>0x289ceead,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.098514016671162
Encrypted:	false
SSDEEP:	12:TMHdNMNxc9VFZAVFZAnWimI002EtM3MHdNMNxc9VFZAVFZAnWimI00OYGVEtMb:2d6Nx2VkVMSZHKd6Nx2VkVMSZ7Ykb
MD5:	FE2A69F8373902FF602FFA58A30458D1
SHA1:	826580F2AAEBD8D3276496147A60B44C32AE675C
SHA-256:	267A061125EA662645738D9769FFE25D88C4B67EE9F096E6D8A2014E14545CA0
SHA-512:	090CC635B4E1E0F4331B8A53B4DF40572BDEEA709DA25DD6964AFAD9D02C310C7471DD92A7AD27144B4EEDC42E3A2B3BD368CC0171AC132CFFF7B0F2D2EB1095
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x28982a12,0x01d70a03</date><accdate>0x28982a12,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x28982a12,0x01d70a03</date><accdate>0x28982a12,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.081357741651513
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnUIZvIZAnWimI002EtM3MHdNMNxfnUIZvIZAnWimI00OYGe5EtMb:2d6NxMKBSZHKd6NxMKBSZ7YLjb
MD5:	6270AEF6C971CB88D93821BDD6A0B808
SHA1:	AEC26B3B3ECD59A25B79C4363CC43C0D47B0AEC4
SHA-256:	B3420E161E152C046FC21B36605D8B366392BBB6CD32C53253E5579525379E50
SHA-512:	C8F9D008BA491CB835935F1FCA98D23CD7835C5717B224F86B4B26F6622011AEC02D1F7E7319F31366C7C0D348DB28DBF15629D2D5DA8376A21CB6054C93C06D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x289a8c4d,0x01d70a03</date><accdate>0x289a8c4d,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x289a8c4d,0x01d70a03</date><accdate>0x289a8c4d,0x01d70a03</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Temp\~DF722B4C1F5C78EE5C.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	25441
Entropy (8bit):	0.3942731521936163
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laAggsW5LZGI4:kBqoxxJhHWSVSEabki3
MD5:	67E760658E9B9F38AD580C20286DD59D
SHA1:	8228E3E5CD97F343746CC8C7676F7B13BA840753
SHA-256:	1401C43821DCB55B594213EF0CC40B94B561CEAF9A230101E54267054A652DD8
SHA-512:	96C66D27E54FDE421AAD332F197C1E5D434E87AACF9DFF9770F454F7E2B7ABCE084E3F5A5024DE1139770C0F97E5A0944EE232125FEC7A9B4426967F09A8973F
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD8333937E8295EA3.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	34461
Entropy (8bit):	0.3669297053833543
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+utuzuxuQu8Iu851g8JJFu7:kBqoxKAuvScS+c6gBqn1P2
MD5:	2D5EA381755685CABB8610F12CD5275D
SHA1:	F94160A71B80EC8A81811677FA521EA7A2A2BF41
SHA-256:	D78DA396F64319B891022F6EE2AC41ED25A5349448C3D9F5ADA65788550B56EE
SHA-512:	86162F6221BF7F6D2C406A3F5334AF263A347D614B6072153A647FF4A805E434F4EFC9271DCE6BE6206D3D959C135DE027C3E77C3808AE80F43D6FDD02E99475
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFE292AC63EA7454AC.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13029
Entropy (8bit):	0.4733130806026372
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loG9lo29lWEi4hZAn:kBqoIhnEi4HG
MD5:	6BFCC60A096A1D479E5D1E41E3A98AC5
SHA1:	3892C5149C858FAC04030B2CC3BCDA42FD2E1C92
SHA-256:	6CDA9AEE460AF11F96174A225D603CE0C9220EA130289E78C9FE358A787872A5
SHA-512:	F795C8E928071F30E5BEE680618372A54BF3D48FDD1A73B59241AE09FC03B5E3FA142E58A8D97DA9D139D251DBE2B7AA4362FAF9F903E80ADB889AA705AF3B21
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 17:44:01.774405003 CET	49728	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:01.774593115 CET	49729	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:01.840387106 CET	443	49728	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:01.840435982 CET	443	49729	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:01.840624094 CET	49728	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:01.843005896 CET	49729	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:01.847568035 CET	49728	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:01.850157022 CET	49729	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:01.913582087 CET	443	49728	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:01.916107893 CET	443	49729	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:01.917471886 CET	443	49728	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:01.917498112 CET	443	49728	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:01.917510986 CET	443	49728	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:01.917598963 CET	49728	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:01.917717934 CET	49728	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:01.918339014 CET	443	49729	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:01.918374062 CET	443	49729	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:01.918394089 CET	443	49729	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:01.918433905 CET	49729	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:01.918481112 CET	49729	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:01.957362890 CET	49729	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:01.963838100 CET	49729	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:01.964087963 CET	49729	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:01.964451075 CET	49728	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:01.964848042 CET	49728	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:02.023942947 CET	443	49729	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:02.023996115 CET	443	49729	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:02.024132013 CET	49729	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:02.026194096 CET	49729	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:02.029777050 CET	443	49729	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:02.029920101 CET	49729	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:02.030596972 CET	443	49728	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:02.030613899 CET	443	49728	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:02.030623913 CET	443	49728	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:02.031270981 CET	49728	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:02.031791925 CET	49728	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:02.035600901 CET	443	49729	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:02.035708904 CET	49729	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:02.132802010 CET	443	49729	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:02.137803078 CET	443	49728	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:19.300313950 CET	49741	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:19.366262913 CET	443	49741	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:19.366386890 CET	49741	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:19.369275093 CET	49741	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:19.435199022 CET	443	49741	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:19.437788963 CET	443	49741	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:19.437815905 CET	443	49741	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:19.437828064 CET	443	49741	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:19.437913895 CET	49741	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:19.451877117 CET	49741	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:19.518189907 CET	443	49741	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:19.518404961 CET	49741	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:19.521835089 CET	49741	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:19.593396902 CET	443	49741	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:19.593638897 CET	49741	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:29.593487978 CET	443	49741	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:29.593519926 CET	443	49741	109.234.161.192	192.168.2.4
Feb 23, 2021 17:44:29.593671083 CET	49741	443	192.168.2.4	109.234.161.192
Feb 23, 2021 17:44:29.593713999 CET	49741	443	192.168.2.4	109.234.161.192

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 17:43:52.137718916 CET	59123	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:43:52.188033104 CET	53	59123	8.8.8.8	192.168.2.4
Feb 23, 2021 17:43:53.249624014 CET	54531	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:43:53.315901041 CET	53	54531	8.8.8.8	192.168.2.4
Feb 23, 2021 17:43:53.396850109 CET	49714	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:43:53.446530104 CET	53	49714	8.8.8.8	192.168.2.4
Feb 23, 2021 17:43:54.600701094 CET	58028	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:43:54.649281979 CET	53	58028	8.8.8.8	192.168.2.4
Feb 23, 2021 17:43:55.827440977 CET	53097	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:43:55.880356073 CET	53	53097	8.8.8.8	192.168.2.4
Feb 23, 2021 17:43:56.857758999 CET	49257	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:43:56.906609058 CET	53	49257	8.8.8.8	192.168.2.4
Feb 23, 2021 17:43:57.748107910 CET	62389	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:43:57.799635887 CET	53	62389	8.8.8.8	192.168.2.4
Feb 23, 2021 17:43:58.977467060 CET	49910	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:43:59.036834002 CET	53	49910	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:00.417783022 CET	55854	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:00.479438066 CET	53	55854	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:00.653147936 CET	64549	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:00.704828978 CET	53	64549	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:01.703193903 CET	63153	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:01.760426044 CET	53	63153	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:01.882622004 CET	52991	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:01.931305885 CET	53	52991	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:03.107620001 CET	53700	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:03.163305044 CET	53	53700	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:04.066895008 CET	51726	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:04.118603945 CET	53	51726	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:05.380031109 CET	56794	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:05.428798914 CET	53	56794	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:06.195550919 CET	56534	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:06.252938032 CET	53	56534	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:07.176353931 CET	56627	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:07.227972031 CET	53	56627	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:08.168010950 CET	56621	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:08.218712091 CET	53	56621	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:09.571212053 CET	63116	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:09.619802952 CET	53	63116	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:10.530621052 CET	64078	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:10.592886925 CET	53	64078	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:11.657725096 CET	64801	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:11.706607103 CET	53	64801	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:12.886965990 CET	61721	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:12.935606956 CET	53	61721	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:19.199953079 CET	51255	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:19.296509981 CET	53	51255	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:23.076642990 CET	61522	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:23.130390882 CET	53	61522	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:30.594599962 CET	52337	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:30.646084070 CET	53	52337	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:31.101973057 CET	55046	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:31.162763119 CET	53	55046	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:31.643599987 CET	52337	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:31.695133924 CET	53	52337	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:32.115499020 CET	55046	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:32.165030956 CET	53	55046	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:32.649301052 CET	52337	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:32.700994968 CET	53	52337	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:33.115680933 CET	55046	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:33.173142910 CET	53	55046	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:34.662961006 CET	52337	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:34.714688063 CET	53	52337	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:35.288866997 CET	55046	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:35.337625027 CET	53	55046	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:38.678900003 CET	52337	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:38.741183043 CET	53	52337	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:39.303554058 CET	55046	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:39.353883982 CET	53	55046	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:41.767663956 CET	49612	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:41.838164091 CET	53	49612	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:42.423985004 CET	49285	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:42.486073017 CET	53	49285	8.8.8.8	192.168.2.4
Feb 23, 2021 17:44:46.745043993 CET	50601	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:44:46.793883085 CET	53	50601	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 17:44:01.703193903 CET	192.168.2.4	8.8.8.8	0x5143	Standard query (0)	epgv01.fr	A (IP address)	IN (0x0001)
Feb 23, 2021 17:44:19.199953079 CET	192.168.2.4	8.8.8.8	0x619	Standard query (0)	epgv01.fr	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 23, 2021 17:44:01.760426044 CET	8.8.8.8	192.168.2.4	0x5143	No error (0)	epgv01.fr		109.234.161.192	A (IP address)	IN (0x0001)
Feb 23, 2021 17:44:19.296509981 CET	8.8.8.8	192.168.2.4	0x619	No error (0)	epgv01.fr		109.234.161.192	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 23, 2021 17:44:01.917498112 CET	109.234.161.192	443	192.168.2.4	49728	CN=epgv01.fr CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Feb 10 12:38:44 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Tue May 11 13:38:44 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 23, 2021 17:44:01.917498112 CET	109.234.161.192	443	192.168.2.4	49728	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		9e10692f1b7f78228b2d4e424db3a98c
Feb 23, 2021 17:44:01.918374062 CET	109.234.161.192	443	192.168.2.4	49729	CN=epgv01.fr CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Feb 10 12:38:44 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Tue May 11 13:38:44 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 23, 2021 17:44:01.918374062 CET	109.234.161.192	443	192.168.2.4	49729	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		9e10692f1b7f78228b2d4e424db3a98c
Feb 23, 2021 17:44:19.437815905 CET	109.234.161.192	443	192.168.2.4	49741	CN=epgv01.fr CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Feb 10 12:38:44 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Tue May 11 13:38:44 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Feb 23, 2021 17:44:19.437815905 CET	109.234.161.192	443	192.168.2.4	49741	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 6424 Parent PID: 800

General

Start time:	17:43:58
Start date:	23/02/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff7f2610000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: iexplore.exe PID: 6476 Parent PID: 6424

General

Start time:	17:43:59
Start date:	23/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6424 CREDAT:17410 /prefetch:2
Imagebase:	0xf90000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report https://epgv01.fr/wp-admin/httpsaduaneiro.portaldasfinancas.gov.ptjspmain.jsp/

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Networking:

System Summary:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 6424 Parent PID: 800

General

Analysis Process: iexplore.exe PID: 6476 Parent PID: 6424

General

Disassembly