Play interactive tour

Edit tour

Analysis Report https://odqjhg.stripocdn.email/content/guids/CABINET_ddb0b6cc92f077b151adc89d56559a54/images/21611615813878104.png

Overview

General Information

Sample URL:	https://odqjhg.stripocdn.email/content/guids/CABINET_ddb0b6cc92f077b151adc89d56559a54/images/21611615813878104.png
Analysis ID:	385481
Infos:
Most interesting Screenshot:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

Startup

System is w10x64

iexplore.exe (PID: 5404 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6000 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5404 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: unknown	HTTPS traffic detected: 78.47.111.159:443 -> 192.168.2.6:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.111.159:443 -> 192.168.2.6:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.111.159:443 -> 192.168.2.6:49711 version: TLS 1.2

Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbbff10b0,0x01d72fea</date><accdate>0xbbff10b0,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbbff10b0,0x01d72fea</date><accdate>0xbbff10b0,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbc0637a5,0x01d72fea</date><accdate>0xbc0637a5,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbc0637a5,0x01d72fea</date><accdate>0xbc0637a5,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbc089a13,0x01d72fea</date><accdate>0xbc089a13,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbc089a13,0x01d72fea</date><accdate>0xbc089a13,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: odqjhg.stripocdn.email

Source: msapplication.xml.1.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr	String found in binary or memory: http://www.youtube.com/
Source: ~DF38E7AFB08A38990C.TMP.1.dr, {E634AF41-9BDD-11EB-90E5-ECF4BB2D2496}.dat.1.dr	String found in binary or memory: https://odqjhg.stripocdn.email/content/guids/CABINET_ddb0b6cc92f077b151adc89d56559a54/images/2161161

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: unknown	HTTPS traffic detected: 78.47.111.159:443 -> 192.168.2.6:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.111.159:443 -> 192.168.2.6:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.111.159:443 -> 192.168.2.6:49711 version: TLS 1.2

Source: classification engine

Classification label: clean0.win@3/16@3/1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E634AF3F-9BDD-11EB-90E5-ECF4BB2D2496}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF64FF2C782ED79278.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5404 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5404 CREDAT:17410 /prefetch:2

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://odqjhg.stripocdn.email/content/guids/CABINET_ddb0b6cc92f077b151adc89d56559a54/images/21611615813878104.png	0%	Virustotal		Browse
https://odqjhg.stripocdn.email/content/guids/CABINET_ddb0b6cc92f077b151adc89d56559a54/images/21611615813878104.png	0%	Avira URL Cloud	safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
clientconfig.passport.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://odqjhg.stripocdn.email/content/guids/CABINET_ddb0b6cc92f077b151adc89d56559a54/images/21611615813878104.png	0%	Virustotal		Browse
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
https://odqjhg.stripocdn.email/content/guids/CABINET_ddb0b6cc92f077b151adc89d56559a54/images/2161161	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
odqjhg.stripocdn.email	78.47.111.159	true	false		unknown
clientconfig.passport.net	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://odqjhg.stripocdn.email/content/guids/CABINET_ddb0b6cc92f077b151adc89d56559a54/images/21611615813878104.png	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.wikipedia.com/	msapplication.xml6.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.com/	msapplication.xml.1.dr	false		high
http://www.nytimes.com/	msapplication.xml3.1.dr	false		high
https://odqjhg.stripocdn.email/content/guids/CABINET_ddb0b6cc92f077b151adc89d56559a54/images/2161161	~DF38E7AFB08A38990C.TMP.1.dr, {E634AF41-9BDD-11EB-90E5-ECF4BB2D2496}.dat.1.dr	false	Avira URL Cloud: safe	unknown
http://www.live.com/	msapplication.xml2.1.dr	false		high
http://www.reddit.com/	msapplication.xml4.1.dr	false		high
http://www.twitter.com/	msapplication.xml5.1.dr	false		high
http://www.youtube.com/	msapplication.xml7.1.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
78.47.111.159	odqjhg.stripocdn.email	Germany		24940	HETZNER-ASDE	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385481
Start date:	12.04.2021
Start time:	15:24:05
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 0s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	browseurl.jbs
Sample URL:	https://odqjhg.stripocdn.email/content/guids/CABINET_ddb0b6cc92f077b151adc89d56559a54/images/21611615813878104.png
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@3/16@3/1
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 104.42.151.234, 88.221.62.148, 52.255.188.83, 13.107.4.50, 52.147.198.201, 20.82.209.183, 92.123.150.225, 152.199.19.161, 92.122.213.247, 92.122.213.194, 104.43.193.48, 2.20.142.209, 2.20.142.210, 52.155.217.156 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, 2-01-3cf7-0009.cdx.cedexis.net, store-images.s-microsoft.com-c.edgekey.net, b1ns.c-0001.c-msedge.net, wu-fg-shim.trafficmanager.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, e13551.dscg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, msagfx.live.com-6.edgekey.net, authgfx.msa.akadns6.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, b1ns.au-msedge.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, ie9comview.vo.msecnd.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, c-0001.c-msedge.net, ctldl.windowsupdate.com, download.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E634AF3F-9BDD-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	30296
Entropy (8bit):	1.8549729598748326
Encrypted:	false
SSDEEP:	192:r0ZXZki2k9WkItkcfkzhMkOhkOykO5fkOTcX:rkpkBkUkskikekOhkOykOJkO8
MD5:	D8BA261EAF6C5EA140B09131B53022B4
SHA1:	DC2F4E80E360B6E531CB0D4036AAE511442AE2E3
SHA-256:	FE9AC079AF591696E4DCCE50BB3C6AE68A818E13CE5BD359E950F54DF1F4CFE1
SHA-512:	E66A1DC6BA01243082B682C8EC63F3F493718006A2126240E514414E4ED4B7FDD6D77477D48CDAAC3F2FCBE24C944A340033848435DB3B7AAEA3E18631B4F049
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E634AF41-9BDD-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	24340
Entropy (8bit):	1.664027203920614
Encrypted:	false
SSDEEP:	48:IwGGcprTGwpaqG4pQmGrapbSXGQpBaDGHHpciTGUp8UGzYpmLtGopz1B1A/kTMqa:raZNQK6oBShjp2SWQMTH8/C9g
MD5:	D81752B7EA08D560B24FD1344EA305E0
SHA1:	55AE1B9BD8270DF1203B844C09EB4E10CE376B82
SHA-256:	E0012015BAF8DA68A81E167E34F2B5B90CF06C053EEDDD0C79DB5EA926E83446
SHA-512:	CCFA2954D51B2AC4A8B6840A260A8CF7BEFE34AB0C7B7D734C1CD99048012717F66621DC7D2872689949FBCE076E60E6AF1F0A77A032DA2C9224ECB240C9EBC0
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E634AF42-9BDD-11EB-90E5-ECF4BB2D2496}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.5659271669300248
Encrypted:	false
SSDEEP:	48:Iw7GcprGGwpanG4pQrGrapbSdGQpKrG7HpRQTGIpG:rhZeQJ6fBSnAqTEA
MD5:	4A5AF7FDB07542D92F88877D079F8453
SHA1:	B3FE0D4C6E5E72FA2CA3B53564A2D6C05F635E8D
SHA-256:	AE529C68EAB245195EBACB877AEE576C75028D736FA208F75C0C0825781F7131
SHA-512:	A0E46747D5BF8BEEEC1071C77DC5C4AE583AA6D4BFE2BBF554798EA1944129DF600D2B9FCC2D5668F59D7FA7DCFAC63196F1BA7A629FB23E27CC1C9FFED0EE9F
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.056586421237749
Encrypted:	false
SSDEEP:	12:TMHdNMNxOE+AXNnWimI002EtM3MHdNMNxOE+AXNnWimI00OVbVbkEtMb:2d6NxOVAXNSZHKd6NxOVAXNSZ7V6b
MD5:	85295BCE480E88970AEEAB7B50F10F7B
SHA1:	DA833FC4BFFD2C94F78BCDB17A7681468A1F8969
SHA-256:	99DFD5DDE2FA2277FA96FAF3E4EB10ACF00E5C43623BB19F008AC778969D3BC8
SHA-512:	0DE15567F886060948CF1081F75FD7351495BE6CC37D23C3825229F0C7D61CE6600D861040268C359D4761C83A7FA5A6E17FB335F743FE7C2C33E1C88A3FC8DF
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbc0637a5,0x01d72fea</date><accdate>0xbc0637a5,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbc0637a5,0x01d72fea</date><accdate>0xbc0637a5,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.087484700607707
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kpNnWimI002EtM3MHdNMNxe2kPyNnWimI00OVbkak6EtMb:2d6NxrQNSZHKd6NxrsyNSZ7VAa7b
MD5:	A1D9910FCAAFFB0E8B8391E5425EE782
SHA1:	A21BD8A4BDCA7057A8D884B0A005E57B89BBE111
SHA-256:	46FAD45F0EC6F1465A54B3D65AE90385D1A3DC72CE64EEF64E9B3C59ED43F49F
SHA-512:	A6EEABCF06458D2DDE04E6408879038E1B44B876299FBA2599C110DDD2A7488FEE74463DC6B3F3F7D0731FED2E43A5FC6485EE90A6D7BD160AFC7A936C5E5FA0
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xbbf7e94a,0x01d72fea</date><accdate>0xbbf7e94a,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xbbf7e94a,0x01d72fea</date><accdate>0xbbfa4ba1,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	665
Entropy (8bit):	5.071360628379661
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLPs+NnWimI002EtM3MHdNMNxvLPs+NnWimI00OVbmZEtMb:2d6NxvnNSZHKd6NxvnNSZ7Vmb
MD5:	926B2AC43C62CA26C47D9EFED1049D2C
SHA1:	70A8574700E919943AC32BEBFD0404C6FA74615F
SHA-256:	A2ED0EFAC816440518B518ECB88DDB0FEEC15E7F7F99E0EB54EFF774DA11604C
SHA-512:	C960755250A2C144237D5E1256E3D08FC3B9036EE8C2FC5BEDB6FBD9C4088589ABBA4F5058AD20CD8BDED9B0718A84023A5FCB6C3A02320D5EC118E4E276D755
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xbc089a13,0x01d72fea</date><accdate>0xbc089a13,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xbc089a13,0x01d72fea</date><accdate>0xbc089a13,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	650
Entropy (8bit):	5.054793538390455
Encrypted:	false
SSDEEP:	12:TMHdNMNxib1jNnWimI002EtM3MHdNMNxib1jNnWimI00OVbd5EtMb:2d6Nx81jNSZHKd6Nx81jNSZ7VJjb
MD5:	C9A2A88518E10407453BDBC64A9F5B6B
SHA1:	A3BE6656C36C47F2C2FFA4F3C992374251147868
SHA-256:	91D9E3F42C1963BA26977587C18B3827798E92E088A57368D3706ECCB7E93A77
SHA-512:	18892C8AC1BCFAC7192BC97484D28CC08526FCCB2AFBA377BAB62D6335D476310A2016B608703226674633B637D43C75D24F7BA5EBFEC47BFA48CD6D140DF738
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xbc03d55d,0x01d72fea</date><accdate>0xbc03d55d,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xbc03d55d,0x01d72fea</date><accdate>0xbc03d55d,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.083598802884951
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwPs+NnWimI002EtM3MHdNMNxhGwPs+NnWimI00OVb8K075EtMb:2d6NxQGNSZHKd6NxQGNSZ7VYKajb
MD5:	4C6912E2302A27412B443C868F5448A2
SHA1:	F4500B5D0087986F6A6FA699493DCEFE922521E1
SHA-256:	6D201C3E9B48A8149D391070D502999CEAB9E90F0A5ADF9F04DF4D0DB7CC7745
SHA-512:	857B1850328454717DB2358F5D6579024EE186B4EDC602351AAC96F17286451F5C65598AA7C7A5B4602B435E6EF2277EF9648FA953E4F77F5BF15B2086B12730
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbc089a13,0x01d72fea</date><accdate>0xbc089a13,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbc089a13,0x01d72fea</date><accdate>0xbc089a13,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.038846913569034
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nb1jNnWimI002EtM3MHdNMNx0nb1jNnWimI00OVbxEtMb:2d6Nx0b1jNSZHKd6Nx0b1jNSZ7Vnb
MD5:	645AF71D370304A71A735C222D62B08A
SHA1:	7DF87154856AA103F25BB9D09D1F043989A567CB
SHA-256:	3F88186797D32436360E33320BA53EF81E0230C147F9138AC7D26D09F5E13947
SHA-512:	062046B0D9964FE01456AAFFA8AD723CF3E369800A745E54B9C24EDD15B546230F0E1B98847A6D4610639862249ADD47ABAADA5705BE067B2868D3C2467F7EDB
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xbc03d55d,0x01d72fea</date><accdate>0xbc03d55d,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xbc03d55d,0x01d72fea</date><accdate>0xbc03d55d,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.079753172336603
Encrypted:	false
SSDEEP:	12:TMHdNMNxxb1jNnWimI002EtM3MHdNMNxxb1jNnWimI00OVb6Kq5EtMb:2d6NxR1jNSZHKd6NxR1jNSZ7Vob
MD5:	0AFCF8C2561DB631DAB46DE79224B16D
SHA1:	E20CD1CF64ACE22667086E644482D069F11540E8
SHA-256:	FA14A5E8FFB7BB0735ED76F559B81AA2D8267CEBA661CE3BDFB17743EC158AA0
SHA-512:	964447C42A00021ABB0AE0A3211B2FE2F8C8675554DC1373744525A126C23606FFFEB505C37C31591EBEA996ADB2536DC5CB42B11549A3ED4B3FFE31D11D8B0D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xbc03d55d,0x01d72fea</date><accdate>0xbc03d55d,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xbc03d55d,0x01d72fea</date><accdate>0xbc03d55d,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.031312827755064
Encrypted:	false
SSDEEP:	12:TMHdNMNxcPSUNnWimI002EtM3MHdNMNxcPSUNnWimI00OVbVEtMb:2d6NxeSUNSZHKd6NxeSUNSZ7VDb
MD5:	2EED365022775FA9C3A4EFBFADB94D60
SHA1:	09D17C3FDF51410860A584BC8D97E683AECBC825
SHA-256:	6685F0784E07EC2830BA251F3E112A23ADBE66A1DAF9A3BCAF0AC7B4C16A39C1
SHA-512:	DF5873897B112EC9D67C37C4813E16A5598648B2DD0E4A99C651A68244F4FB7345E398F96EEAC0608AC7DC9D3C6BD3EE2BF2E31C6B948B64CCBBDC5A3E069866
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbbff10b0,0x01d72fea</date><accdate>0xbbff10b0,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbbff10b0,0x01d72fea</date><accdate>0xbbff10b0,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.021217768574304
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnPSUNnWimI002EtM3MHdNMNxfnPSUNnWimI00OVbe5EtMb:2d6Nx3SUNSZHKd6Nx3SUNSZ7Vijb
MD5:	168229EC3A12DA324746EF16C92F2A6C
SHA1:	294C00A30632E45C6BF92355278C0F184CFFB908
SHA-256:	CE64EF6295A725440E1B6B96B0EE807A35357339CF16B9DE20B1A79F8CE2C08E
SHA-512:	BF9EFB05C34776BD8F9CAE1E69AE64B387E48ECBB15F8FE2210C5B530FA42210B06E5026975DEB32E33E1180DEC36AE81B70E94BCDDCF9BD2A1A3551E41AB5A3
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xbbff10b0,0x01d72fea</date><accdate>0xbbff10b0,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xbbff10b0,0x01d72fea</date><accdate>0xbbff10b0,0x01d72fea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\21611615813878104[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 200 x 200, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	9134
Entropy (8bit):	7.860063573887969
Encrypted:	false
SSDEEP:	192:AwVt/bjZ+jbtExqbYFJ/1yXIYlBfq02Cn7uXXMLmVzqx/+MMLzqnfDGGGGGGGGGI:AwVtvOtW1ybBfq02KqsNpn2efDGGGGGo
MD5:	5019EEAB7AC82A27C0173C27D2969BF9
SHA1:	D89252A3B6B5C7A5E92C3FCE769F3041D7CDCEE5
SHA-256:	8AECBD9A54EEE896A6D72DEFA4AE8EB4097C314B3EA254801E49388DD7CDE7D3
SHA-512:	4F2B258B196EB4BCF2D051E35F41BEC2286FC84BD370165E75C5E18CBE5E1297604BE9A6235958B36D77E35985231A9BC95623C5AC763DAA06F8C092A310C180
Malicious:	false
Reputation:	low
IE Cache URL:	https://odqjhg.stripocdn.email/content/guids/CABINET_ddb0b6cc92f077b151adc89d56559a54/images/21611615813878104.png
Preview:	.PNG........IHDR..............X....#uIDATx^........=.E.E$.."(.3..D.d..J0.d.@....`BA...(..Q...i.w.....[.{..N.t..Yk/...5...n>._g..\|.:'...t?.._..l...HTM.~..."j(.~..."j(.~..."j(.~..."j(.~..."j(.~..."j(.~..."j(.~..."j(.~..."j(.~..."j(.~..."j(.~.Um.......R.K...U.Tx.....R...U.....w.....UW...R\...........:..z.S..9q.yT[.;.y...._;D....\.B=..s.u......~.1.......q.{9.p.`.....Z..s.;........qC...9..K.{<..c..P...g._w+J...j...A74<t..=6W%^x.......3.....z0xP.G...=.PE'MV.a78...z.0SlN^..gUt.T...&...<.,.<:q..?..J,_...HO>...':..q.=~..!.c.3.,C.....Q..8....e.b..?.XE.LsL.........).9.7.....9.=.....a..a.....[K..mU..\t1=.r.h.\|}.J..5+..]...i..q..u..D7=r.H.\|..\.{.."zp...&.....#Tr....?P.e.Ut.x2]o.yTYx..].R...?S...Ur.n6....A.3..1.K..gq./.....0..~....J}..]..~YxqT"..-P.m;Tj.....J..P%..o&.\|<...=...E..U.Q.......mU..d.......m..YV..7*..E..o.W...o...}........7`.D.CK....e..^%7mQ..3U.......S...T..oU..T..i.9.....24.G..g..b....8..G. ..q.3?....Q...Ur.....J..R..eN.r...{.YE.6.g8..9.=...

C:\Users\user\AppData\Local\Temp\~DF38E7AFB08A38990C.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	34533
Entropy (8bit):	0.3805906892788415
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwLF9lwati9l2v9l2v9K:kBqoxKAuvScS+CaJuHLILB1B1A/kTMq1
MD5:	C3E09AFD59EDBA23601994C42C855692
SHA1:	B7B1D5C447B6FC169D35B194FF78384225EE85C7
SHA-256:	F1D9D48C3D20D12833CC87973484463915632FD55A650A5E0034BD3FC4C11205
SHA-512:	05A5F461F13EA9AB780775536B22E3E5144A91E778F2B2D3DFFEE83918FEF2968A6C597A9C18CDF9BFAD4047142E02B256E4F24B5938DCBC083121CAA4C9ABBC
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF64FF2C782ED79278.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13029
Entropy (8bit):	0.48025049839471284
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loozL9loozL9lWoz8X4xAbWx6oM:kBqoIkskyk2i8w6oM
MD5:	28A9C4FAFA9951115C8435A4452915D8
SHA1:	41841D3EF27AC940E416EB408D96B1CC43178F8D
SHA-256:	D3E68ABA39E6289B113CB0128F014C89B700A55081B3557EA84E8E0BF9795B76
SHA-512:	D81AA739104E3387340BCA10511FD4B90D981651C6364779BACBAB6A2365FF9C7C1E0FE484B39C1479E734AA88919A35886F76084E4D1B19F1B4855A786BD97A
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF95CDE5FC1CCC1F56.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	25441
Entropy (8bit):	0.27918767598683664
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laA:kBqoxxJhHWSVSEab
MD5:	AB889A32AB9ACD33E816C2422337C69A
SHA1:	1190C6B34DED2D295827C2A88310D10A8B90B59B
SHA-256:	4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA
SHA-512:	BD250855747BB4CEC61814D0E44F810156D390E3E9F120A12935EFDF80ACA33C4777AD66257CCA4E4003FEF0741692894980B9298F01C4CDD2D8A9C7BB522FB6
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
04/12/21-15:24:54.260594	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/12/21-15:24:54.297503	ICMP	449	ICMP Time-To-Live Exceeded in Transit	84.17.52.126	192.168.2.6
04/12/21-15:24:54.302989	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/12/21-15:24:54.338072	ICMP	449	ICMP Time-To-Live Exceeded in Transit	5.56.20.161	192.168.2.6
04/12/21-15:24:54.338511	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/12/21-15:24:54.373966	ICMP	449	ICMP Time-To-Live Exceeded in Transit	91.206.52.152	192.168.2.6
04/12/21-15:24:54.374363	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/12/21-15:24:58.249473	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/12/21-15:25:02.249153	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/12/21-15:25:06.249640	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/12/21-15:25:10.751476	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/12/21-15:25:14.750463	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/12/21-15:25:18.750780	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/12/21-15:25:22.751353	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/12/21-15:25:26.751648	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/12/21-15:25:30.775605	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/12/21-15:25:34.752698	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/12/21-15:25:38.752124	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 15:24:54.219543934 CEST	49704	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.219549894 CEST	49703	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.291520119 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.291831970 CEST	49704	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.294608116 CEST	443	49703	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.294718981 CEST	49703	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.300086021 CEST	49704	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.301366091 CEST	49703	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.372143984 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.372230053 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.372291088 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.372356892 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.372355938 CEST	49704	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.372396946 CEST	49704	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.372414112 CEST	49704	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.372414112 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.372463942 CEST	49704	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.373176098 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.373236895 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.373270035 CEST	49704	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.373302937 CEST	49704	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.373997927 CEST	443	49703	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.374449968 CEST	443	49703	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.374504089 CEST	443	49703	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.374538898 CEST	443	49703	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.374543905 CEST	49703	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.374567032 CEST	49703	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.374568939 CEST	443	49703	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.374619961 CEST	49703	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.375905037 CEST	443	49703	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.375938892 CEST	443	49703	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.376065016 CEST	49703	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.376106977 CEST	49703	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.426146030 CEST	49704	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.426248074 CEST	49703	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.433418036 CEST	49704	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.433656931 CEST	49704	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.434040070 CEST	49703	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.502368927 CEST	443	49703	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.502418041 CEST	443	49703	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.502566099 CEST	49703	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.503736973 CEST	49703	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.509402037 CEST	443	49703	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.509608030 CEST	49703	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.526181936 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.526237965 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.526627064 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.526664972 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.526694059 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.526721001 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.526745081 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.526768923 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.526792049 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.526822090 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.526843071 CEST	49704	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.526902914 CEST	49704	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.526953936 CEST	49704	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.527872086 CEST	49704	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.622685909 CEST	443	49703	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.644092083 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.811476946 CEST	49704	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:24:54.882560968 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.885437965 CEST	443	49704	78.47.111.159	192.168.2.6
Apr 12, 2021 15:24:54.885590076 CEST	49704	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:25:12.031239033 CEST	49711	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:25:12.104378939 CEST	443	49711	78.47.111.159	192.168.2.6
Apr 12, 2021 15:25:12.104584932 CEST	49711	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:25:12.112149954 CEST	49711	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:25:12.185089111 CEST	443	49711	78.47.111.159	192.168.2.6
Apr 12, 2021 15:25:12.185123920 CEST	443	49711	78.47.111.159	192.168.2.6
Apr 12, 2021 15:25:12.185142994 CEST	443	49711	78.47.111.159	192.168.2.6
Apr 12, 2021 15:25:12.185158968 CEST	443	49711	78.47.111.159	192.168.2.6
Apr 12, 2021 15:25:12.185173035 CEST	443	49711	78.47.111.159	192.168.2.6
Apr 12, 2021 15:25:12.185293913 CEST	49711	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:25:12.185336113 CEST	49711	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:25:12.186816931 CEST	443	49711	78.47.111.159	192.168.2.6
Apr 12, 2021 15:25:12.186836958 CEST	443	49711	78.47.111.159	192.168.2.6
Apr 12, 2021 15:25:12.186985016 CEST	49711	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:25:12.228157043 CEST	49711	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:25:12.301342964 CEST	443	49711	78.47.111.159	192.168.2.6
Apr 12, 2021 15:25:12.301543951 CEST	49711	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:25:12.498387098 CEST	49711	443	192.168.2.6	78.47.111.159
Apr 12, 2021 15:25:12.613697052 CEST	443	49711	78.47.111.159	192.168.2.6
Apr 12, 2021 15:25:12.657264948 CEST	443	49711	78.47.111.159	192.168.2.6
Apr 12, 2021 15:25:12.657511950 CEST	49711	443	192.168.2.6	78.47.111.159

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 15:24:45.736588955 CEST	58377	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:24:45.795840979 CEST	53	58377	8.8.8.8	192.168.2.6
Apr 12, 2021 15:24:52.031934977 CEST	55074	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:24:52.081084967 CEST	53	55074	8.8.8.8	192.168.2.6
Apr 12, 2021 15:24:52.896624088 CEST	54513	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:24:52.957304955 CEST	53	54513	8.8.8.8	192.168.2.6
Apr 12, 2021 15:24:53.225832939 CEST	62044	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:24:53.282948017 CEST	53	62044	8.8.8.8	192.168.2.6
Apr 12, 2021 15:24:54.150809050 CEST	63791	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:24:54.189246893 CEST	64267	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:24:54.209623098 CEST	53	63791	8.8.8.8	192.168.2.6
Apr 12, 2021 15:24:54.243685007 CEST	49448	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:24:54.259696960 CEST	53	64267	8.8.8.8	192.168.2.6
Apr 12, 2021 15:24:54.292617083 CEST	53	49448	8.8.8.8	192.168.2.6
Apr 12, 2021 15:24:55.210688114 CEST	60342	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:24:55.265562057 CEST	53	60342	8.8.8.8	192.168.2.6
Apr 12, 2021 15:24:57.177197933 CEST	61346	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:24:57.226172924 CEST	53	61346	8.8.8.8	192.168.2.6
Apr 12, 2021 15:24:58.039995909 CEST	51774	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:24:58.088700056 CEST	53	51774	8.8.8.8	192.168.2.6
Apr 12, 2021 15:24:58.969584942 CEST	56023	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:24:59.026729107 CEST	53	56023	8.8.8.8	192.168.2.6
Apr 12, 2021 15:24:59.821578026 CEST	58384	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:24:59.873086929 CEST	53	58384	8.8.8.8	192.168.2.6
Apr 12, 2021 15:25:11.965707064 CEST	60261	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:25:12.027753115 CEST	53	60261	8.8.8.8	192.168.2.6
Apr 12, 2021 15:25:13.080965996 CEST	56061	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:25:13.129590034 CEST	53	56061	8.8.8.8	192.168.2.6
Apr 12, 2021 15:25:20.632241964 CEST	58336	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:25:20.695504904 CEST	53	58336	8.8.8.8	192.168.2.6
Apr 12, 2021 15:25:20.761161089 CEST	53781	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:25:20.809804916 CEST	53	53781	8.8.8.8	192.168.2.6
Apr 12, 2021 15:25:20.924654961 CEST	54064	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:25:20.984225035 CEST	53	54064	8.8.8.8	192.168.2.6
Apr 12, 2021 15:25:22.906380892 CEST	52811	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:25:22.969477892 CEST	53	52811	8.8.8.8	192.168.2.6
Apr 12, 2021 15:25:23.801974058 CEST	55299	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:25:23.853641987 CEST	53	55299	8.8.8.8	192.168.2.6
Apr 12, 2021 15:25:23.908456087 CEST	52811	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:25:23.969579935 CEST	53	52811	8.8.8.8	192.168.2.6
Apr 12, 2021 15:25:24.813292027 CEST	55299	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:25:24.873336077 CEST	53	55299	8.8.8.8	192.168.2.6
Apr 12, 2021 15:25:24.947293997 CEST	52811	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:25:25.008708000 CEST	53	52811	8.8.8.8	192.168.2.6
Apr 12, 2021 15:25:25.828905106 CEST	55299	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:25:25.880558968 CEST	53	55299	8.8.8.8	192.168.2.6
Apr 12, 2021 15:25:26.954565048 CEST	52811	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:25:27.006006002 CEST	53	52811	8.8.8.8	192.168.2.6
Apr 12, 2021 15:25:27.844811916 CEST	55299	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:25:27.896354914 CEST	53	55299	8.8.8.8	192.168.2.6
Apr 12, 2021 15:25:29.106684923 CEST	63745	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:25:29.165714979 CEST	53	63745	8.8.8.8	192.168.2.6
Apr 12, 2021 15:25:30.969933033 CEST	52811	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:25:31.029943943 CEST	53	52811	8.8.8.8	192.168.2.6
Apr 12, 2021 15:25:31.910943985 CEST	55299	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:25:31.967730045 CEST	53	55299	8.8.8.8	192.168.2.6
Apr 12, 2021 15:25:36.014111042 CEST	50055	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:25:36.062761068 CEST	53	50055	8.8.8.8	192.168.2.6
Apr 12, 2021 15:25:39.744132042 CEST	61374	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:25:39.802067995 CEST	53	61374	8.8.8.8	192.168.2.6
Apr 12, 2021 15:25:40.602191925 CEST	50339	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:25:40.659502029 CEST	53	50339	8.8.8.8	192.168.2.6
Apr 12, 2021 15:25:41.193212986 CEST	63307	53	192.168.2.6	8.8.8.8
Apr 12, 2021 15:25:41.250354052 CEST	53	63307	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 15:24:54.150809050 CEST	192.168.2.6	8.8.8.8	0xf848	Standard query (0)	odqjhg.stripocdn.email	A (IP address)	IN (0x0001)
Apr 12, 2021 15:25:11.965707064 CEST	192.168.2.6	8.8.8.8	0xaa47	Standard query (0)	odqjhg.stripocdn.email	A (IP address)	IN (0x0001)
Apr 12, 2021 15:25:20.924654961 CEST	192.168.2.6	8.8.8.8	0xfa67	Standard query (0)	clientconfig.passport.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 15:24:54.209623098 CEST	8.8.8.8	192.168.2.6	0xf848	No error (0)	odqjhg.stripocdn.email		78.47.111.159	A (IP address)	IN (0x0001)
Apr 12, 2021 15:25:12.027753115 CEST	8.8.8.8	192.168.2.6	0xaa47	No error (0)	odqjhg.stripocdn.email		78.47.111.159	A (IP address)	IN (0x0001)
Apr 12, 2021 15:25:20.984225035 CEST	8.8.8.8	192.168.2.6	0xfa67	No error (0)	clientconfig.passport.net	authgfx.msa.akadns6.net		CNAME (Canonical name)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 12, 2021 15:24:54.373236895 CEST	78.47.111.159	443	192.168.2.6	49704	CN=*.stripocdn.email CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon Nov 30 01:00:00 CET 2020 Fri Nov 02 01:00:00 CET 2018 Tue Mar 12 01:00:00 CET 2019 Thu Jan 01 01:00:00 CET 2004	Fri Dec 10 00:59:59 CET 2021 Wed Jan 01 00:59:59 CET 2031 Mon Jan 01 00:59:59 CET 2029 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Fri Nov 02 01:00:00 CET 2018	Wed Jan 01 00:59:59 CET 2031
					CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Mar 12 01:00:00 CET 2019	Mon Jan 01 00:59:59 CET 2029
					CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029
Apr 12, 2021 15:24:54.375938892 CEST	78.47.111.159	443	192.168.2.6	49703	CN=*.stripocdn.email CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon Nov 30 01:00:00 CET 2020 Fri Nov 02 01:00:00 CET 2018 Tue Mar 12 01:00:00 CET 2019 Thu Jan 01 01:00:00 CET 2004	Fri Dec 10 00:59:59 CET 2021 Wed Jan 01 00:59:59 CET 2031 Mon Jan 01 00:59:59 CET 2029 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Fri Nov 02 01:00:00 CET 2018	Wed Jan 01 00:59:59 CET 2031
					CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Mar 12 01:00:00 CET 2019	Mon Jan 01 00:59:59 CET 2029
					CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029
Apr 12, 2021 15:25:12.186836958 CEST	78.47.111.159	443	192.168.2.6	49711	CN=*.stripocdn.email CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon Nov 30 01:00:00 CET 2020 Fri Nov 02 01:00:00 CET 2018 Tue Mar 12 01:00:00 CET 2019 Thu Jan 01 01:00:00 CET 2004	Fri Dec 10 00:59:59 CET 2021 Wed Jan 01 00:59:59 CET 2031 Mon Jan 01 00:59:59 CET 2029 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Fri Nov 02 01:00:00 CET 2018	Wed Jan 01 00:59:59 CET 2031
					CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Mar 12 01:00:00 CET 2019	Mon Jan 01 00:59:59 CET 2029
					CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 5404 Parent PID: 792

General

Start time:	15:24:52
Start date:	12/04/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff721e20000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: iexplore.exe PID: 6000 Parent PID: 5404

General

Start time:	15:24:53
Start date:	12/04/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5404 CREDAT:17410 /prefetch:2
Imagebase:	0x300000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report https://odqjhg.stripocdn.email/content/guids/CABINET_ddb0b6cc92f077b151adc89d56559a54/images/21611615813878104.png

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Networking:

System Summary:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 5404 Parent PID: 792

General

Analysis Process: iexplore.exe PID: 6000 Parent PID: 5404

General

Disassembly