Play interactive tour

Edit tour

Analysis Report _VM0_03064853.HtM

Overview

General Information

Sample Name:	_VM0_03064853.HtM
Analysis ID:	432925
MD5:	92e4da33dcd2719acc55db45b697e55a
SHA1:	eea5adf15a8d732ef1d588dd8008db60c234d95d
SHA256:	219829ff681bf8517b43528ebe319cbcd12905d41deae509c8a8c0bc5a613c2a
Infos:
Most interesting Screenshot:

Detection

Captcha Phish HTMLPhisher

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Phishing site detected (based on shot template match)

Yara detected Captcha Phish

Yara detected HtmlPhish44

Performs DNS queries to domains with low reputation

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Classification

Process Tree

System is w10x64

iexplore.exe (PID: 6320 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6380 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6320 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
_VM0_03064853.HtM	JoeSecurity_HtmlPhish_44	Yara detected HtmlPhish_44	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Phishing:

Phishing site detected (based on shot template match)

Show sources

Source: https://noname.vvtl-srv.xyz/main/

Matcher: Template: captcha matched

Yara detected Captcha Phish

Show sources

Source: Yara match

File source: 305090.pages.csv, type: HTML

Yara detected HtmlPhish44

Show sources

Source: Yara match

File source: _VM0_03064853.HtM, type: SAMPLE

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: unknown	HTTPS traffic detected: 23.94.52.94:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.94.52.94:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.5:49714 version: TLS 1.2

Networking:

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

DNS query: noname.vvtl-srv.xyz

Source: Joe Sandbox View

IP Address: 104.18.10.207 104.18.10.207

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x23245db3,0x01d75e8b</date><accdate>0x23245db3,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x23245db3,0x01d75e8b</date><accdate>0x23245db3,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: noname.vvtl-srv.xyz

Source: msapplication.xml.1.dr	String found in binary or memory: http://www.amazon.com/
Source: KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf.2.dr, KFOmCnqEu92Fr1Mu4mxP[1].ttf.2.dr, KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf.2.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: msapplication.xml1.1.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr	String found in binary or memory: http://www.youtube.com/
Source: recaptcha__en[1].js.2.dr	String found in binary or memory: https://developers.google.com/recaptcha/docs/faq#are-there-any-qps-or-daily-limits-on-my-use-of-reca
Source: recaptcha__en[1].js.2.dr	String found in binary or memory: https://developers.google.com/recaptcha/docs/faq#localhost_support
Source: recaptcha__en[1].js.2.dr	String found in binary or memory: https://developers.google.com/recaptcha/docs/faq#my-computer-or-network-may-be-sending-automated-que
Source: bootstrap.min[1].css.2.dr	String found in binary or memory: https://getbootstrap.com/)
Source: bootstrap.min[1].css.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: {4C644D00-CA7E-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: https://noname.vvtl-srs/Desktop/_VM0_03064853.HtMv.xyz/main/M0_03064853.HtMRoot
Source: ~DF1C90FA8CEB081D8F.TMP.1.dr, main[1].htm.2.dr	String found in binary or memory: https://noname.vvtl-srv.xyz/main/
Source: ~DF1C90FA8CEB081D8F.TMP.1.dr	String found in binary or memory: https://noname.vvtl-srv.xyz/main/Bhttps://noname.vvtl-srv.xyz/main/
Source: ~DF1C90FA8CEB081D8F.TMP.1.dr	String found in binary or memory: https://noname.vvtl-srv.xyz/main/M0_03064853.HtMd
Source: recaptcha__en[1].js.2.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: main[1].htm0.2.dr	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css
Source: recaptcha__en[1].js.2.dr	String found in binary or memory: https://support.google.com/recaptcha
Source: recaptcha__en[1].js.2.dr	String found in binary or memory: https://support.google.com/recaptcha#6262736
Source: recaptcha__en[1].js.2.dr	String found in binary or memory: https://support.google.com/recaptcha/#6175971
Source: recaptcha__en[1].js.2.dr	String found in binary or memory: https://support.google.com/recaptcha/?hl=en#6223828
Source: recaptcha__en[1].js.2.dr	String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: main[1].htm0.2.dr	String found in binary or memory: https://www.google.com/recaptcha/api.js
Source: recaptcha__en[1].js.2.dr, bframe[1].htm.2.dr, anchor[1].htm.2.dr, api[1].js.2.dr	String found in binary or memory: https://www.google.com/recaptcha/api2/
Source: ~DF1C90FA8CEB081D8F.TMP.1.dr	String found in binary or memory: https://www.google.com/recaptcha/api2/anchor?ar=1&k=6Lcej-kaAAAAAL_Wy-oJMo5FTzZ65UGVugbtvlkh&co=aHR0
Source: ~DF1C90FA8CEB081D8F.TMP.1.dr	String found in binary or memory: https://www.google.com/recaptcha/api2/bframe?hl=en&v=CdDdhZfPbLLrfYLBdThNS0-Y&k=6Lcej-kaAAAAAL_Wy-oJ
Source: webworker[1].js.2.dr, bframe[1].htm.2.dr, anchor[1].htm.2.dr, api[1].js.2.dr	String found in binary or memory: https://www.gstatic.com/recaptcha/releases/CdDdhZfPbLLrfYLBdThNS0-Y/recaptcha__en.js
Source: bframe[1].htm.2.dr	String found in binary or memory: https://www.gstatic.com/recaptcha/releases/CdDdhZfPbLLrfYLBdThNS0-Y/styles__ltr.css

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 23.94.52.94:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.94.52.94:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.5:49714 version: TLS 1.2

Source: classification engine

Classification label: mal68.phis.troj.winHTM@3/29@3/2

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4C644CFE-CA7E-11EB-90E5-ECF4BB570DC9}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFCA112C58FC16D456.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6320 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6320 CREDAT:17410 /prefetch:2

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
noname.vvtl-srv.xyz	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://noname.vvtl-srv.xyz/main/M0_03064853.HtMd	0%	Avira URL Cloud	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
https://noname.vvtl-srs/Desktop/_VM0_03064853.HtMv.xyz/main/M0_03064853.HtMRoot	0%	Avira URL Cloud	safe
https://noname.vvtl-srv.xyz/main/Bhttps://noname.vvtl-srv.xyz/main/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
stackpath.bootstrapcdn.com	104.18.10.207	true	false		high
noname.vvtl-srv.xyz	23.94.52.94	true	true	0%, Virustotal, Browse	unknown
favicon.ico	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://noname.vvtl-srv.xyz/main/	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://noname.vvtl-srv.xyz/main/M0_03064853.HtMd	~DF1C90FA8CEB081D8F.TMP.1.dr	true	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf.2.dr, KFOmCnqEu92Fr1Mu4mxP[1].ttf.2.dr, KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf.2.dr	false		high
http://www.nytimes.com/	msapplication.xml3.1.dr	false		high
https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css	main[1].htm0.2.dr	false		high
http://www.youtube.com/	msapplication.xml7.1.dr	false		high
https://github.com/twbs/bootstrap/blob/master/LICENSE)	bootstrap.min[1].css.2.dr	false		high
http://www.wikipedia.com/	msapplication.xml6.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.com/	msapplication.xml.1.dr	false		high
http://www.live.com/	msapplication.xml2.1.dr	false		high
https://noname.vvtl-srs/Desktop/_VM0_03064853.HtMv.xyz/main/M0_03064853.HtMRoot	{4C644D00-CA7E-11EB-90E5-ECF4BB570DC9}.dat.1.dr	false	Avira URL Cloud: safe	unknown
https://getbootstrap.com/)	bootstrap.min[1].css.2.dr	false		high
https://noname.vvtl-srv.xyz/main/	~DF1C90FA8CEB081D8F.TMP.1.dr, main[1].htm.2.dr	true		unknown
http://www.reddit.com/	msapplication.xml4.1.dr	false		high
http://www.twitter.com/	msapplication.xml5.1.dr	false		high
https://noname.vvtl-srv.xyz/main/Bhttps://noname.vvtl-srv.xyz/main/	~DF1C90FA8CEB081D8F.TMP.1.dr	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.18.10.207	stackpath.bootstrapcdn.com	United States		13335	CLOUDFLARENETUS	false
23.94.52.94	noname.vvtl-srv.xyz	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	432925
Start date:	10.06.2021
Start time:	23:28:08
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 34s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	_VM0_03064853.HtM
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.phis.troj.winHTM@3/29@3/2
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .HtM
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 93.184.220.29, 104.43.193.48, 51.103.5.159, 204.79.197.200, 13.107.21.200, 20.82.210.154, 13.88.21.125, 184.30.21.144, 88.221.62.148, 142.250.180.196, 142.250.201.195, 172.217.18.67, 184.30.24.56, 152.199.19.161, 92.122.213.247, 92.122.213.194, 20.54.7.98, 20.54.26.129 Excluded domains from analysis (whitelisted): gstaticadssl.l.google.com, cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, vip1-par02p.wns.notify.trafficmanager.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, go.microsoft.com, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, www.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, www.gstatic.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, fonts.gstatic.com, ie9comview.vo.msecnd.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
104.18.10.207	payload.html	Get hash	malicious	Browse
	Evershedsnicea NDA file attach...htm	Get hash	malicious	Browse
	7 #U039c#U0456#U0455#U0455#U0435d #U0441#U0430II#U0455.htm	Get hash	malicious	Browse
	The Village.html	Get hash	malicious	Browse
	GoogleChrome6.8.10.apk	Get hash	malicious	Browse
	#Ud83d#Udda8rocket.com 1208421(69-queue-2615.htm	Get hash	malicious	Browse
	receipt620.htm	Get hash	malicious	Browse
	Secured-Message_7634-7.html	Get hash	malicious	Browse
	original phishing email.html	Get hash	malicious	Browse
	Return-message4928.html	Get hash	malicious	Browse
	_.html	Get hash	malicious	Browse
	Sealant Specialists, Inc. Projects #2021-Proposal #19100.html	Get hash	malicious	Browse
	PAID Invoice name@gmail.com.htm	Get hash	malicious	Browse
	mal.html	Get hash	malicious	Browse
	mal.html	Get hash	malicious	Browse
	mal.html	Get hash	malicious	Browse
	hwJn3new_fax-message.html	Get hash	malicious	Browse
	ATT11972.HTM	Get hash	malicious	Browse
	VoicePlayback for Mjsansegundo Hispasat.htm	Get hash	malicious	Browse
	#U266c Voice_Audio_845021.htm	Get hash	malicious	Browse
23.94.52.94	_Vm064855583.HtM	Get hash	malicious	Browse
23.94.52.94	_064855583.HtM	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
stackpath.bootstrapcdn.com	Check 57549.Html	Get hash	malicious	Browse	104.18.11.207
	Secured-Message_7634-7.html	Get hash	malicious	Browse	104.18.10.207
	New_Messagejacob@steinborn.comMessage.html	Get hash	malicious	Browse	104.18.11.207
	Return-message4928.html	Get hash	malicious	Browse	104.18.11.207
	VM_5823_05_24_2-2.html	Get hash	malicious	Browse	104.18.11.207
	Secured-Message_7634-7.html	Get hash	malicious	Browse	104.18.11.207
	_Vm064855583.HtM	Get hash	malicious	Browse	104.18.11.207
	_.html	Get hash	malicious	Browse	104.18.10.207
	PAID Invoice name@gmail.com.htm	Get hash	malicious	Browse	104.18.10.207
	#U266c Voice_Audio_845021.htm	Get hash	malicious	Browse	104.18.10.207
	#U266c Voice_Audio_845021.htm	Get hash	malicious	Browse	104.18.10.207
	VM.HTML	Get hash	malicious	Browse	104.18.10.207
	#U266c Voice_Audio_845021.htm	Get hash	malicious	Browse	104.18.11.207
	Agreement_052521.html	Get hash	malicious	Browse	104.18.10.207
	Retrieve_Messages65904_40_55am.html	Get hash	malicious	Browse	104.18.11.207
	89934.Htm	Get hash	malicious	Browse	104.18.10.207
	SwiftPaymentRef94049.html	Get hash	malicious	Browse	104.18.10.207
	_064855583.HtM	Get hash	malicious	Browse	104.18.10.207
	#Ud83d#Udccc Domesticandgeneral Agreement_052421 Mark.bridges.html	Get hash	malicious	Browse	104.18.10.207
	SKM_Invoice ES27752POP.html	Get hash	malicious	Browse	104.18.10.207

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	payload.html	Get hash	malicious	Browse	104.16.18.94
	wa71myDkbQ.exe	Get hash	malicious	Browse	104.21.10.26
	80va15z6m1.exe	Get hash	malicious	Browse	162.159.134.233
	Ref#Doc30504871 Wyg.htm	Get hash	malicious	Browse	104.16.18.94
	DNPr7t0GMY.exe	Get hash	malicious	Browse	23.227.38.74
	o8RYFTZsuU.exe	Get hash	malicious	Browse	162.159.129.233
	MrjC4jkPL8.exe	Get hash	malicious	Browse	162.159.129.233
	3c2pU82NQD.exe	Get hash	malicious	Browse	104.21.19.200
	#Ud83d#Udce9-peter.nash.htm	Get hash	malicious	Browse	104.18.11.207
	SKlGhwkzTi.exe	Get hash	malicious	Browse	104.21.65.7
	RFQ-sib.exe	Get hash	malicious	Browse	104.21.19.200
	PO.doc	Get hash	malicious	Browse	104.21.19.200
	Evershedsnicea NDA file attach...htm	Get hash	malicious	Browse	104.16.18.94
	SecuriteInfo.com.Trojan.PackedNET.825.24532.exe	Get hash	malicious	Browse	172.67.188.154
	090049000009000.exe	Get hash	malicious	Browse	104.21.19.200
	Letter 1019.xlsx	Get hash	malicious	Browse	172.67.161.4
	fTxhRIDnrC.dll	Get hash	malicious	Browse	104.20.185.68
	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Get hash	malicious	Browse	23.227.38.74
	UGGJ4NnzFz.exe	Get hash	malicious	Browse	23.227.38.74
	Order.exe	Get hash	malicious	Browse	104.21.40.174
AS-COLOCROSSINGUS	1LvgZjt4iv.exe	Get hash	malicious	Browse	198.46.177.119
	PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx	Get hash	malicious	Browse	198.23.221.170
	Purchase Order Price List 061021.xlsx	Get hash	malicious	Browse	198.12.127.155
	xYKsdzAUj8.exe	Get hash	malicious	Browse	192.210.198.12
	lsQ72VytAw.exe	Get hash	malicious	Browse	192.210.198.12
	EDxI6b8IKs.exe	Get hash	malicious	Browse	192.210.198.12
	ouGTVjHuUq.exe	Get hash	malicious	Browse	192.210.198.12
	vbc.xlsx	Get hash	malicious	Browse	107.173.219.35
	PO.xlsx	Get hash	malicious	Browse	198.12.110.183
	Duplicated Orders.xlsx	Get hash	malicious	Browse	198.12.110.183
	pago.xlsx	Get hash	malicious	Browse	192.227.228.121
	DEPOSITAR.xlsx	Get hash	malicious	Browse	198.12.110.183
	HT.xlsx	Get hash	malicious	Browse	198.12.110.183
	order 4806125050.xlsx	Get hash	malicious	Browse	192.227.228.121
	PO -TXGU5022187.xlsx	Get hash	malicious	Browse	192.227.228.121
	Ref 0180066743.xlsx	Get hash	malicious	Browse	198.12.127.155
	Naro#U010dite 5039066002128.xlsx	Get hash	malicious	Browse	192.227.228.121
	Proforma Inv.xlsx	Get hash	malicious	Browse	192.3.122.169
	Payment_Doc.xlsx	Get hash	malicious	Browse	107.173.219.35
	Purchase Order Price List.xlsx	Get hash	malicious	Browse	198.12.127.155

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	payload.html	Get hash	malicious	Browse	23.94.52.94 104.18.10.207
	Ref#Doc30504871 Wyg.htm	Get hash	malicious	Browse	23.94.52.94 104.18.10.207
	#Ud83d#Udce9-peter.nash.htm	Get hash	malicious	Browse	23.94.52.94 104.18.10.207
	fTxhRIDnrC.dll	Get hash	malicious	Browse	23.94.52.94 104.18.10.207
	RRY0yKj2HM.dll	Get hash	malicious	Browse	23.94.52.94 104.18.10.207
	Check 57549.Html	Get hash	malicious	Browse	23.94.52.94 104.18.10.207
	sat1_0609_2.dll	Get hash	malicious	Browse	23.94.52.94 104.18.10.207
	7 #U039c#U0456#U0455#U0455#U0435d #U0441#U0430II#U0455.htm	Get hash	malicious	Browse	23.94.52.94 104.18.10.207
	Yl6482CO6U.exe	Get hash	malicious	Browse	23.94.52.94 104.18.10.207
	ManyToOneMailMerge Ver 18.2.dotm	Get hash	malicious	Browse	23.94.52.94 104.18.10.207
	Sleek_Free.exe	Get hash	malicious	Browse	23.94.52.94 104.18.10.207
	WV Northern Community College.docx	Get hash	malicious	Browse	23.94.52.94 104.18.10.207
	LVh23zF9x9.exe	Get hash	malicious	Browse	23.94.52.94 104.18.10.207
	d7b9ef581459a0d8f94b789ae07a9e0892c0f0d0bcc74.dll	Get hash	malicious	Browse	23.94.52.94 104.18.10.207
	d7b9ef581459a0d8f94b789ae07a9e0892c0f0d0bcc74.dll	Get hash	malicious	Browse	23.94.52.94 104.18.10.207
	The Village.html	Get hash	malicious	Browse	23.94.52.94 104.18.10.207
	RFQ-INV-PAYMENT.Htm	Get hash	malicious	Browse	23.94.52.94 104.18.10.207
	#Ud83d#Udcde VM_58490931 Recoding.wav - 20223 PM.htm.htm	Get hash	malicious	Browse	23.94.52.94 104.18.10.207
	Bills Pending Approval.html	Get hash	malicious	Browse	23.94.52.94 104.18.10.207
	#Ud83d#Udda8northerntrust.hscni.net 692233150-queue-7828.htm	Get hash	malicious	Browse	23.94.52.94 104.18.10.207

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\DSW732N5\www.google[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	98
Entropy (8bit):	4.937648977829677
Encrypted:	false
SSDEEP:	3:D9yRtFwsW+pEeAqom+NH9jSnLDAqSeUTJFA0aKb:JUFy+pEeAq8NdiLYeWb
MD5:	0134462F2FF5FD396FAD6793C0FABCE5
SHA1:	C7115689ED98922717B41E6816D8F8CFA916527C
SHA-256:	0527626FDA8646338FD63AE823803F916892C905ADE0BC715ED7035FD943DEB1
SHA-512:	DED2A5F1F165ACCD8D46D9A5B5799A0149440D1BCD0DF5132CE06663AB770A19116DE1244C7054190B116AE8761EED0DEDEC635A422D9571844ABD321B83A2C6
Malicious:	false
Reputation:	low
Preview:	<root><item name="rc::a" value="MTl1dm8zNTdpYzRoMw==" ltime="293685936" htime="30891659" /></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4C644CFE-CA7E-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	30296
Entropy (8bit):	1.8458894714517007
Encrypted:	false
SSDEEP:	192:r5YZEZm23W5tlqflPxlM9PBMPSMiJfMiwcX:r+0dGrlolPg9PBMPSMi5Mip
MD5:	CADA37829CAC132055FF7DA579D3DB4F
SHA1:	594528F9DD7FC642A86C9048925EAD68B79A8160
SHA-256:	F3B24651E5F010646D8906F74C7A16507A7F0A7E40124BC45786ECA89478FED9
SHA-512:	F1C7FBDEF9209B5FCD105685AFEC251DA58D92AD451335C7F54D3B893C0B3F2C26E5FCA8CB7800E97417F0ACC05E36066126D4B75820684FC2FCEE581A46DF4F
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4C644D00-CA7E-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	34064
Entropy (8bit):	2.399306090019309
Encrypted:	false
SSDEEP:	192:r2ZdQZ6HkrjR2KWQMwrBvKWJ545d5H0M0bPLQEjz2BW+tVUuGi6jXg:ryi0EXAJlmhrAWP9Mtj1
MD5:	0098E76C1E954AC6C4CC828547717BCE
SHA1:	5DEB74D7080D6B8C08F59345FA9D7E9154619E14
SHA-256:	25BCEE210EA7FF87082127C786FA7C334832096D7A34B9C67A2CCF3D08A5CA30
SHA-512:	AAA006ADFF8CA5CEB22131CFAD31965737AD4376CDD4BFAAA2BD80445EB5EDE59C519014BF0C3467F79FBAB581EED6B94100ADCB9E1850BCC6BA7DBB88E478E8
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5269EEE7-CA7E-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.5671144746765155
Encrypted:	false
SSDEEP:	48:IwpGcpr9GwpabG4pQDGrapbSyGQpKsG7HpRYTGIpG:rvZnQ96nBSaAHT8A
MD5:	CA2DAAFF7395BDB03D34DC02ADBC865B
SHA1:	E3A99D3C71969945561D2B9F0D5C54EA1A96D3B6
SHA-256:	0E45152592518DAE3A4CF50E7CA93960BEAC78C5FCA88DE724D00A07476DD563
SHA-512:	B0D65AB72C556CC045B86C23921C1150949411E4CE4A07549D6CC433435C137AD03A9E9FCDF6AC46F9AFC56B4415B65F0B8AEB6A533D5A62E654F02A5A37F9FB
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.080205017953846
Encrypted:	false
SSDEEP:	12:TMHdNMNxOECavTav6nWimI002EtM3MHdNMNxOECavTav6nWimI00ONVbkEtMb:2d6NxOCW6SZHKd6NxOCW6SZ7Qb
MD5:	112CCE55F341110EE28B54CD681AD391
SHA1:	F6688BDD0B2A586C563125E05A25583965BC38B9
SHA-256:	960AFADABB5834602CF300A116F61CBB62FF4DB9B11013F21D2A145378A82F8F
SHA-512:	37F6A531CBE5C8083834CB074536D9F7F5030F4F5AC5E0FB6E00C31DB57B8F5E5F8F516D18F5BD5CD0D24D2D2664F0A0DD5772E058350FF83322ABDCBA3E6201
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.137831838363624
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kZXOX6nWimI002EtM3MHdNMNxe2kZXOX6nWimI00ONkak6EtMb:2d6NxraXOX6SZHKd6NxraXOX6SZ72a7b
MD5:	048386CA584B71581BB5909D5E491C0B
SHA1:	0961A44DFBCD34B03AF95C7F7AE353DD48E003E4
SHA-256:	93CF1F05795992C9A6CF0F9D7A82201E7284417CBFD7F0116F70F1DB4A26D1F3
SHA-512:	F8CDAC05499BF2F30EAEDD23F85333D34E42BCB869E2863B074BB53C7B69C6938306A68AD407B487753E70795045FCC48F79513B7270BAB108978A4FB01AF7D9
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x23245db3,0x01d75e8b</date><accdate>0x23245db3,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x23245db3,0x01d75e8b</date><accdate>0x23245db3,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	663
Entropy (8bit):	5.099059995062356
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLCavTav6nWimI002EtM3MHdNMNxvLCavTav6nWimI00ONmZEtMb:2d6NxvjW6SZHKd6NxvjW6SZ7Ub
MD5:	47F11E1B2F08B28E826F5A1B1D697A15
SHA1:	5C56F73F9273A5A337CC061778B23A8A76EB627F
SHA-256:	A22FD3BA6B8A94473D3767BF1BC6DF6597C925CBE897286F60E087B16869DA1E
SHA-512:	59C351AC89A75858CDA4910775718A5EDA161DD62BEA2C0394E37F3DF3752B67FCFB108637B922798069C626FADDD8651447C04FEE42E95FBD5AE3BC0B499CE9
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	648
Entropy (8bit):	5.09518084599109
Encrypted:	false
SSDEEP:	12:TMHdNMNxiCavTav6nWimI002EtM3MHdNMNxiCavTav6nWimI00ONd5EtMb:2d6NxIW6SZHKd6NxIW6SZ7njb
MD5:	969056543B35D0D86B05CD6FBDB4B334
SHA1:	CF6E856F71C1387B0E055258E5859C0A57EEB8A3
SHA-256:	02C0A74EE5E5863B25F4882CE1B06CEDFC27A46F4955D418D8A640BEADD38CD8
SHA-512:	812D37285F32D32DF96D2668E40A6B24169EAED5ACDD54ACE30EA0005C6F9386C0203A61CEF36E6BE3737DAD2C41DEE848475D2EEE35F5FB91A48026A9C5242B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.110797848890145
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwCavTav6nWimI002EtM3MHdNMNxhGwCavTav6nWimI00ON8K075Ety:2d6NxQ2W6SZHKd6NxQ2W6SZ7uKajb
MD5:	80B6B2A39A9417574E7811488DEA83B3
SHA1:	6B862458F99F2DBB8D502AA58CBA6CE54FDEDC1B
SHA-256:	3C6667B8758665FC3221163171A350024EBE341B9617898E4D910853D8917EC3
SHA-512:	47F54469D54FDB7D10089F389ABDFEEA9A3E575CD72A0FDF0CE4D77D48F1A1645D71E9C7F078721DA4018CC15186B0375EFB7744D96D1FB172460B855E410819
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.081341988475556
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nCavTav6nWimI002EtM3MHdNMNx0nCavTav6nWimI00ONxEtMb:2d6Nx03W6SZHKd6Nx03W6SZ7Vb
MD5:	69665038865617691872D1621FA1DD88
SHA1:	633620A1CE86C4FB478C02ADEEC19DFBAE50D3BE
SHA-256:	9323F5C7229FC25E546AD911F4673048F8584C432DC1021A22E20C8D932486B7
SHA-512:	5AFA27EC3F090F180FF00E8CEE55CE2B01F79E90C0F2EBCD3F0004C2D85169CC1F065F37B7BA7F3E2CF735A525E530F2393BF38A554C6A1505988B5D1858F41F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.119779969611431
Encrypted:	false
SSDEEP:	12:TMHdNMNxxCavTav6nWimI002EtM3MHdNMNxxCavTav6nWimI00ON6Kq5EtMb:2d6NxpW6SZHKd6NxpW6SZ7ub
MD5:	5D977747C37DC7FC74D26CCAC5034386
SHA1:	30A1B9F55B37AB1170F754CA105628561F4444ED
SHA-256:	816657F5B9A2AC7673E85A9F9331EFC0FEACE48500BDAB033BE79005D4A63B5E
SHA-512:	0935B64E8334978C3D56D4C2C046EAB16192A6371E970E441BA3B107746E4D77D0D66BFA01FE96733EC48834C4ADD80CDAF78A7F39C9B14270199B6FAE735745
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	660
Entropy (8bit):	5.1244848165116705
Encrypted:	false
SSDEEP:	12:TMHdNMNxcZXOX6nWimI002EtM3MHdNMNxcZXOX6nWimI00ONVEtMb:2d6NxyXOX6SZHKd6NxyXOX6SZ71b
MD5:	457EC700FD6E2E2F3289D070B06A3B98
SHA1:	CB9241B1CF0EE6205C1324183A618F66BAC2BAFB
SHA-256:	784826FA46B6A6A7EE7375F02706B4D8935AE00A9939C8DEFF61C7D9151D5ACB
SHA-512:	AB02A84C97D5F157D32F39AC88EEC2BA805FB5FB2F107B8FC737512897C00E4B6FF3814284F54AE2EB8C33AD3E7B159208BD81F87EDBD7AB70E3DCABDD8BA540
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x23245db3,0x01d75e8b</date><accdate>0x23245db3,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x23245db3,0x01d75e8b</date><accdate>0x23245db3,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.08058685466488
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnCavTav6nWimI002EtM3MHdNMNxfnCavTav6nWimI00ONe5EtMb:2d6Nx/W6SZHKd6Nx/W6SZ7Ejb
MD5:	5F789D696F15AAACE8A372449075E171
SHA1:	5C8307435CE4D9FC01A7B09041733B589CD70E98
SHA-256:	18353466AE90B1A699F980A964E4C00CE9B17CFD88C2CFE64F9D2782C2F9103F
SHA-512:	0CF4DF2B8E882C3C312442A6DF81FE9A3CE7D898A791CA0BA95B7B8CCE16F4F67E6607967B38FB0EC1587F73446F6935EDA5CA454F71E2F8569F87B41A05E207
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x2358d131,0x01d75e8b</date><accdate>0x2358d131,0x01d75e8b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\api[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	850
Entropy (8bit):	5.503830300919296
Encrypted:	false
SSDEEP:	24:2jkm94/zKPccAv+KVCetjK1iO0FsLqo40RWUnYN:VKEctKoehK1iO0iLrwUnG
MD5:	CF53B22306EE06B534812A53D3D05132
SHA1:	A70176BE630BEA42DA4E4C1E5BE4913A14E26510
SHA-256:	5E0DD79E80C5C235810A628CCEB4BE0610ACC96A33CF676ABB09AA266719728E
SHA-512:	23E60144852E2675075A5FCE33608B98ABDF2FDCFB00AE868FEFB05E7C5EDCA6976CE12B63BF996D673E7C858ED0BDB696684D0B63EA46CDF34DB2B90CEB21D8
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.google.com/recaptcha/api.js
Preview:	/* PLEASE DO NOT COPY AND PASTE THIS CODE. */(function(){var w=window,C='___grecaptcha_cfg',cfg=w[C]=w[C]\|\|{},N='grecaptcha';var gr=w[N]=w[N]\|\|{};gr.ready=gr.ready\|\|function(f){(cfg['fns']=cfg['fns']\|\|[]).push(f);};w['__recaptcha_api']='https://www.google.com/recaptcha/api2/';(cfg['render']=cfg['render']\|\|[]).push('onload');w['__google_recaptcha_client']=true;var d=document,po=d.createElement('script');po.type='text/javascript';po.async=true;po.src='https://www.gstatic.com/recaptcha/releases/CdDdhZfPbLLrfYLBdThNS0-Y/recaptcha__en.js';po.crossOrigin='anonymous';po.integrity='sha384-3pNlpjOSWmuah66pVKQKOiPacG4Zb6CkqGCd1vLD1fLs77yx0HzO8mvn4afvVxw4';var e=d.querySelector('script[nonce]'),n=e&&(e['nonce']\|\|e.getAttribute('nonce'));if(n){po.setAttribute('nonce',n);}var s=d.getElementsByTagName('script')[0];s.parentNode.insertBefore(po, s);})();

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\webworker[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	102
Entropy (8bit):	4.886208891621214
Encrypted:	false
SSDEEP:	3:JSbMqSL1cdXWKQKDnYjWaee:PLKdXNQKjsL
MD5:	5DAD08199F07751D5FDFDFDDDA665BCE
SHA1:	A1E4DF09407F5002629A892D6C2409D57BDA6912
SHA-256:	5A1B737B86A66360A825DF3C28F91CA2140A49954967A4F56CC3D90502E24897
SHA-512:	183F0648B3612426490522FF2E0A8A1FC4690329A73B93B4051886A0B58D062E0EA59167F2172CB7CA7F9FE23430F59F32DFC877AEB79055B26135C38D85587A
Malicious:	false
IE Cache URL:	https://www.google.com/recaptcha/api2/webworker.js?hl=en&v=CdDdhZfPbLLrfYLBdThNS0-Y
Preview:	importScripts('https://www.gstatic.com/recaptcha/releases/CdDdhZfPbLLrfYLBdThNS0-Y/recaptcha__en.js');

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	TrueType Font data, 18 tables, 1st "GDEF", 8 names, Microsoft, language 0x409, Copyright 2011 Google Inc. All Rights Reserved.Roboto BlackRegularVersion 2.137; 2017Roboto-Bla
Category:	downloaded
Size (bytes):	35208
Entropy (8bit):	6.392518822467014
Encrypted:	false
SSDEEP:	768:53Dmu13ucOmpIN22bN8o6Ze0XlGV+uM49pSeCu7XniviDffw6mo/quUR:lD13DjSNz0XlG0uL9YeCu7Xn4iTo9o/4
MD5:	4D99B85FA964307056C1410F78F51439
SHA1:	F8E30A1A61011F1EE42435D7E18BA7E21D4EE894
SHA-256:	01027695832F4A3850663C9E798EB03EADFD1462D0B76E7C5AC6465D2D77DBD0
SHA-512:	13D93544B16453FE9AC9FC025C3D4320C1C83A2ECA4CD01132CE5C68B12E150BC7D96341F10CBAA2777526CF72B2CA0CD64458B3DF1875A184BBB907C5E3D731
Malicious:	false
IE Cache URL:	https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmYUtfBBc9.ttf
Preview:	........... GDEF......z\...dGPOS......z.....GSUB7b..........OS/2ve#...p....`cmap......r....Lcvt ...=..xX...Zfpgm..#...ud....gasp......zP....glyf.......,..i~hdmx......q ....head...R..l....6hhea.]....p....$hmtx..<...l.....locaK./...j.....maxp......j.... name..9...x....\|post.m.d..z0... prep...C..w ...8...d...(.............P...EX../....>Y..EX../....>Y......9......9......9......9........9......9......01!!.!.......!.5.!.(.<..6......................}.w...x.^.^..^....g...........<......9.........EX../....>Y..EX../....>Y.....+X!...Y..../01.!.!.462..."&....+.g..k.kk.k......J__.__.......^.......&......9........./......9../........01..#.3..#.3.+..._+...v.S.8..S.8.......z.......... !..9.........EX../....>Y..EX../....>Y..EX../....>Y..EX../....>Y......9../.....+X!...Y............../.....+X!...Y...............................01.#.#.#53.#53.3.3.3.3.!.3.!.#.3.#.d.C.C..,..E.D.E.E...,...C.@.,....f.........`...`.....f.Q......S.&.Q...-.r.+./..9...EX../....>Y..EX.!/..!.>Y..!...9........!..9......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\anchor[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	43014
Entropy (8bit):	5.904524064362026
Encrypted:	false
SSDEEP:	768:v/SGlmEXTF1meO36bwOXPR0nC7zQdTjzrHWd0d3KEw8dlQpa8eF3Wk:tkE51zO36b5p0nmz8TP40wu/Qy5Wk
MD5:	AE6A1DCD500A071E0FD497433EE22045
SHA1:	E598821187961520E179A13A05AAFAC96874C772
SHA-256:	1FE7AC3BD374F31742A6968DF1B99845FD805923A8650DDD88BE4FC4D7D21351
SHA-512:	963290604ACFF667D9396D2143F250DF51BC40414724E19B4C0C4E00ACFE7B3FE971E6ADB23DECB705D4EFFA157542D2E3A87CA26D44EBA8C1E054CB2ED3C8A0
Malicious:	false
Preview:	<!DOCTYPE HTML><html dir="ltr" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.<meta http-equiv="X-UA-Compatible" content="IE=edge">.<title>reCAPTCHA</title>.<style type="text/css">.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 400;. src: url(//fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxP.ttf) format('truetype');.}.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 500;. src: url(//fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc9.ttf) format('truetype');.}.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 900;. src: url(//fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmYUtfBBc9.ttf) format('truetype');.}..</style>.<link rel="stylesheet" type="text/css" href="https://www.gstatic.com/recaptcha/releases/CdDdhZfPbLLrfYLBdThNS0-Y/styles__ltr.css">.<script nonce="AFcqJpRcjWZG9CXRr7kUsQ" type="text/javascript">window['__recaptcha_api'] = 'https://www.google.com/rec

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\bframe[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	1522
Entropy (8bit):	5.542192567752752
Encrypted:	false
SSDEEP:	24:D0ksPkGAy/iOYsFYxMJ0/iOYXFYx1S/iOYrFYxAQNPGtjb5jgvPCtjv30NSAL3BY:Dc1A1OLKIXOgKNOMK5N+hlwqhKVIvp
MD5:	2E7C50554EEB2F67EED2D45F1572D1C4
SHA1:	C363FD0D1F542EE6F9FD02E2A1C0AFA39AD1639C
SHA-256:	82F2DE24DEEB0DA7D0CA8AE560ED60DE1E703F30171115D1AEFCBA102DB0B226
SHA-512:	AB2C167DB9540FBC6F8CBE596C0CDEEE204A8693079CECE2AB50FF76AC3FBA1631CF163C02C8FE10EBE1FC9A5E93AE2D9E58B4E6718B4A7443A063620B484C6B
Malicious:	false
Preview:	<!DOCTYPE HTML><html dir="ltr" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.<meta http-equiv="X-UA-Compatible" content="IE=edge">..<title>reCAPTCHA</title>.<style type="text/css">.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 400;. src: url(//fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxP.ttf) format('truetype');.}.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 500;. src: url(//fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc9.ttf) format('truetype');.}.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 900;. src: url(//fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmYUtfBBc9.ttf) format('truetype');.}..</style>.<link rel="stylesheet" type="text/css" href="https://www.gstatic.com/recaptcha/releases/CdDdhZfPbLLrfYLBdThNS0-Y/styles__ltr.css">.<script nonce="s6wy2QW//L0tuLl2kyskmw" type="text/javascript">window['__recaptcha_api'] = 'https://www.google.com/re

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\main[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	241
Entropy (8bit):	5.106390205652668
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwol6hEr6VX16hu9nPxQTL/HbU+KqD:J0+ox0RJWWPxQTL7T
MD5:	E9902A004494A7D6344D9782636A2C84
SHA1:	D7F92A5A3A5C6370B5EE4836AE645D008EAD6CA0
SHA-256:	F0779DC815556DDD544CBAB55299C5827705FB302119F430BF84B73DFB4DB031
SHA-512:	B6515181B2620AD5B471BD2E9226F5E47F54D1CBBA3CB3CC00D792F1F0EF51CA5B15F4697A1391682B17FDF3FB513E7C1C8D80E3FB095BEC8B8D169DF61EEB24
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="https://noname.vvtl-srv.xyz/main/">here</a>.</p>.</body></html>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\styles__ltr[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	52867
Entropy (8bit):	5.958224586944697
Encrypted:	false
SSDEEP:	768:+LUmmAWTe2uXYp8Mi+yKSrKebyBwd/Dl+x2d5YPcPoiDH1fkQJVEwY:4UcW6v+2rKwFDlDP7dnY
MD5:	B1207A1EFB3FC87C56B8EEC39EC65B4C
SHA1:	C1F3A3A13E5D0595AC22227B12FEF4949C7C79E0
SHA-256:	5FE20047C1CC1BE61A786D56C5C02B96453B9C60656D6C8429A1ADD79017E47F
SHA-512:	A4F7279F7C1BB35B9239712C4B954E752FF98739AB38520F1B8E12A75485EA6F2890EBA6AD7FDF074C94928FFA7ECA5A84B32AEAC9EBB10467AC6F082BE189E7
Malicious:	false
IE Cache URL:	https://www.gstatic.com/recaptcha/releases/CdDdhZfPbLLrfYLBdThNS0-Y/styles__ltr.css
Preview:	.goog-inline-block{position:relative;display:-moz-inline-box;display:inline-block}* html .goog-inline-block{display:inline}*:first-child+html .goog-inline-block{display:inline}.recaptcha-checkbox{border:none;font-size:1px;height:28px;margin:4px;width:28px;overflow:visible;outline:0;vertical-align:text-bottom}.recaptcha-checkbox-border{-webkit-border-radius:2px;-moz-border-radius:2px;border-radius:2px;background-color:#fff;border:2px solid #c1c1c1;font-size:1px;height:24px;position:absolute;width:24px;z-index:1}.recaptcha-checkbox-borderAnimation{background-image:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAFQAAANICAYAAABZl8i8AAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAAABIAAAASABGyWs+AAAACXZwQWcAAABUAAADSAC4K4y8AAA4oElEQVR42u2dCZRV1ZX3q5iE4IQIiKQQCKBt0JLEIUZwCCk7pBNFiRMajZrIl9aOLZ8sY4CWdkDbT2McooaAEmNixFhpaYE2dCiLScWiQHCgoGQoGQuhGArKKl7V+c5/n33fO/V4w733nVuheXuv9V/rrnvP2Xud3zvTPee+ewsKxMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExP4OdtlT6ztAbRWvvLy8A3QkwxzH6tBGMMexI

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	TrueType Font data, 18 tables, 1st "GDEF", 8 names, Microsoft, language 0x409, Copyright 2011 Google Inc. All Rights Reserved.Roboto MediumRegularVersion 2.137; 2017Roboto-Me
Category:	downloaded
Size (bytes):	35588
Entropy (8bit):	6.410135551455154
Encrypted:	false
SSDEEP:	768:6yVJgIpAqZsXgDNHOBBPXNOKdhT1N+06XAxGrzmoqpxk0SnuUR:enq805OBBdhT1NP6XAxGryoqp2
MD5:	4D88404F733741EAACFDA2E318840A98
SHA1:	49E0F3D32666AC36205F84AC7457030CA0A9D95F
SHA-256:	B464107219AF95400AF44C949574D9617DE760E100712D4DEC8F51A76C50DDA1
SHA-512:	2E5D3280D5F7E70CA3EA29E7C01F47FEB57FE93FC55FD0EA63641E99E5D699BB4B1F1F686DA25C91BA4F64833F9946070F7546558CBD68249B0D853949FF85C5
Malicious:	false
IE Cache URL:	https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc9.ttf
Preview:	........... GDEF......{....dGPOS......\|<....GSUB7b.....8....OS/2t.#...r....`cmap......st...Lcvt 1..K..y....\fpgm..$...v.....gasp......{.....glyf.'.....,..j.hdmx......r\|....head...r..n....6hhea......q....$hmtx..MO..n@....loca\v@z..l(....maxp......l.... name..:...z,....post.m.d..{.... prep...)..x\|...S...d...(.............o......9........................EX../... >Y..EX../....>Y......9......9......9......9........9......9......01!!.!.......!.5.!.(.<..6......................}.w...x.^.^..^...............<......9.........EX../... >Y..EX../....>Y.....+X!...Y..../01.#.!.462...."&.~......J.JH.H......9KK97JJ....e...@.......%...EX../...">Y..../..../......./01..#.3..#.3..#...-#...w.}....}.....`...............EX../... >Y..EX../... >Y..EX../....>Y..EX../....>Y......9../.....+X!...Y............../.....+X!...Y...............................01.#.#.#5!.#5!.3.3.3.3.#.3.#.#.3.#...L.L...:...N.N.N.N..:..L.v.:....f....9....`...`....f.8.9...d.-.&...,...*-...9...EX../... >Y..EX../... >Y..EX.#/.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\KFOmCnqEu92Fr1Mu4mxP[1].ttf Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	TrueType Font data, 18 tables, 1st "GDEF", 8 names, Microsoft, language 0x409, Copyright 2011 Google Inc. All Rights Reserved.RobotoRegularVersion 2.137; 2017Roboto-Regularht
Category:	downloaded
Size (bytes):	35408
Entropy (8bit):	6.412277939913633
Encrypted:	false
SSDEEP:	768:PX4i+tezjtQYgu30G0xL9nQbuEL7LQo9SBxQbptqKmomjJlvh:PJ2z3G0xpUusLEBKptqNomjV
MD5:	372D0CC3288FE8E97DF49742BAEFCE90
SHA1:	754D9EAA4A009C42E8D6D40C632A1DAD6D44EC21
SHA-256:	466989FD178CA6ED13641893B7003E5D6EC36E42C2A816DEE71F87B775EA097F
SHA-512:	8447BC59795B16877974CD77C52729F6FF08A1E741F68FF445C087ECC09C8C4822B83E8907D156A00BE81CB2C0259081926E758C12B3AEA023AC574E4A6C9885
Malicious:	false
IE Cache URL:	https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxP.ttf
Preview:	........... GDEF......{`...dGPOS...h..{.....GSUB7b..........OS/2tq#...q....`cmap......s....Lcvt +.....yl...Tfpgmw.`...vd....gasp......{T....glyf.......,..j.hdmx......r ....head.j.z..m....6hhea......q....$hmtx..Vl..m.....loca?.#...k.....maxp......k.... name.U9...y....tpost.m.d..{4... prep.f....x ...I...d...(.............q......9........................EX../....>Y..EX../....>Y......9......9......9......9..........9......9.......01!!.!.......!.5.!.(.<..6......................}.w...x.^.^..^.......{.......0...EX../....>Y..EX../....>Y.....+X!...Y......901.#.3.462..."&.[....7l88l7......-==Z;;........#.........../......9../........01..#.3..#.3...o.....o...x...........w...............EX../....>Y..EX../....>Y..EX../....>Y..EX../....>Y......9\|../......+X!...Y............../.....+X!...Y...............................01.!.#.#5!.!5!.3.!.3.3.#.3.#.#.!.!....P.P...E....R.R..R.R..E..P....E.....f....b....`...`.....f.#.b....n.0.....+.i...EX../....>Y..EX."/..".>Y.."...9..................+X!.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\recaptcha__en[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	349568
Entropy (8bit):	5.719470557851192
Encrypted:	false
SSDEEP:	6144:vkoBKV7P3kPLI5yhOftr91660YoYDKrC/jvOwu0pFK/76iLthcQ63X+r4zt68+w7:vkoWPU8ftH4I/zOwuSFKjrxhcQ6n+r9q
MD5:	28936BBDD08D5295ED2D058552DFB90B
SHA1:	2209BDB7B6CB70DAD606487A1475955663A08C07
SHA-256:	734160057D9682A89035825F63793CD0F945523EFA3F8D33B8BEF89BD7BDEF5E
SHA-512:	8D5758E8F31BBDEE0C603B8CA6349E0FBD55B3612CDADA4CDEFB1159B3F0DAF3A49E81077E881370470F58490669A33764B1F61F75FFD5E899495134BD3F13B7
Malicious:	false
IE Cache URL:	https://www.gstatic.com/recaptcha/releases/CdDdhZfPbLLrfYLBdThNS0-Y/recaptcha__en.js
Preview:	(function(){/.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var m=function(){return[function(T,h,Q,B,G,w){if(!((T\|((T>>1)%(w=[2,3,9],19)\|\|(G=h.constructor===Uint8Array?h:h.constructor===ArrayBuffer?new Uint8Array(h):h.constructor===Array?new Uint8Array(h):h.constructor===String?R[19](w[0],"",1,w[1],4,h):h instanceof Uint8Array?new Uint8Array(h.buffer,h.byteOffset,h.byteLength):new Uint8Array(0)),w)[0])%11))try{G=h()}catch(u){G=Q}return(T\|4)%((T^970)%((T<<w[0])%24\|\|(Q.Nf&&(H[37](29,Q.Nf),H[37](56,Q.V),H[37](1,Q.JJ),Q.V=h,Q.Nf=h,Q.JJ=h),Q.oC=-1,Q.xZ=h,Q.RC=.-1),8)\|\|(B=R[26](6,h,Q),G=null==B?B:!!B),w)[2]\|\|(L&&!H[31](15,h)?(B=Q.getAttributeNode("tabindex"),G=null!=B&&B.specified):G=Q.hasAttribute("tabindex")),G},function(T,h,Q,B,G,w,u,g){if(!((1==(T-(4==((T^4)&((T<<2)%((g=[42,9,39],T+g[1])%12\|\|(u=Q.$W\|\|(Q.$W=":"+(Q.PW.V++).toString(h))),20)\|\|(Q=new iE,u=R[3](19,Q,h,h)),7))&&(w=B.TC,G='<div class="'+J[16](11,"rc-anchor-invisible-text")+'"><span>',G=G+"pro

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\bootstrap.min[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	155758
Entropy (8bit):	5.06621719317054
Encrypted:	false
SSDEEP:	1536:b/xImT+IcCQYYDnDEBi83NcuSEk/ekX/uKiq3SYiLENM6HN26F:b/Riz7G3q3SYiLENM6HN26F
MD5:	A15C2AC3234AA8F6064EF9C1F7383C37
SHA1:	6E10354828454898FDA80F55F3DECB347FD9ED21
SHA-256:	60B19E5DA6A9234FF9220668A5EC1125C157A268513256188EE80F2D2C8D8D36
SHA-512:	B435CF71A9AE66C59677A3AC285C87EA702A87F32367FE5893CF13E68F9A31FCA0A8D14F6A7D692F23C5027751CE63961CA4FE8D20F35A926FF24AE3EB1D4B30
Malicious:	false
IE Cache URL:	https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css
Preview:	/!. Bootstrap v4.3.1 (https://getbootstrap.com/). * Copyright 2011-2019 The Bootstrap Authors. * Copyright 2011-2019 Twitter, Inc.. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE). /:root{--blue:#007bff;--indigo:#6610f2;--purple:#6f42c1;--pink:#e83e8c;--red:#dc3545;--orange:#fd7e14;--yellow:#ffc107;--green:#28a745;--teal:#20c997;--cyan:#17a2b8;--white:#fff;--gray:#6c757d;--gray-dark:#343a40;--primary:#007bff;--secondary:#6c757d;--success:#28a745;--info:#17a2b8;--warning:#ffc107;--danger:#dc3545;--light:#f8f9fa;--dark:#343a40;--breakpoint-xs:0;--breakpoint-sm:576px;--breakpoint-md:768px;--breakpoint-lg:992px;--breakpoint-xl:1200px;--font-family-sans-serif:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,"Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--font-family-monospace:SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace},::after,::before{box-sizing:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\logo_48[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	2228
Entropy (8bit):	7.82817506159911
Encrypted:	false
SSDEEP:	48:4/6MuQu6DYYEcBDlBVzqawiHI1Oupgl8m7NCnagQJFknwD:4SabhtXqMHyCl8m7N0ag6D
MD5:	EF9941290C50CD3866E2BA6B793F010D
SHA1:	4736508C795667DCEA21F8D864233031223B7832
SHA-256:	1B9EFB22C938500971AAC2B2130A475FA23684DD69E43103894968DF83145B8A
SHA-512:	A0C69C70117C5713CAF8B12F3B6E8BBB9CDAF72768E5DB9DB5831A3C37541B87613C6B020DD2F9B8760064A8C7337F175E7234BFE776EEE5E3588DC5662419D9
Malicious:	false
IE Cache URL:	https://www.gstatic.com/recaptcha/api2/logo_48.png
Preview:	.PNG........IHDR...0...0.....W.......gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....bKGD.......C......pHYs.................IDATh...P....=..8.....Nx. ..PlP8..;.C.1iL#6....Z..!......3.po .o.L.i.I..1fl..4..ujL&6$...............w...........,Z..z. ~.....\.._.C.eK...g..%..P..L7...96..q....L.....k6.....,xz.._......B."#...L(n..f..Yb....8.;....K)N...H).%.F"Ic.LB.........jG.uD..B....Tm....T..).A.}D.f..3.V.....O.....t_..].x.{o..........x?!W...j..@..G=Ed.XF.........J..E?../]..?p..W..H..d5% WA+.....)2r..+..'qk8.../HS.[...u..z.P.....-.A.}.......I .P.....S....\|...)..KS4....I.....W...@....S.s..s..$`.X9.....E.x.=.u.iJ...........k......'...!.a....*+.....(...S..\h....@............I.$..%.2....l......a.\|.....U....y.....t..8....TF.o.p.+.@<.g........-.M.....:.@..(.......@......>..=.ofm.WM{...e..,..D.r.......w....T.L.os..T@Rv..;.....9....56<.x...........2.k.1....dd.V.....m..y5../4\|...G.p.V.......6...}.....B........5...&..v..yTd.6...../m.K...(.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\main[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1007
Entropy (8bit):	5.349673856836519
Encrypted:	false
SSDEEP:	24:0WIzQDFtDSywMCpM8E3PUYUXZr+YAtm4spFudQRRlGMK:0WRTZCi8wUph2CpFudQzK
MD5:	D54495DE0F404D43DE2F8F47CAEA21A9
SHA1:	0C5E4082F66137732EA34FCCB2D195BAF46E4735
SHA-256:	2E5F1BD94E5ED235CFF509BCF219AD8956ADF0B78A50E78908BA8541C74144CE
SHA-512:	60708EBB5AA94D67ECF5C93C37881D130F9A5A2EDF9D019726102388FA8C4BB183D45FE131B056C3D8D9B80FB4BECF41C7BE77B2EFC8ABA529F6A5EF6A5DF276
Malicious:	false
Preview:	<!doctype html>..<html lang="en">.. <head>.. <meta charset="utf-8">.. <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">.. <meta name="description" content="">....<link href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" crossorigin="anonymous">....<script src="https://www.google.com/recaptcha/api.js" async defer></script>.... </head>.. <body>.. <div class="container h-100 d-flex justify-content-center">.. <div class="my-auto">.. <form method="post" action="main.php" style="margin-top:45%" id="myForm">... <div class="g-recaptcha" data-callback="recaptchaCallback" data-sitekey="6Lcej-kaAAAAAL_Wy-oJMo5FTzZ65UGVugbtvlkh"></div>...... .......... ....</form>.. </div>..</div>..</form>..<script>....function recaptchaCallback() {..document.getElementById("myForm").submit();..};..</script>..</body>..</

C:\Users\user\AppData\Local\Temp\~DF1C90FA8CEB081D8F.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	44714
Entropy (8bit):	1.0582161174430464
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+rl3elm20J545d5H0M0bPLQEjz2BW+tVUuGi6j:kBqoxKAuqR+rl3elm20AWP9Mtj
MD5:	03F70E4340179A8EF865744EC0329101
SHA1:	4F6E4DF6D9C65AC9EB89BDBDC4C67F777E56FEDA
SHA-256:	B9E5AAE3B73F10DCE5283FE885FD3024937549DAF78F5B03DAF6775560237C0A
SHA-512:	574634236ECC9A37E8653802CBA52A54305521DA09CC7B94E879BB1D0C3B1780C371B4B69E866ECD5F6DDA164BEB2AF6D3BD81DA74761C0FF4A036FC4504355E
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFCA112C58FC16D456.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13029
Entropy (8bit):	0.47461324302066665
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loq9loa9lWMbF84W:kBqoI1jMu
MD5:	426C6388F07C8575EE0BE8626E0988AF
SHA1:	8E6B3760BD2870A5778616357740B95860D59383
SHA-256:	CDAC0BE097BADFD689AD45745B77289D2A00B99C291A3A3B6882B50D9FA0AC8B
SHA-512:	BB5731D7BA1AF989E81DC640937B8906AAAA368FE7BFECB43FB80598DB1FAEAE14D41E42766FDFD35A2681E7F65F6C70033C0ACDC67607A7F51A5FF099FDCA73
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFF7BC578E1495B755.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	25441
Entropy (8bit):	0.27918767598683664
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laA:kBqoxxJhHWSVSEab
MD5:	AB889A32AB9ACD33E816C2422337C69A
SHA1:	1190C6B34DED2D295827C2A88310D10A8B90B59B
SHA-256:	4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA
SHA-512:	BD250855747BB4CEC61814D0E44F810156D390E3E9F120A12935EFDF80ACA33C4777AD66257CCA4E4003FEF0741692894980B9298F01C4CDD2D8A9C7BB522FB6
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	HTML document, ASCII text, with very long lines, with no line terminators
Entropy (8bit):	4.054740715066031
TrID:
File name:	_VM0_03064853.HtM
File size:	651
MD5:	92e4da33dcd2719acc55db45b697e55a
SHA1:	eea5adf15a8d732ef1d588dd8008db60c234d95d
SHA256:	219829ff681bf8517b43528ebe319cbcd12905d41deae509c8a8c0bc5a613c2a
SHA512:	11ef0a6088b53bb7ed03400937ce03a0b51374436d3e3ae43b6a19ef7310f0f6fffb85d9f4b572ba2e839f624a99f55d8e0e576bf07a4c63331b63bf4015db03
SSDEEP:	12:SuSPyXHqQqgc6S0poWsM2P2ZoW47yOsJfcGb:SaXHNp2iN5LJfcGb
File Content Preview:	<script language="javascript">document.write( unescape( '%3C%21%44%4F%43%54%59%50%45%20%48%54%4D%4C%3E%0A%3C%68%74%6D%6C%20%6C%61%6E%67%3D%22%65%6E%2D%55%53%22%3E%0A%20%20%20%20%3C%68%65%61%64%3E%0A%20%20%20%20%20%20%20%20%3C%73%63%72%69%70%74%20%74%79%70

File Icon


Icon Hash:	f8c89c9a9a998cb8

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 23:28:59.208894014 CEST	49713	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:28:59.209563017 CEST	49712	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:28:59.347695112 CEST	443	49713	23.94.52.94	192.168.2.5
Jun 10, 2021 23:28:59.347795963 CEST	443	49712	23.94.52.94	192.168.2.5
Jun 10, 2021 23:28:59.347841024 CEST	49713	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:28:59.347872972 CEST	49712	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:28:59.352171898 CEST	49713	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:28:59.352221012 CEST	49712	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:28:59.490536928 CEST	443	49712	23.94.52.94	192.168.2.5
Jun 10, 2021 23:28:59.490662098 CEST	443	49713	23.94.52.94	192.168.2.5
Jun 10, 2021 23:28:59.507863045 CEST	443	49712	23.94.52.94	192.168.2.5
Jun 10, 2021 23:28:59.507909060 CEST	443	49712	23.94.52.94	192.168.2.5
Jun 10, 2021 23:28:59.507941008 CEST	443	49712	23.94.52.94	192.168.2.5
Jun 10, 2021 23:28:59.507980108 CEST	443	49712	23.94.52.94	192.168.2.5
Jun 10, 2021 23:28:59.508003950 CEST	49712	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:28:59.508038044 CEST	49712	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:28:59.508079052 CEST	49712	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:28:59.528934002 CEST	443	49713	23.94.52.94	192.168.2.5
Jun 10, 2021 23:28:59.528960943 CEST	443	49713	23.94.52.94	192.168.2.5
Jun 10, 2021 23:28:59.528971910 CEST	443	49713	23.94.52.94	192.168.2.5
Jun 10, 2021 23:28:59.528983116 CEST	443	49713	23.94.52.94	192.168.2.5
Jun 10, 2021 23:28:59.529100895 CEST	49713	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:28:59.529174089 CEST	49713	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:28:59.550910950 CEST	49712	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:28:59.550993919 CEST	49713	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:28:59.561429977 CEST	49713	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:28:59.690361977 CEST	443	49712	23.94.52.94	192.168.2.5
Jun 10, 2021 23:28:59.690562010 CEST	49712	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:28:59.691107035 CEST	443	49713	23.94.52.94	192.168.2.5
Jun 10, 2021 23:28:59.691217899 CEST	49713	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:28:59.702971935 CEST	443	49713	23.94.52.94	192.168.2.5
Jun 10, 2021 23:28:59.703142881 CEST	49713	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:28:59.705916882 CEST	49713	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:28:59.846745968 CEST	443	49713	23.94.52.94	192.168.2.5
Jun 10, 2021 23:28:59.846918106 CEST	49713	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:28:59.850653887 CEST	49713	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:28:59.992376089 CEST	443	49713	23.94.52.94	192.168.2.5
Jun 10, 2021 23:28:59.992580891 CEST	49713	443	192.168.2.5	23.94.52.94
Jun 10, 2021 23:29:00.242429972 CEST	49714	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.245238066 CEST	49715	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.285132885 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.285300016 CEST	49714	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.287411928 CEST	443	49715	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.287542105 CEST	49715	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.742782116 CEST	49714	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.742813110 CEST	49715	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.786484003 CEST	443	49715	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.786818981 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.787683964 CEST	443	49715	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.787708044 CEST	443	49715	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.787748098 CEST	49715	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.787780046 CEST	49715	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.787962914 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.787985086 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.788019896 CEST	49714	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.788052082 CEST	49714	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.802073002 CEST	49714	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.802501917 CEST	49714	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.802697897 CEST	49714	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.804234028 CEST	49715	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.804698944 CEST	49715	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.844502926 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.844877958 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.845009089 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.846136093 CEST	443	49715	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.846311092 CEST	443	49715	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.846340895 CEST	443	49715	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.846369028 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.846394062 CEST	49715	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.846430063 CEST	49715	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.846677065 CEST	443	49715	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.846709967 CEST	443	49715	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.846759081 CEST	49714	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.846795082 CEST	49715	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.847141981 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.847248077 CEST	49714	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.847497940 CEST	49714	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.849904060 CEST	49715	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.858230114 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.858274937 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.858311892 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.858340025 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.858377934 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.858380079 CEST	49714	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.858416080 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.858422995 CEST	49714	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.858444929 CEST	49714	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.858478069 CEST	49714	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.859184980 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.859217882 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.859289885 CEST	49714	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.859324932 CEST	49714	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.859709978 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.859752893 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.859776020 CEST	49714	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.859813929 CEST	49714	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.860730886 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.860773087 CEST	443	49714	104.18.10.207	192.168.2.5
Jun 10, 2021 23:29:00.860820055 CEST	49714	443	192.168.2.5	104.18.10.207
Jun 10, 2021 23:29:00.860861063 CEST	49714	443	192.168.2.5	104.18.10.207

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 23:28:49.661653042 CEST	53	53784	8.8.8.8	192.168.2.5
Jun 10, 2021 23:28:50.310969114 CEST	65307	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:28:50.371601105 CEST	53	65307	8.8.8.8	192.168.2.5
Jun 10, 2021 23:28:50.655810118 CEST	64344	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:28:50.705928087 CEST	53	64344	8.8.8.8	192.168.2.5
Jun 10, 2021 23:28:51.805619955 CEST	62060	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:28:51.836127996 CEST	61805	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:28:51.855986118 CEST	53	62060	8.8.8.8	192.168.2.5
Jun 10, 2021 23:28:51.896017075 CEST	53	61805	8.8.8.8	192.168.2.5
Jun 10, 2021 23:28:51.905690908 CEST	54795	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:28:51.964858055 CEST	53	54795	8.8.8.8	192.168.2.5
Jun 10, 2021 23:28:53.075537920 CEST	49557	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:28:53.125781059 CEST	53	49557	8.8.8.8	192.168.2.5
Jun 10, 2021 23:28:54.199822903 CEST	61733	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:28:54.251372099 CEST	53	61733	8.8.8.8	192.168.2.5
Jun 10, 2021 23:28:55.380254030 CEST	65447	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:28:55.430318117 CEST	53	65447	8.8.8.8	192.168.2.5
Jun 10, 2021 23:28:56.081474066 CEST	52441	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:28:56.141516924 CEST	53	52441	8.8.8.8	192.168.2.5
Jun 10, 2021 23:28:56.632311106 CEST	62176	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:28:56.682434082 CEST	53	62176	8.8.8.8	192.168.2.5
Jun 10, 2021 23:28:57.662391901 CEST	59596	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:28:57.722302914 CEST	53	59596	8.8.8.8	192.168.2.5
Jun 10, 2021 23:28:58.119024038 CEST	65296	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:28:58.172508001 CEST	53	65296	8.8.8.8	192.168.2.5
Jun 10, 2021 23:28:59.129923105 CEST	63183	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:28:59.199583054 CEST	53	63183	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:00.021569014 CEST	60151	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:00.053189039 CEST	56969	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:00.080029964 CEST	53	60151	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:00.106601954 CEST	53	56969	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:01.028875113 CEST	55161	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:01.089329958 CEST	53	55161	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:01.787822962 CEST	54757	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:01.849661112 CEST	53	54757	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:02.119626045 CEST	49992	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:02.180118084 CEST	53	49992	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:02.963155031 CEST	60075	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:03.013681889 CEST	53	60075	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:04.090238094 CEST	55016	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:04.149132967 CEST	53	55016	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:07.949600935 CEST	64345	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:07.999644041 CEST	53	64345	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:09.129960060 CEST	57128	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:09.194214106 CEST	53	57128	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:16.112225056 CEST	54791	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:16.172135115 CEST	53	54791	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:19.396851063 CEST	50463	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:19.458379030 CEST	53	50463	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:27.744234085 CEST	50394	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:27.795881987 CEST	53	50394	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:28.604585886 CEST	58530	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:28.655035973 CEST	53	58530	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:28.738094091 CEST	50394	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:28.789602041 CEST	53	50394	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:29.648986101 CEST	58530	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:29.699645042 CEST	53	58530	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:29.770265102 CEST	50394	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:29.823194027 CEST	53	50394	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:30.700696945 CEST	58530	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:30.754451990 CEST	53	58530	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:30.958817005 CEST	53813	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:31.029829979 CEST	53	53813	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:31.786936045 CEST	50394	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:31.848119974 CEST	53	50394	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:32.700948000 CEST	58530	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:32.751575947 CEST	53	58530	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:35.826546907 CEST	50394	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:35.888895035 CEST	53	50394	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:36.749763012 CEST	58530	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:36.808224916 CEST	53	58530	8.8.8.8	192.168.2.5
Jun 10, 2021 23:29:45.598273993 CEST	63732	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:29:45.660310030 CEST	53	63732	8.8.8.8	192.168.2.5
Jun 10, 2021 23:30:12.618707895 CEST	57344	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:30:12.678580046 CEST	53	57344	8.8.8.8	192.168.2.5
Jun 10, 2021 23:30:32.916131973 CEST	54450	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:30:32.974869967 CEST	53	54450	8.8.8.8	192.168.2.5
Jun 10, 2021 23:30:33.690099955 CEST	59261	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:30:33.751766920 CEST	53	59261	8.8.8.8	192.168.2.5
Jun 10, 2021 23:30:34.334275007 CEST	57151	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:30:34.396456003 CEST	53	57151	8.8.8.8	192.168.2.5
Jun 10, 2021 23:30:34.509681940 CEST	59413	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:30:34.563978910 CEST	53	59413	8.8.8.8	192.168.2.5
Jun 10, 2021 23:30:35.063323021 CEST	60516	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:30:35.127074003 CEST	53	60516	8.8.8.8	192.168.2.5
Jun 10, 2021 23:30:35.845021009 CEST	51649	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:30:35.898365974 CEST	53	51649	8.8.8.8	192.168.2.5
Jun 10, 2021 23:30:36.767107964 CEST	65086	53	192.168.2.5	8.8.8.8
Jun 10, 2021 23:30:36.828792095 CEST	53	65086	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 10, 2021 23:28:59.129923105 CEST	192.168.2.5	8.8.8.8	0x1215	Standard query (0)	noname.vvtl-srv.xyz	A (IP address)	IN (0x0001)
Jun 10, 2021 23:29:00.021569014 CEST	192.168.2.5	8.8.8.8	0xcb08	Standard query (0)	stackpath.bootstrapcdn.com	A (IP address)	IN (0x0001)
Jun 10, 2021 23:29:16.112225056 CEST	192.168.2.5	8.8.8.8	0x8958	Standard query (0)	favicon.ico	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 10, 2021 23:28:59.199583054 CEST	8.8.8.8	192.168.2.5	0x1215	No error (0)	noname.vvtl-srv.xyz		23.94.52.94	A (IP address)	IN (0x0001)
Jun 10, 2021 23:29:00.080029964 CEST	8.8.8.8	192.168.2.5	0xcb08	No error (0)	stackpath.bootstrapcdn.com		104.18.10.207	A (IP address)	IN (0x0001)
Jun 10, 2021 23:29:00.080029964 CEST	8.8.8.8	192.168.2.5	0xcb08	No error (0)	stackpath.bootstrapcdn.com		104.18.11.207	A (IP address)	IN (0x0001)
Jun 10, 2021 23:29:16.172135115 CEST	8.8.8.8	192.168.2.5	0x8958	Name error (3)	favicon.ico	none	none	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jun 10, 2021 23:28:59.507980108 CEST	23.94.52.94	443	192.168.2.5	49712	CN=noname.vvtl-srv.xyz CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Mon May 24 08:28:37 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021	Sun Aug 22 08:28:37 CEST 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN=R3, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Fri Sep 04 02:00:00 CEST 2020	Mon Sep 15 18:00:00 CEST 2025
					CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Jan 20 20:14:03 CET 2021	Mon Sep 30 20:14:03 CEST 2024
Jun 10, 2021 23:28:59.528983116 CEST	23.94.52.94	443	192.168.2.5	49713	CN=noname.vvtl-srv.xyz CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Mon May 24 08:28:37 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021	Sun Aug 22 08:28:37 CEST 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN=R3, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Fri Sep 04 02:00:00 CEST 2020	Mon Sep 15 18:00:00 CEST 2025
					CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Jan 20 20:14:03 CET 2021	Mon Sep 30 20:14:03 CEST 2024
Jun 10, 2021 23:29:00.787708044 CEST	104.18.10.207	443	192.168.2.5	49715	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Mar 01 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Tue Mar 01 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jun 10, 2021 23:29:00.787708044 CEST	104.18.10.207	443	192.168.2.5	49715	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Jun 10, 2021 23:29:00.787985086 CEST	104.18.10.207	443	192.168.2.5	49714	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Mar 01 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Tue Mar 01 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jun 10, 2021 23:29:00.787985086 CEST	104.18.10.207	443	192.168.2.5	49714	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 6320 Parent PID: 792

General

Start time:	23:28:56
Start date:	10/06/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff789cb0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6380 Parent PID: 6320

General

Start time:	23:28:57
Start date:	10/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6320 CREDAT:17410 /prefetch:2
Imagebase:	0x1280000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report _VM0_03064853.HtM

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

Signature Overview

Phishing:

Compliance:

Networking:

System Summary:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 6320 Parent PID: 792

General

Analysis Process: iexplore.exe PID: 6380 Parent PID: 6320

General

Disassembly