Play interactive tour

Edit tour

Analysis Report https://apds.us-east-1.linodeobjects.com/redirect.html

Overview

General Information

Sample URL:	https://apds.us-east-1.linodeobjects.com/redirect.html
Analysis ID:	352148
Most interesting Screenshot:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Classification

Startup

System is w10x64

iexplore.exe (PID: 1152 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5876 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1152 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Compliance
• Networking
• System Summary

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: https://apds.us-east-1.linodeobjects.com/redirect.html

SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 45.56.104.115:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.56.104.115:443 -> 192.168.2.3:49718 version: TLS 1.2

Networking:

Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x883e573a,0x01d700f6</date><accdate>0x883e573a,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x883e573a,0x01d700f6</date><accdate>0x883e573a,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8840b971,0x01d700f6</date><accdate>0x8840b971,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8840b971,0x01d700f6</date><accdate>0x8840b971,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x88431bdf,0x01d700f6</date><accdate>0x88431bdf,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x88431bdf,0x01d700f6</date><accdate>0x88431bdf,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: apds.us-east-1.linodeobjects.com

Source: msapplication.xml.1.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr	String found in binary or memory: http://www.youtube.com/
Source: ~DF60B09430B299F44D.TMP.1.dr	String found in binary or memory: https://apds.us-east-1.linodeobjects.com/redirect.html
Source: {B2BDDC19-6CE9-11EB-90E4-ECF4BB862DED}.dat.1.dr	String found in binary or memory: https://apds.us-east-1.linodeobjects.com/redirect.htmlRoot
Source: redirect[1].htm.2.dr	String found in binary or memory: https://owxchngs.herokuapp.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 45.56.104.115:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.56.104.115:443 -> 192.168.2.3:49718 version: TLS 1.2

System Summary:

Source: classification engine

Classification label: mal48.win@3/16@2/1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF2135CBE33953F430.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1152 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1152 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://apds.us-east-1.linodeobjects.com/redirect.html	0%	Virustotal		Browse
https://apds.us-east-1.linodeobjects.com/redirect.html	0%	Avira URL Cloud	safe
https://apds.us-east-1.linodeobjects.com/redirect.html	100%	SlashNext	Fake Login Page type: Phishing & Social Engineering

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
us-east-1.linodeobjects.com	0%	Virustotal		Browse
apds.us-east-1.linodeobjects.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
https://owxchngs.herokuapp.com	0%	Virustotal		Browse
https://owxchngs.herokuapp.com	0%	Avira URL Cloud	safe
https://apds.us-east-1.linodeobjects.com/redirect.htmlRoot	0%	Avira URL Cloud	safe

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us-east-1.linodeobjects.com	45.56.104.115	true	false	0%, Virustotal, Browse	unknown
apds.us-east-1.linodeobjects.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
favicon.ico	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://apds.us-east-1.linodeobjects.com/redirect.html	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.wikipedia.com/	msapplication.xml6.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.com/	msapplication.xml.1.dr	false		high
http://www.nytimes.com/	msapplication.xml3.1.dr	false		high
http://www.live.com/	msapplication.xml2.1.dr	false		high
https://owxchngs.herokuapp.com	redirect[1].htm.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.reddit.com/	msapplication.xml4.1.dr	false		high
http://www.twitter.com/	msapplication.xml5.1.dr	false		high
http://www.youtube.com/	msapplication.xml7.1.dr	false		high
https://apds.us-east-1.linodeobjects.com/redirect.html	~DF60B09430B299F44D.TMP.1.dr	true		unknown
https://apds.us-east-1.linodeobjects.com/redirect.htmlRoot	{B2BDDC19-6CE9-11EB-90E4-ECF4BB862DED}.dat.1.dr	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.56.104.115	unknown	United States		63949	LINODE-APLinodeLLCUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	352148
Start date:	11.02.2021
Start time:	20:20:07
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://apds.us-east-1.linodeobjects.com/redirect.html
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.win@3/16@2/1
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, audiodg.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 52.255.188.83, 88.221.62.148, 51.11.168.160, 184.30.20.56, 152.199.19.161, 2.20.142.209, 2.20.142.210, 52.251.11.100 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, bn2eap.displaycatalog.md.mp.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, ie9comview.vo.msecnd.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, cs9.wpc.v0cdn.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B2BDDC17-6CE9-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	30296
Entropy (8bit):	1.8499427414694365
Encrypted:	false
SSDEEP:	384:rrWBKBofBoSdBoSlUBoSlDIBoSPJDUBoSPoDEBoSPocD2BoSPocDcc:q
MD5:	38FA5EB628F10F801774E6083B4D6EF9
SHA1:	EE5A040539EB2D4EC42C52583172383E9DC287A8
SHA-256:	B54B3A3E64425033F8DF03C4B4090EE64736CE5024F9DD85882675ED42DA5D11
SHA-512:	8CF7BA49AA2DD9CE701C43DB04C1F45071B27C53DAA03D01511BD8A3B261DA360E6E9B3F9AA25770ECDBE340DD218D767D74E270C5589908EF3EE0AD9AB5A548
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B2BDDC19-6CE9-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	24220
Entropy (8bit):	1.633517181116565
Encrypted:	false
SSDEEP:	48:Iw/7GcpraGwpaN1G4pQznGrapbStGQpBqGHHpcFtTGUp8FIGzYpmFNOGopL1rNxS:rJZCQ963BSXjx2FvWFMMFQF1rf1g
MD5:	1D5CD1386BC954DEA27F06DFC996CF66
SHA1:	DD3100AD2FEEA10DD9E14CA23FD44DF49CB1023D
SHA-256:	1A389E17E2110DE0F382AC4C62EF9A6BD7F2F739DB09A6D9543A5C6ABDB75D4D
SHA-512:	80EAC11C06BCB58999564271A7969299A86EA0EDF19FD7ED9EA1F790FE575E5C6F41CD34E13969E9C2042170418628DB2491FE8DE3E813618F781145053D6234
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B2BDDC1A-6CE9-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.5601350035299446
Encrypted:	false
SSDEEP:	48:IwxGcprcGwpaOG4pQSGrapbSPGQpKdG7HpRcTGIpG:rHZUQu6UBSZA8TIA
MD5:	5D3BF470CA9858AFE1B995BD5B156F8E
SHA1:	699405CD2C89448F756665EC086CCDBDBDB42EC2
SHA-256:	7DE6ED71F5E722A26476EB53306C697C25F3321C2DD12C9A66A457A999BFCE76
SHA-512:	492F516CBFEC460B20EA0E39A1289518C7BF5BC60D13855BFA71869938D6507D0788C116667372B7940AF944821A7F9FC041A4A4779AAFB6F4BF46F7C6BDCEA8
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.105974341376356
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEEwFwynWimI002EtM3MHdNMNxOEEwFwynWimI00ObVbkEtMb:2d6NxOBwFwySZHKd6NxOBwFwySZ76b
MD5:	45270642D0809968DE07A554204B64EE
SHA1:	E9615A76B4F2DD7F25C3D8A9A5091ED619A50765
SHA-256:	ECB7868771398D5D036E22876326DFEE583F29161049761420D291055BCE910A
SHA-512:	398B73BC6AB7AF3AB188D318782C6B666715E00C6F938E297157998C9FBE6E7A28A5FBDFC8B19CB2A096C31CD0DEBFBCED1562A049C6FB53A0EB40388D87D03E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8840b971,0x01d700f6</date><accdate>0x8840b971,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8840b971,0x01d700f6</date><accdate>0x8840b971,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.113896280500924
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kE1inWimI002EtM3MHdNMNxe2kE1inWimI00Obkak6EtMb:2d6Nxrh1iSZHKd6Nxrh1iSZ7Aa7b
MD5:	923D6DCCA107127F5250C8EF5601293B
SHA1:	D3BB16BA0AED9D36DB1E5A54CD5305036612BA53
SHA-256:	66420ED6E9729445DAFE932786422F7DC9C0149FE8BAD5EF0684181D534F72A2
SHA-512:	31421F9D0C42EA79B833D737C70792721FC6FEED8FB8566D17D52172A9DABC593F9B7EE4C0A94599AF917A11EA920DC1BE2665CECEBAD00C2DF2D6E8CDAFF0CF
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x883bf4c8,0x01d700f6</date><accdate>0x883bf4c8,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x883bf4c8,0x01d700f6</date><accdate>0x883bf4c8,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.125184589283341
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLEwFwynWimI002EtM3MHdNMNxvLEwFDE7nWimI00ObmZEtMb:2d6NxvIwFwySZHKd6NxvIwFaSZ7mb
MD5:	252E6CD2B9F5853B3EA538F77B8FFD2A
SHA1:	992940756D1F9AF6C1D3FB71F98D104545E06B67
SHA-256:	B9A434CD812251D8E038283453FFAAE13B10C2145D1D327D83ECE4297A0A88CE
SHA-512:	3AB64281453E6E89B924FBB29ACB1662E96470C0F2BA2EE718EDB694943379AA9690D796A980E1EE0DF41269800FAA77831C120619A041D7C21CA11DD9D63264
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x8840b971,0x01d700f6</date><accdate>0x8840b971,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x8840b971,0x01d700f6</date><accdate>0x88431bdf,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.086740024311339
Encrypted:	false
SSDEEP:	12:TMHdNMNxiEWoFWoynWimI002EtM3MHdNMNxiEWoFWoynWimI00Obd5EtMb:2d6NxfWoFWoySZHKd6NxfWoFWoySZ7J/
MD5:	621E22C78104C02C353F9DE68984047B
SHA1:	A078E1C66CEAB94E5C64BD1D212722A5858C5D35
SHA-256:	02500AA5C716D807F67A24EC37361D15FA6A4CCEB94C32F869F785AD49CBCCD5
SHA-512:	ECCD7D32798DF19F2B09D13BEA658AF42DB0B1F115AE61C3E6FEF15A3D6C9DE4DC921352B4A82BEAEB9A2E9AFA8C47C9E88B168BAC14A09B004BF5F0676D5FC4
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x883e573a,0x01d700f6</date><accdate>0x883e573a,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x883e573a,0x01d700f6</date><accdate>0x883e573a,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.12320059027592
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwEDEkDE7nWimI002EtM3MHdNMNxhGwEDEkDE7nWimI00Ob8K075Ety:2d6NxQttaSZHKd6NxQttaSZ7YKajb
MD5:	C68DD402917040A582B5C9807729BA5C
SHA1:	114A2DE4AF541EDF888C2C5A5F62B88C07AECBFC
SHA-256:	30145A97DE6EFA7A908735C120B712B8CB32BA3915C394A7C517D42A0E002B96
SHA-512:	270DDEB81BB745DD4EC288309B0908816FE6E78DD32133E90984148ADB3684AC20DB1A031B9C67107CF8AAFB993C86C1988DB4B9549A821CB132F27083EBBE3C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x88431bdf,0x01d700f6</date><accdate>0x88431bdf,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x88431bdf,0x01d700f6</date><accdate>0x88431bdf,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.109198595974789
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nEwFwynWimI002EtM3MHdNMNx0nEwFwynWimI00ObxEtMb:2d6Nx0EwFwySZHKd6Nx0EwFwySZ7nb
MD5:	7F03CB274E458BED0E6B0E3BF309F175
SHA1:	0D0D57B2A6C01712375F3CDC3AC43C3F0BD4E653
SHA-256:	16F5C579C77B655039CF2434A5D10F8017C63B568E959507AE3A84444AE3D5CF
SHA-512:	5AD3043FE64618011E67EFC4EB449792C9B82E910134AD93CB639FC9EB9E2A696778F1A03B6851A5F032350E82CFD33152DF9E53CBE7653AD2143896DA58D3C2
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x8840b971,0x01d700f6</date><accdate>0x8840b971,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x8840b971,0x01d700f6</date><accdate>0x8840b971,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.146398042647053
Encrypted:	false
SSDEEP:	12:TMHdNMNxxEwFwynWimI002EtM3MHdNMNxxEwFwynWimI00Ob6Kq5EtMb:2d6Nx2wFwySZHKd6Nx2wFwySZ7ob
MD5:	93C0144523D39FED3FA6FB911C05B9AF
SHA1:	927050F19E5D2314F7FE030B8CF08F28E75BCA02
SHA-256:	E5598C798F2E9288269FC0C0A622FB03984A2E8D209B91C403B3F6B49FFBA6EE
SHA-512:	88AF87F5D76B8DE300B4F7363237659B32C3C950BCC4FEAABFBF8E4DBF0A9BF25C41B9A9406E894CA68D1CEEF49FA5EF18802D8931561C8D610F4CE29B059BAA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x8840b971,0x01d700f6</date><accdate>0x8840b971,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x8840b971,0x01d700f6</date><accdate>0x8840b971,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.090909515100001
Encrypted:	false
SSDEEP:	12:TMHdNMNxcEWoFWoynWimI002EtM3MHdNMNxcEWoFWoynWimI00ObVEtMb:2d6NxJWoFWoySZHKd6NxJWoFWoySZ7Db
MD5:	589C134A4DB3447C98E931F5AE474CF8
SHA1:	3C85ADDFC60348408178EFBBC474BF6C33FC106D
SHA-256:	88CB76151B7E330C3A0C5112426C12D44FA0B7F459E9CE789F56794C9A0EE45E
SHA-512:	FFE631C3CED18B8338B8F3D467225AB509FCE18C22AA00693F793085911C0B075CE4911F6C698D0F38D7B78431224701AF904F5BB1EC61708F2F7466738C7C92
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x883e573a,0x01d700f6</date><accdate>0x883e573a,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x883e573a,0x01d700f6</date><accdate>0x883e573a,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.0726276362781375
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnEWoFWoynWimI002EtM3MHdNMNxfnEWoFWoynWimI00Obe5EtMb:2d6NxsWoFWoySZHKd6NxsWoFWoySZ7i/
MD5:	942BFF4ED05CF04699239B7DFF591DDF
SHA1:	5A63CAB51AEF92970DE35C697827C4AF3B1CA126
SHA-256:	B5CBE57B85E2C7CAB8B4202BA81F87BC3A647DB4FF34096CC9244AC24484AE80
SHA-512:	44A15D3F9A0C26BA7131EC03AA5BE355B4AC1436F1E8336949053DED23C0D0FB83B84D69971AD2AB5E51D6479586C1BF9282B07D299717CD161359E2039496EE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x883e573a,0x01d700f6</date><accdate>0x883e573a,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x883e573a,0x01d700f6</date><accdate>0x883e573a,0x01d700f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\redirect[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	493
Entropy (8bit):	4.834912337517154
Encrypted:	false
SSDEEP:	12:hPEhkACy7C/UMKLf7fyrL6220EmSMJLITySMWPGb:hPRCLH6rL6UqySMf
MD5:	2845AA52ED09EF2D3BD12CBE19E04A89
SHA1:	536FEAA9E1A0E53C22B3E63428338A47F44B1972
SHA-256:	1E48EDEC16D34A03AD9AAC988950618BBE3D6AEEA4207B05368208F32C4A3D03
SHA-512:	8E7913E22250E5AA908F4750F416055CBA1E63EA3350D3708F5A1612E5286653D0D1E40681831A07AEA65F00A2D48E3920A9CA95CA37E04284018AB7073D1A21
Malicious:	false
Reputation:	low
IE Cache URL:	https://apds.us-east-1.linodeobjects.com/redirect.html
Preview:	<!DOCTYPE html>..<html lang="en">..<head>.. <meta charset="UTF-8">.. <meta name="viewport" content="width=device-width, initial-scale=1.0">.. <title>REDIRECTING</title>..</head>..<body>.. <script>.. .. let url = 'https://owxchngs.herokuapp.com';.. .. const email = new URLSearchParams(location.search).get('email');.. if (email){.. url = url + '?email='+email;.. }.. location.replace(url).. </script>..</body>..</html>

C:\Users\user\AppData\Local\Temp\~DF15638CCE730377E2.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	25441
Entropy (8bit):	0.27918767598683664
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laA:kBqoxxJhHWSVSEab
MD5:	AB889A32AB9ACD33E816C2422337C69A
SHA1:	1190C6B34DED2D295827C2A88310D10A8B90B59B
SHA-256:	4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA
SHA-512:	BD250855747BB4CEC61814D0E44F810156D390E3E9F120A12935EFDF80ACA33C4777AD66257CCA4E4003FEF0741692894980B9298F01C4CDD2D8A9C7BB522FB6
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF2135CBE33953F430.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13029
Entropy (8bit):	0.47888686012744225
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loBVF9loBP9lWBoScKDScgocgocDco:kBqoIBQBuBoScKDScgocgocDco
MD5:	AF3ABD0EC5A54BA6B8C1C30B29A42187
SHA1:	AAA44F976704989B4696B8C631AFA40F24833DE5
SHA-256:	083F4A757416B701177DF7EE75753D0FFB26EF01E063A6E60252146373F00406
SHA-512:	3F616D5EE4868ED6369A6BE7EF490E53B60D71DADD5AD575BCEEA1102CFCDDB209EE993103BF71F90F0BAC2EEE2E30692F746BE1C86F413C26E5DF75C12C76F0
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF60B09430B299F44D.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	34413
Entropy (8bit):	0.35679171238736757
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwF9lwl9l2FV9l2FV9lB:kBqoxKAuvScS+WQFAFhFNIFNp1rNxF14
MD5:	147A29B931A98D0B488C3899E3B80F12
SHA1:	B7F074558A93F9FCC80950EB4F7635D687DF5F18
SHA-256:	6EFE79A894EDCC0D964F6BEC8ACD8AF93458A66C03907866C57F655D9E3F17B3
SHA-512:	9C880FBEEC719B0E52D7605F7AA17CEA26B416ACFE5693A18ED92B9FCDBEC7174881F4DC7886679A4864AC7EB07830E3D81238FF75E97CA80BAD231A022EE362
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 52
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 11, 2021 20:20:57.487493038 CET	49717	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:57.488174915 CET	49718	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:57.611442089 CET	443	49717	45.56.104.115	192.168.2.3
Feb 11, 2021 20:20:57.611488104 CET	443	49718	45.56.104.115	192.168.2.3
Feb 11, 2021 20:20:57.611599922 CET	49717	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:57.611661911 CET	49718	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:57.618062019 CET	49717	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:57.618158102 CET	49718	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:57.740168095 CET	443	49718	45.56.104.115	192.168.2.3
Feb 11, 2021 20:20:57.740211010 CET	443	49717	45.56.104.115	192.168.2.3
Feb 11, 2021 20:20:57.741727114 CET	443	49717	45.56.104.115	192.168.2.3
Feb 11, 2021 20:20:57.741767883 CET	443	49717	45.56.104.115	192.168.2.3
Feb 11, 2021 20:20:57.741797924 CET	443	49717	45.56.104.115	192.168.2.3
Feb 11, 2021 20:20:57.741875887 CET	49717	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:57.741930962 CET	49717	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:57.743360043 CET	443	49718	45.56.104.115	192.168.2.3
Feb 11, 2021 20:20:57.743401051 CET	443	49718	45.56.104.115	192.168.2.3
Feb 11, 2021 20:20:57.743431091 CET	443	49718	45.56.104.115	192.168.2.3
Feb 11, 2021 20:20:57.743539095 CET	49718	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:57.743592024 CET	49718	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:57.780242920 CET	49717	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:57.780286074 CET	49718	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:57.787945986 CET	49717	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:57.903662920 CET	443	49718	45.56.104.115	192.168.2.3
Feb 11, 2021 20:20:57.903743029 CET	49718	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:57.903867960 CET	443	49717	45.56.104.115	192.168.2.3
Feb 11, 2021 20:20:57.904004097 CET	49717	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:57.918543100 CET	443	49717	45.56.104.115	192.168.2.3
Feb 11, 2021 20:20:57.918725014 CET	49717	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:57.962397099 CET	443	49717	45.56.104.115	192.168.2.3
Feb 11, 2021 20:20:57.962570906 CET	49717	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:58.168999910 CET	49717	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:58.297746897 CET	443	49717	45.56.104.115	192.168.2.3
Feb 11, 2021 20:20:58.297846079 CET	49717	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:58.299017906 CET	49717	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:58.342015982 CET	443	49717	45.56.104.115	192.168.2.3
Feb 11, 2021 20:20:58.342195034 CET	49717	443	192.168.2.3	45.56.104.115
Feb 11, 2021 20:20:58.421808004 CET	443	49717	45.56.104.115	192.168.2.3
Feb 11, 2021 20:20:58.421957016 CET	49717	443	192.168.2.3	45.56.104.115

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 11, 2021 20:20:51.923475981 CET	65110	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:20:51.975022078 CET	53	65110	8.8.8.8	192.168.2.3
Feb 11, 2021 20:20:52.768841028 CET	58361	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:20:52.820602894 CET	53	58361	8.8.8.8	192.168.2.3
Feb 11, 2021 20:20:53.645001888 CET	63492	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:20:53.693646908 CET	53	63492	8.8.8.8	192.168.2.3
Feb 11, 2021 20:20:54.597033978 CET	60831	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:20:54.647531986 CET	53	60831	8.8.8.8	192.168.2.3
Feb 11, 2021 20:20:55.477087975 CET	60100	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:20:55.527875900 CET	53	60100	8.8.8.8	192.168.2.3
Feb 11, 2021 20:20:56.305133104 CET	53195	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:20:56.363836050 CET	53	53195	8.8.8.8	192.168.2.3
Feb 11, 2021 20:20:56.606189966 CET	50141	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:20:56.656296015 CET	53	50141	8.8.8.8	192.168.2.3
Feb 11, 2021 20:20:57.400681019 CET	53023	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:20:57.471004009 CET	53	53023	8.8.8.8	192.168.2.3
Feb 11, 2021 20:20:57.558717966 CET	49563	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:20:57.618663073 CET	53	49563	8.8.8.8	192.168.2.3
Feb 11, 2021 20:20:58.502022982 CET	51352	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:20:58.555598021 CET	53	51352	8.8.8.8	192.168.2.3
Feb 11, 2021 20:21:01.085074902 CET	59349	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:21:01.135871887 CET	53	59349	8.8.8.8	192.168.2.3
Feb 11, 2021 20:21:01.926112890 CET	57084	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:21:01.983169079 CET	53	57084	8.8.8.8	192.168.2.3
Feb 11, 2021 20:21:13.893389940 CET	58823	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:21:13.950628042 CET	53	58823	8.8.8.8	192.168.2.3
Feb 11, 2021 20:21:21.140662909 CET	57568	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:21:21.189323902 CET	53	57568	8.8.8.8	192.168.2.3
Feb 11, 2021 20:21:25.299669981 CET	50540	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:21:25.359957933 CET	53	50540	8.8.8.8	192.168.2.3
Feb 11, 2021 20:21:26.318655014 CET	54366	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:21:26.375672102 CET	53	54366	8.8.8.8	192.168.2.3
Feb 11, 2021 20:21:27.050801992 CET	53034	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:21:27.100817919 CET	53	53034	8.8.8.8	192.168.2.3
Feb 11, 2021 20:21:27.329832077 CET	54366	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:21:27.389419079 CET	53	54366	8.8.8.8	192.168.2.3
Feb 11, 2021 20:21:28.063885927 CET	53034	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:21:28.112740040 CET	53	53034	8.8.8.8	192.168.2.3
Feb 11, 2021 20:21:28.345556021 CET	54366	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:21:28.394296885 CET	53	54366	8.8.8.8	192.168.2.3
Feb 11, 2021 20:21:29.063412905 CET	53034	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:21:29.121007919 CET	53	53034	8.8.8.8	192.168.2.3
Feb 11, 2021 20:21:30.345966101 CET	54366	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:21:30.403183937 CET	53	54366	8.8.8.8	192.168.2.3
Feb 11, 2021 20:21:31.079015017 CET	53034	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:21:31.127780914 CET	53	53034	8.8.8.8	192.168.2.3
Feb 11, 2021 20:21:34.367379904 CET	54366	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:21:34.425858021 CET	53	54366	8.8.8.8	192.168.2.3
Feb 11, 2021 20:21:35.098031998 CET	53034	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:21:35.146750927 CET	53	53034	8.8.8.8	192.168.2.3
Feb 11, 2021 20:21:40.527472019 CET	57762	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:21:40.589328051 CET	53	57762	8.8.8.8	192.168.2.3
Feb 11, 2021 20:21:43.494111061 CET	55435	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:21:43.556556940 CET	53	55435	8.8.8.8	192.168.2.3
Feb 11, 2021 20:21:44.358345985 CET	50713	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:21:44.420578957 CET	53	50713	8.8.8.8	192.168.2.3
Feb 11, 2021 20:21:45.321896076 CET	56132	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:21:45.386368036 CET	53	56132	8.8.8.8	192.168.2.3
Feb 11, 2021 20:21:46.106184006 CET	58987	53	192.168.2.3	8.8.8.8
Feb 11, 2021 20:21:46.166330099 CET	53	58987	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 11, 2021 20:20:57.400681019 CET	192.168.2.3	8.8.8.8	0x9014	Standard query (0)	apds.us-east-1.linodeobjects.com	A (IP address)	IN (0x0001)
Feb 11, 2021 20:21:13.893389940 CET	192.168.2.3	8.8.8.8	0x2246	Standard query (0)	favicon.ico	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 11, 2021 20:20:57.471004009 CET	8.8.8.8	192.168.2.3	0x9014	No error (0)	apds.us-east-1.linodeobjects.com	us-east-1.linodeobjects.com		CNAME (Canonical name)	IN (0x0001)
Feb 11, 2021 20:20:57.471004009 CET	8.8.8.8	192.168.2.3	0x9014	No error (0)	us-east-1.linodeobjects.com		45.56.104.115	A (IP address)	IN (0x0001)
Feb 11, 2021 20:20:57.471004009 CET	8.8.8.8	192.168.2.3	0x9014	No error (0)	us-east-1.linodeobjects.com		45.79.137.127	A (IP address)	IN (0x0001)
Feb 11, 2021 20:20:57.471004009 CET	8.8.8.8	192.168.2.3	0x9014	No error (0)	us-east-1.linodeobjects.com		96.126.106.143	A (IP address)	IN (0x0001)
Feb 11, 2021 20:20:57.471004009 CET	8.8.8.8	192.168.2.3	0x9014	No error (0)	us-east-1.linodeobjects.com		97.107.137.245	A (IP address)	IN (0x0001)
Feb 11, 2021 20:20:57.471004009 CET	8.8.8.8	192.168.2.3	0x9014	No error (0)	us-east-1.linodeobjects.com		45.79.157.59	A (IP address)	IN (0x0001)
Feb 11, 2021 20:20:57.471004009 CET	8.8.8.8	192.168.2.3	0x9014	No error (0)	us-east-1.linodeobjects.com		173.255.231.96	A (IP address)	IN (0x0001)
Feb 11, 2021 20:21:13.950628042 CET	8.8.8.8	192.168.2.3	0x2246	Name error (3)	favicon.ico	none	none	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 11, 2021 20:20:57.741797924 CET	45.56.104.115	443	192.168.2.3	49717	CN=us-east-1.linodeobjects.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Dec 16 16:44:23 CET 2020 Wed Oct 07 21:21:40 CEST 2020	Tue Mar 16 16:44:23 CET 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 11, 2021 20:20:57.741797924 CET	45.56.104.115	443	192.168.2.3	49717	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		9e10692f1b7f78228b2d4e424db3a98c
Feb 11, 2021 20:20:57.743431091 CET	45.56.104.115	443	192.168.2.3	49718	CN=us-east-1.linodeobjects.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Dec 16 16:44:23 CET 2020 Wed Oct 07 21:21:40 CEST 2020	Tue Mar 16 16:44:23 CET 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 11, 2021 20:20:57.743431091 CET	45.56.104.115	443	192.168.2.3	49718	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

Statistics

CPU Usage

• iexplore.exe
• iexplore.exe

Click to jump to process

Memory Usage

• iexplore.exe
• iexplore.exe

Click to jump to process

Behavior

• iexplore.exe
• iexplore.exe

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 1152 Parent PID: 792

Function Logs

General

Start time:	20:20:55
Start date:	11/02/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff646f90000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Network Activities

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: iexplore.exe PID: 5876 Parent PID: 1152

Function Logs

General

Start time:	20:20:56
Start date:	11/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1152 CREDAT:17410 /prefetch:2
Imagebase:	0xd70000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Show Windows behavior

Network Activities

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report https://apds.us-east-1.linodeobjects.com/redirect.html

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 1152 Parent PID: 792

General

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Directory Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Registry Activities

Key Opened

Key Created

Key Value Created