Create Interactive Tour

Analysis Report http://linkprotect.cudasvc.com

Overview

General Information

Sample URL:	http://linkprotect.cudasvc.com
Analysis ID:	354402
Most interesting Screenshot:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Queries the volume information (name, serial number etc) of a device

Classification

Startup

System is w10x64

cmd.exe (PID: 6524 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://linkprotect.cudasvc.com' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

wget.exe (PID: 6564 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://linkprotect.cudasvc.com' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)

iexplore.exe (PID: 6812 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\index.html MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6864 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6812 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Compliance
• Networking
• System Summary
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Networking:

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: */*Accept-Encoding: identityHost: linkprotect.cudasvc.comConnection: Keep-Alive

Source: msapplication.xml0.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x173b76d4,0x01d705ac</date><accdate>0x173b76d4,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x173b76d4,0x01d705ac</date><accdate>0x173b76d4,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x173dd914,0x01d705ac</date><accdate>0x173dd914,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x173dd914,0x01d705ac</date><accdate>0x173dd914,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x17403b62,0x01d705ac</date><accdate>0x17403b62,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x17403b62,0x01d705ac</date><accdate>0x17403b62,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: linkprotect.cudasvc.com

Source: wget.exe, 00000002.00000002.220538093.0000000000B10000.00000004.00000020.sdmp	String found in binary or memory: http://linkprotect.cudasvc.com
Source: wget.exe, 00000002.00000002.220522465.0000000000AC5000.00000004.00000040.sdmp, cmdline.out.2.dr	String found in binary or memory: http://linkprotect.cudasvc.com/
Source: wget.exe, 00000002.00000002.220518369.0000000000AC0000.00000004.00000040.sdmp	String found in binary or memory: http://linkprotect.cudasvc.com/vc.com
Source: msapplication.xml.4.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.4.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.4.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.4.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.4.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.4.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.4.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.4.dr	String found in binary or memory: http://www.youtube.com/

System Summary:

Source: classification engine

Classification label: clean0.win@7/15@1/1

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\cmdline.out

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_01

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF6F7DB8435D169CFC.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://linkprotect.cudasvc.com' > cmdline.out 2>&1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://linkprotect.cudasvc.com'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\index.html
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6812 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://linkprotect.cudasvc.com'	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6812 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Windows\SysWOW64\wget.exe

Queries volume information: C:\Users\user\Desktop\download VolumeInformation

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Non-Application Layer Protocol2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	System Information Discovery11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Remote System Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://linkprotect.cudasvc.com	0%	Virustotal		Browse
http://linkprotect.cudasvc.com	0%	Avira URL Cloud	safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
linkprotect.cudasvc.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://linkprotect.cudasvc.com/vc.com	0%	Avira URL Cloud	safe
http://linkprotect.cudasvc.com/	0%	Virustotal		Browse
http://linkprotect.cudasvc.com/	0%	Avira URL Cloud	safe

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
linkprotect.cudasvc.com	52.57.231.177	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://linkprotect.cudasvc.com/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.wikipedia.com/	msapplication.xml6.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.com/	msapplication.xml.4.dr	false		high
http://www.nytimes.com/	msapplication.xml3.4.dr	false		high
http://www.live.com/	msapplication.xml2.4.dr	false		high
http://www.reddit.com/	msapplication.xml4.4.dr	false		high
http://www.twitter.com/	msapplication.xml5.4.dr	false		high
http://linkprotect.cudasvc.com	wget.exe, 00000002.00000002.220538093.0000000000B10000.00000004.00000020.sdmp	false		unknown
http://linkprotect.cudasvc.com/vc.com	wget.exe, 00000002.00000002.220518369.0000000000AC0000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://www.youtube.com/	msapplication.xml7.4.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
52.57.231.177	unknown	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	354402
Start date:	17.02.2021
Start time:	20:09:50
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	urldownload.jbs
Sample URL:	http://linkprotect.cudasvc.com
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@7/15@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.54.113.53, 40.88.32.150, 52.255.188.83, 104.43.139.144, 88.221.62.148, 184.30.24.56, 51.104.144.132, 92.122.213.247, 92.122.213.194, 152.199.19.161, 20.54.26.129, 93.184.221.240, 51.103.5.159, 51.104.139.180 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, vip1-par02p.wns.notify.trafficmanager.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, ie9comview.vo.msecnd.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, cs9.wpc.v0cdn.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{421CBA58-719F-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	24152
Entropy (8bit):	1.757905421203335
Encrypted:	false
SSDEEP:	48:Iw0GcprdGwpL7G/ap8IGIpcemGxGvnZpve/GvHZp9eNoGoNiqpve0Go4J0KpcqPx:roZHZb2oWXrtBfb7tcJ0KWx086
MD5:	C27BDD75DAC973DA72D0D1938E91174A
SHA1:	EA3011A15FF30803E6C1FAAA48306051F963343A
SHA-256:	1B2E63495B338AED306BEC3433DF750E14F15C572C62E808C9F66D7B756463D6
SHA-512:	0BFE8CA76F5CA8AF09B79CF0566377ED49C33328D4733737C9D56D80630408D11DE9C71D556BED1FF233F785809D7EB6B1AF851F0038E9BB6CF627B62C32A896
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{421CBA5A-719F-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	23772
Entropy (8bit):	1.7396765922993924
Encrypted:	false
SSDEEP:	48:IwpGcprAGwpawG4pQ/GrHpbSoTGQp7SqGPYpAIGSXpYYGAEpId3GI0pjk93GFpR:rvZIQw6+BS0hSSKmSQECdU1kUL
MD5:	153DD3C954034A3C9165C96A6EEDECA7
SHA1:	D125F5AD851DBF68C46271ED97A9452276BD61E9
SHA-256:	77BE51BE7909FAE8790C7BF7FFFCD94511B499FF8E209D632E3A934C7EC5D3B1
SHA-512:	7BE9B920781FF178EA157FBCAC23CA50F2039F9335879A0AD02E06800FAB097FD33B3EE22E57C96B75D37C2C0376F1BBD4A80F2C95CCFA9726E7145E4592A179
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.058056409597284
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEAjQcjCnWimI002EtM3MHdNMNxOEAjQcjCnWimI00ONVbkEtMb:2d6NxOFQYCSZHKd6NxOFQYCSZ7Qb
MD5:	D7B725D89BE2C93037FFA0AAD7FB9ED6
SHA1:	050F478B4B9B12ECCD80A1A832194A0F4EB5F263
SHA-256:	FD538E023D4AAA3E3565566E4051015925B93BF28B01D0F42D3FC36EF718D25A
SHA-512:	9E14AD92E5C31203ED246ECF259D2DD5A6FFB1D7711CDE532908F9FEFE519DBC108B82E44B705D5B0F010CB59DCB3C7E53871D62244DE602AE5B311F765695C9
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x173dd914,0x01d705ac</date><accdate>0x173dd914,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x173dd914,0x01d705ac</date><accdate>0x173dd914,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.1049070351567165
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2k8FIZnWimI002EtM3MHdNMNxe2k8FIZnWimI00ONkak6EtMb:2d6NxrNaSZHKd6NxrNaSZ72a7b
MD5:	98CAADE3CAE7BC8C557FE6EA37955C33
SHA1:	6009CF8010F9B24CC153AFCCEAF9C3A38282D544
SHA-256:	526174169EA3B373EED0BD1D42A14D87789B660234823037AC3FB0A014D333EF
SHA-512:	79170B25C905BAC76956254A88A7C16C2E982A4190111E87CC240C715ABC43E3B31E82846CA12DACB51CC8F82E21730C45E1C4CE350AE76E6A284E4BB40FAE03
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x17391461,0x01d705ac</date><accdate>0x17391461,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x17391461,0x01d705ac</date><accdate>0x17391461,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	663
Entropy (8bit):	5.075138379963591
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLAjQcjCnWimI002EtM3MHdNMNxvLAjQcjCnWimI00ONmZEtMb:2d6Nxv4QYCSZHKd6Nxv4QYCSZ7Ub
MD5:	DB420FEDF2C771023782A9AF3FEE5073
SHA1:	2A1911D058EA83D35F5BF286BFEEB5980575C584
SHA-256:	A5253CF6481C3ABAE76A89867CC9B100F27DF45778B71B49BC3B57A4A7E29CFF
SHA-512:	29F2D535C7B03D21D69480517FE8623C4F8FE0EFF78DD2B71A31D44487B80DE3CD8CA47306BE879B4B30FFAF8EC7151D267C97F442B8CB1F322FA748BF4D96B7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x173dd914,0x01d705ac</date><accdate>0x173dd914,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x173dd914,0x01d705ac</date><accdate>0x173dd914,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	648
Entropy (8bit):	5.087645812074439
Encrypted:	false
SSDEEP:	12:TMHdNMNxinQjCnWimI002EtM3MHdNMNxinQjCnWimI00ONd5EtMb:2d6Nx0QjCSZHKd6Nx0QjCSZ7njb
MD5:	DC2BD4E2A2917DCBD636E8BB820B2255
SHA1:	5D668CD1A6F5A651C8ED397028C301582F9717CA
SHA-256:	764AD43E0F861D2F7189FCE8219EE9698C00C542E5D258EDFFA0C12234F3C1DF
SHA-512:	75A241EDAACD5DB78CE93411132FCD3B0D4A87B041E315B19B423BDBC5F91C13C3367B511515505F03A3ABC859C1EE30EF5CCE3A2E214067E2D27E45B80B208C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x173b76d4,0x01d705ac</date><accdate>0x173b76d4,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x173b76d4,0x01d705ac</date><accdate>0x173b76d4,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.118057043984281
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwEVcQV+nWimI002EtM3MHdNMNxhGwEVcQV+nWimI00ON8K075EtMb:2d6NxQjVcQV+SZHKd6NxQjVcQV+SZ7uV
MD5:	5D3D57212C79C18577C5F104FF936740
SHA1:	9F5EE79EF6A1C5EF8DD9F40095A3EF3E8FAF20BB
SHA-256:	815139E249BC951235CECEADF30E8BF74F76523BAFF288ADEC19AA82C1081480
SHA-512:	6103726320C0C07B9331AF5766FE860D859AD9175AFB8F8F15DFE17A85370087CD47725D35222E199271418FD65E1D78AD3A1DE1A5FE89F3839981C400CE2B02
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x17403b62,0x01d705ac</date><accdate>0x17403b62,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x17403b62,0x01d705ac</date><accdate>0x17403b62,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.05695914020753
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nAjQcjCnWimI002EtM3MHdNMNx0nAjQcjCnWimI00ONxEtMb:2d6Nx00QYCSZHKd6Nx00QYCSZ7Vb
MD5:	C5EF45A46794F6E78C211C7C78137A70
SHA1:	E77EC9C465FFD0B19A70739886C232CB01826CFC
SHA-256:	8685243375D9116940F398554C966315D0DDFE622A78590754E0056F419D158A
SHA-512:	84D9524BB1C97CA83A41B486E0CD5A2A57910D36F1AF16DA76CEEA9C63444D05C8CC474E4B9EA27A0C2FB098E5833FB94F84DC8A7CD8E11D298FD2C4C17A4E1B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x173dd914,0x01d705ac</date><accdate>0x173dd914,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x173dd914,0x01d705ac</date><accdate>0x173dd914,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.114689391865986
Encrypted:	false
SSDEEP:	12:TMHdNMNxxnQjCnWimI002EtM3MHdNMNxxnQcjCnWimI00ON6Kq5EtMb:2d6NxtQjCSZHKd6NxtQYCSZ7ub
MD5:	DE31FF7769452F9EFEDE4AC1629A11EE
SHA1:	5B3EEC5E19547A00B637FFEC3E02905901D64EB4
SHA-256:	447813F14D072B2049E902212E4E50830BD973650F50404DAE3DC27E5E09663B
SHA-512:	0460DE5B1156694156B51144D3C14D22B61FD666D2B6D482F73C58F455EDF0FDEDAA5FDE8642C2DCDCDFF054E1E7B6772EC7ED656A6D26238F6C53B9EAC816F0
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x173b76d4,0x01d705ac</date><accdate>0x173b76d4,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x173b76d4,0x01d705ac</date><accdate>0x173dd914,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	660
Entropy (8bit):	5.088144036457147
Encrypted:	false
SSDEEP:	12:TMHdNMNxcnQjCnWimI002EtM3MHdNMNxcnQjCnWimI00ONVEtMb:2d6NxaQjCSZHKd6NxaQjCSZ71b
MD5:	E2C71C59D5A8DB841B16B2B7486B768C
SHA1:	CC1616A1A5317CD39D35D2AF8C5D427538227A56
SHA-256:	E942A22D54B8A2DA7F23FDBBB7DC341A6D612D89F6E54BBD97863A45D90EE97D
SHA-512:	7694C17DEF4A9E8DE86EB6662D052B664590EBCEBB0BFD591D3DDD972D91A2AD34DF79250DAD0D2A9183B44585976C535196F67B39F1D554C2DCA792473795CE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x173b76d4,0x01d705ac</date><accdate>0x173b76d4,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x173b76d4,0x01d705ac</date><accdate>0x173b76d4,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.073120949499759
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnnQjCnWimI002EtM3MHdNMNxfnnQjCnWimI00ONe5EtMb:2d6NxvQjCSZHKd6NxvQjCSZ7Ejb
MD5:	F5A48708F364C5DBD0C7453B34252266
SHA1:	3337FD3945EA05DBF5D0CB02233D0F654135A86E
SHA-256:	C3FB8BA725463402AA210168996DB73234E665BD6A8A59CCF0DA8B69749D3C78
SHA-512:	5A1C08142D0043DBBAABCB40D949FC2169E7394BAEC30BC7E6D48474F3EAAEEDDB00FCFB0F1F99F0285BC4EDD5E561DCC5E506638E0247BAA8D96443C6CD127F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x173b76d4,0x01d705ac</date><accdate>0x173b76d4,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x173b76d4,0x01d705ac</date><accdate>0x173b76d4,0x01d705ac</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Temp\~DF2AC8FBD26491883C.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	34721
Entropy (8bit):	0.4529231694709768
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTq9lTK9lSSV9lSS19lK69lKa9lbUi9lbUS9lT:kBqoxKA2HSUSc/uXntDykS8
MD5:	273CFDF797FC668C2D0209CDDD23092F
SHA1:	CC1B3ADA9F94CACA64EE446880E017EE2AB1FA40
SHA-256:	CE90EFE00B991A89B80254FC89D733BB99AC5BF73ECDCC60B671CB4175135BA1
SHA-512:	C64B531ACC3FAF3CDEF999B73CA45AA3B286EFAE7CCB4143D605A5A276D261D78A120F023E238A07D03F54C39D3C50C37792E0D717D7E452592ACDD78EB5EAC7
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF6F7DB8435D169CFC.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12965
Entropy (8bit):	0.42003979176985395
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loE9loU9lWA1bpQDPc:kBqoIv5+bpQDPc
MD5:	F714053929B5D49BD76D319F6C89CEC3
SHA1:	D544F5E11F49230FA513F5D4688CC8E9AD03F1BC
SHA-256:	CFC2F2F76093B382CF6371771673B59CC9425CB10E6480DE43FD3EB214859342
SHA-512:	2A41DCA72E16249517723C1526C1B8A9970551FAF156923943ADD5D501CA97D31866EA0A8F211B0CA4956244F421437A3E1A2BA43EE3FC749274886E64BBAFE6
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\cmdline.out Download File
Process:	C:\Windows\SysWOW64\wget.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	559
Entropy (8bit):	5.015273468922649
Encrypted:	false
SSDEEP:	12:H41Fb1De5RhKWU61DbV3JRbKjVov/DWGCiV3JRbKjVNz:Y1ZxePgWU61NPbWVAWGCQPbWVt
MD5:	E2C4F56C670E733717223F43F4AC7592
SHA1:	08119CE944D9928280F7817DC63770A607B3BB37
SHA-256:	EEC54954ACDE7E4EFA5EDF00AC0A5EA3BB940AF6A111C8A73182C707982E3155
SHA-512:	B781EFA5B9870AC40803D00898B38DF16DFCEFE0766F9B30C58FD13EE791D41A3DD4E3F548F88370ACC134DD0DA2505204468FBF6769F2A75B1479ADEAAE8805
Malicious:	false
Reputation:	low
Preview:	--2021-02-17 20:10:37-- http://linkprotect.cudasvc.com/..Resolving linkprotect.cudasvc.com (linkprotect.cudasvc.com)... 52.57.231.177, 3.127.56.120..Connecting to linkprotect.cudasvc.com (linkprotect.cudasvc.com)\|52.57.231.177\|:80... connected...HTTP request sent, awaiting response... 200 OK..Length: 22 [text/html]..Saving to: 'C:/Users/user/Desktop/download/index.html'.... 0K 100% 29.3K=0.001s....2021-02-17 20:10:37 (29.3 KB/s) - 'C:/Users/user/Desktop/download/index.html' saved [22/22]....

C:\Users\user\Desktop\download\index.html Download File
Process:	C:\Windows\SysWOW64\wget.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	3.754441845713345
Encrypted:	false
SSDEEP:	3:ZOQmGR:0QmGR
MD5:	4A3A21E9E06DC64B3F2B1BBC6ADD532F
SHA1:	7742E5E646859724B3CE58A5C60A7DF897A25C22
SHA-256:	B3302D798DB9B78D1467F6B240A7C5B6F11CA83FCCC7A8CAAB14A630D4CCEBC0
SHA-512:	DA94474FF6AD3A01143A185434F1A47E95DE215220D3169E54AC8454B8E3E28C40C66EB3C37CFEB80530A98875C604EF3426B8134438C32EC8B5499D5D41CD93
Malicious:	false
Reputation:	low
Preview:	Barracuda Link Protect

Static File Info

No static file info

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 36
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 17, 2021 20:10:37.851130962 CET	49718	80	192.168.2.5	52.57.231.177
Feb 17, 2021 20:10:37.892729998 CET	80	49718	52.57.231.177	192.168.2.5
Feb 17, 2021 20:10:37.892867088 CET	49718	80	192.168.2.5	52.57.231.177
Feb 17, 2021 20:10:37.894326925 CET	49718	80	192.168.2.5	52.57.231.177
Feb 17, 2021 20:10:37.935559988 CET	80	49718	52.57.231.177	192.168.2.5
Feb 17, 2021 20:10:37.936146021 CET	80	49718	52.57.231.177	192.168.2.5
Feb 17, 2021 20:10:37.981797934 CET	49718	80	192.168.2.5	52.57.231.177
Feb 17, 2021 20:10:38.273525000 CET	49718	80	192.168.2.5	52.57.231.177

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 17, 2021 20:10:30.420521975 CET	54795	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:10:30.479372025 CET	53	54795	8.8.8.8	192.168.2.5
Feb 17, 2021 20:10:30.589962959 CET	49557	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:10:30.647211075 CET	53	49557	8.8.8.8	192.168.2.5
Feb 17, 2021 20:10:31.429851055 CET	61733	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:10:31.478574038 CET	53	61733	8.8.8.8	192.168.2.5
Feb 17, 2021 20:10:32.323035002 CET	65447	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:10:32.374670982 CET	53	65447	8.8.8.8	192.168.2.5
Feb 17, 2021 20:10:33.119308949 CET	52441	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:10:33.168123007 CET	53	52441	8.8.8.8	192.168.2.5
Feb 17, 2021 20:10:34.037091017 CET	62176	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:10:34.093991995 CET	53	62176	8.8.8.8	192.168.2.5
Feb 17, 2021 20:10:35.170001030 CET	59596	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:10:35.221786022 CET	53	59596	8.8.8.8	192.168.2.5
Feb 17, 2021 20:10:35.960870028 CET	65296	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:10:36.012506962 CET	53	65296	8.8.8.8	192.168.2.5
Feb 17, 2021 20:10:37.463808060 CET	63183	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:10:37.512617111 CET	53	63183	8.8.8.8	192.168.2.5
Feb 17, 2021 20:10:37.780383110 CET	60151	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:10:37.843050003 CET	53	60151	8.8.8.8	192.168.2.5
Feb 17, 2021 20:10:38.533117056 CET	56969	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:10:38.584698915 CET	53	56969	8.8.8.8	192.168.2.5
Feb 17, 2021 20:10:40.069272041 CET	55161	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:10:40.130603075 CET	53	55161	8.8.8.8	192.168.2.5
Feb 17, 2021 20:10:58.379581928 CET	54757	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:10:58.443594933 CET	53	54757	8.8.8.8	192.168.2.5
Feb 17, 2021 20:11:01.327341080 CET	49992	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:11:01.376121998 CET	53	49992	8.8.8.8	192.168.2.5
Feb 17, 2021 20:11:07.254704952 CET	60075	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:11:07.313750029 CET	53	60075	8.8.8.8	192.168.2.5
Feb 17, 2021 20:11:10.068995953 CET	55016	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:11:10.117837906 CET	53	55016	8.8.8.8	192.168.2.5
Feb 17, 2021 20:11:10.788084030 CET	64345	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:11:10.837275028 CET	53	64345	8.8.8.8	192.168.2.5
Feb 17, 2021 20:11:11.064356089 CET	55016	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:11:11.113111019 CET	53	55016	8.8.8.8	192.168.2.5
Feb 17, 2021 20:11:11.782371044 CET	64345	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:11:11.831043959 CET	53	64345	8.8.8.8	192.168.2.5
Feb 17, 2021 20:11:12.064201117 CET	55016	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:11:12.113513947 CET	53	55016	8.8.8.8	192.168.2.5
Feb 17, 2021 20:11:12.797512054 CET	64345	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:11:12.846574068 CET	53	64345	8.8.8.8	192.168.2.5
Feb 17, 2021 20:11:14.079025030 CET	55016	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:11:14.127655983 CET	53	55016	8.8.8.8	192.168.2.5
Feb 17, 2021 20:11:14.813795090 CET	64345	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:11:14.871339083 CET	53	64345	8.8.8.8	192.168.2.5
Feb 17, 2021 20:11:18.094708920 CET	55016	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:11:18.143446922 CET	53	55016	8.8.8.8	192.168.2.5
Feb 17, 2021 20:11:18.237629890 CET	57128	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:11:18.302758932 CET	53	57128	8.8.8.8	192.168.2.5
Feb 17, 2021 20:11:18.829340935 CET	64345	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:11:24.914387941 CET	54791	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:11:24.966063023 CET	53	54791	8.8.8.8	192.168.2.5
Feb 17, 2021 20:11:26.367531061 CET	50463	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:11:26.419462919 CET	53	50463	8.8.8.8	192.168.2.5
Feb 17, 2021 20:11:27.920979023 CET	50394	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:11:27.969691038 CET	53	50394	8.8.8.8	192.168.2.5
Feb 17, 2021 20:11:30.903167963 CET	58530	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:11:30.976171017 CET	53	58530	8.8.8.8	192.168.2.5
Feb 17, 2021 20:11:30.986126900 CET	53813	53	192.168.2.5	8.8.8.8
Feb 17, 2021 20:11:31.048196077 CET	53	53813	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 17, 2021 20:10:37.780383110 CET	192.168.2.5	8.8.8.8	0x9218	Standard query (0)	linkprotect.cudasvc.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 17, 2021 20:10:37.843050003 CET	8.8.8.8	192.168.2.5	0x9218	No error (0)	linkprotect.cudasvc.com		52.57.231.177	A (IP address)	IN (0x0001)
Feb 17, 2021 20:10:37.843050003 CET	8.8.8.8	192.168.2.5	0x9218	No error (0)	linkprotect.cudasvc.com		3.127.56.120	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

linkprotect.cudasvc.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49718	52.57.231.177	80	C:\Windows\SysWOW64\wget.exe

Timestamp	kBytes transferred	Direction	Data
Feb 17, 2021 20:10:37.894326925 CET	1102	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Accept: / Accept-Encoding: identity Host: linkprotect.cudasvc.com Connection: Keep-Alive
Feb 17, 2021 20:10:37.936146021 CET	1103	IN	HTTP/1.1 200 OK Cache-Control: max-age=0, no-cache, no-store, must-revalidate Content-Security-Policy: default-src 'self'; style-src 'self' fonts.googleapis.com; font-src 'self' fonts.gstatic.com; frame-src 'self'; frame-ancestors 'none' Content-Type: text/html Date: Wed, 17 Feb 2021 19:10:37 GMT Expires: -1 Pragma: no-cache Referrer-Policy: no-referrer Server: nginx Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Content-Length: 22 Connection: keep-alive Data Raw: 42 61 72 72 61 63 75 64 61 20 4c 69 6e 6b 20 50 72 6f 74 65 63 74 Data Ascii: Barracuda Link Protect

Code Manipulations

Statistics

CPU Usage

• cmd.exe
• conhost.exe
• wget.exe
• iexplore.exe
• iexplore.exe

Click to jump to process

Memory Usage

• cmd.exe
• conhost.exe
• wget.exe
• iexplore.exe
• iexplore.exe

Click to jump to process

High Level Behavior Distribution

• File
• Network

Click to dive into process behavior distribution

Behavior

• cmd.exe
• conhost.exe
• wget.exe
• iexplore.exe
• iexplore.exe

Click to jump to process

System Behavior

Analysis Process: cmd.exe PID: 6524 Parent PID: 3904

Function Logs

General

Start time:	20:10:35
Start date:	17/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://linkprotect.cudasvc.com' > cmdline.out 2>&1
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Created

File Attributes Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Process Activities

Process Created

Process Information Set

Show Windows behavior

Thread Activities

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: conhost.exe PID: 6532 Parent PID: 6524

Function Logs

General

Start time:	20:10:36
Start date:	17/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

File Attributes Queried

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: wget.exe PID: 6564 Parent PID: 6524

Function Logs

General

Start time:	20:10:37
Start date:	17/02/2021
Path:	C:\Windows\SysWOW64\wget.exe
Wow64 process (32bit):	true
Commandline:	wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://linkprotect.cudasvc.com'
Imagebase:	0x400000
File size:	3895184 bytes
MD5 hash:	3DADB6E2ECE9C4B3E1E322E617658B60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Created

Device IO

Show Windows behavior

Section Activities

Thread Activities

Thread Created

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Windows UI Activities

Show Windows behavior

Network Activities

Socket bound

Socket connected

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: iexplore.exe PID: 6812 Parent PID: 5828

Function Logs

General

Start time:	20:10:39
Start date:	17/02/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\index.html
Imagebase:	0x7ff6a5810000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Network Activities

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: iexplore.exe PID: 6864 Parent PID: 6812

Function Logs

General

Start time:	20:10:40
Start date:	17/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6812 CREDAT:17410 /prefetch:2
Imagebase:	0xb50000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Show Windows behavior

Network Activities

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net . Adversaries may also use local host files (ex: `C:\Windows\System32\Drivers\etc\hosts` or `/etc/hosts` ) in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report http://linkprotect.cudasvc.com

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Networking:

System Summary:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: cmd.exe PID: 6524 Parent PID: 3904

General

File Activities

File Opened

File Created

File Attributes Queried

Volume Information Queried

Section Activities

Sections loaded by Windows

Process Activities

Process Created

Process Queried

Process Information Set

Process Terminated