Play interactive tour

Edit tour

Analysis Report https://urldefense.com/v3/https:/kenfill.co/DD/;!!KT1mMmMyND0!YjkdgwzuJK95QCU0ZIOK_9KXCsXihuX3Ee0Au_sacRmNU64inH4KLl8etCuzbBS5yjMGhETwmSo$

Overview

General Information

Sample URL:	https://urldefense.com/v3/__https:/kenfill.co/DD/__;!!KT1mMmMyND0!YjkdgwzuJK95QCU0ZIOK_9KXCsXihuX3Ee0Au_sacRmNU64inH4KLl8etCuzbBS5yjMGhETwmSo$
Analysis ID:	369325
Infos:
Most interesting Screenshot:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

Startup

System is w10x64

iexplore.exe (PID: 6052 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6108 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Compliance
• Networking
• System Summary

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 52.71.28.102:443 -> 192.168.2.3:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.71.28.102:443 -> 192.168.2.3:49698 version: TLS 1.2

Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x80110724,0x01d71aa5</date><accdate>0x80110724,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x80110724,0x01d71aa5</date><accdate>0x80110724,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8015cbcd,0x01d71aa5</date><accdate>0x8015cbcd,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8015cbcd,0x01d71aa5</date><accdate>0x8015cbcd,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8015cbcd,0x01d71aa5</date><accdate>0x8015cbcd,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8015cbcd,0x01d71aa5</date><accdate>0x8015cbcd,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: urldefense.com

Source: msapplication.xml.1.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr	String found in binary or memory: http://www.youtube.com/
Source: ~DF898D058EB67694B2.TMP.1.dr, {AA765229-8698-11EB-90E4-ECF4BB862DED}.dat.1.dr	String found in binary or memory: https://urldefense.com/jblocked?u=https%3A%2Fkenfill.co%2FDD%2F&c=tasconline_hosted&sig=WrVHYuTxcmEs

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698

Source: unknown	HTTPS traffic detected: 52.71.28.102:443 -> 192.168.2.3:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.71.28.102:443 -> 192.168.2.3:49698 version: TLS 1.2

Source: classification engine

Classification label: clean0.win@3/18@2/1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF610E2E71856BFF74.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://urldefense.com/v3/__https:/kenfill.co/DD/__;!!KT1mMmMyND0!YjkdgwzuJK95QCU0ZIOK_9KXCsXihuX3Ee0Au_sacRmNU64inH4KLl8etCuzbBS5yjMGhETwmSo$	0%	Avira URL Cloud	safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
https://urldefense.com/jblocked?u=https%3A%2Fkenfill.co%2FDD%2F&c=tasconline_hosted&sig=WrVHYuTxcmEs	0%	Avira URL Cloud	safe

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
urldefense.com	52.71.28.102	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://urldefense.com/jblocked?u=https%3A%2Fkenfill.co%2FDD%2F&c=tasconline_hosted&sig=WrVHYuTxcmEsW1G81tAam5eHNdrbRmefwNPE16yBPmlBZZDwc9IX1yGonl11UrQl	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.wikipedia.com/	msapplication.xml6.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.com/	msapplication.xml.1.dr	false		high
http://www.nytimes.com/	msapplication.xml3.1.dr	false		high
http://www.live.com/	msapplication.xml2.1.dr	false		high
http://www.reddit.com/	msapplication.xml4.1.dr	false		high
http://www.twitter.com/	msapplication.xml5.1.dr	false		high
http://www.youtube.com/	msapplication.xml7.1.dr	false		high
https://urldefense.com/jblocked?u=https%3A%2Fkenfill.co%2FDD%2F&c=tasconline_hosted&sig=WrVHYuTxcmEs	~DF898D058EB67694B2.TMP.1.dr, {AA765229-8698-11EB-90E4-ECF4BB862DED}.dat.1.dr	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
52.71.28.102	urldefense.com	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	369325
Start date:	16.03.2021
Start time:	13:45:38
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://urldefense.com/v3/__https:/kenfill.co/DD/__;!!KT1mMmMyND0!YjkdgwzuJK95QCU0ZIOK_9KXCsXihuX3Ee0Au_sacRmNU64inH4KLl8etCuzbBS5yjMGhETwmSo$
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@3/18@2/1
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, ielowutil.exe, svchost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.139.144, 172.227.100.57, 13.64.90.137, 168.61.161.212, 152.199.19.161, 23.57.80.111 Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ie9comview.vo.msecnd.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net, cs9.wpc.v0cdn.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AA765227-8698-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	30296
Entropy (8bit):	1.8536198468884053
Encrypted:	false
SSDEEP:	48:IwnGcpraGwpL7G/ap89GIpcqsmGvnZpvqstGoKqp9qs+Go4dpmqgQGWAQ9q5GWWD:rNZCZb2vWqwtqKfqAdMqhqfqZfqP8X
MD5:	17B1FD3B045D78C0FECBF3288CD35209
SHA1:	0E00AD18C3D687F4A1741EE4515598E657D043D2
SHA-256:	1FEEA4757B63647E3676CE768650CF49654F01CADC59F806652604A208B3F83D
SHA-512:	FE71B779DFA23EC94D9852386CCC66C168D8187D40B21592FD172ED675B211C3B156C396883609A5FEAEC33B250FCF0940EDDF85B9357ED7D3A5726A7F264123
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AA765229-8698-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	24416
Entropy (8bit):	1.6816038013369243
Encrypted:	false
SSDEEP:	48:IwgGcpr5Gwpa1G4pQpGrapbSdGQpBKGHHpc7TGUp8jGzYpmnNGop1Rf0yBFGsnpm:rEZzQn6JBSnjR2VW5M/7KyNg
MD5:	75D938E9B40BBA5D55FA70CA4E9DAF34
SHA1:	31FE7B9F5B083E31FE9F36171996BB7FBD90A95E
SHA-256:	C63FFA13D1E3EBE779699834DBE894BC78385F80C13A419CCB1EC8C9092D020F
SHA-512:	B9E09E3DBD276381E6DE39F40FDDF3B8BD5C690BC4A7F94EEAA78DE0CAC26FE9C8DEC3C65FE92E5AD3BBE51157058E045810BC3D5BA8067AABE80C42C81CA10B
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AA76522A-8698-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.5620703270764746
Encrypted:	false
SSDEEP:	48:Iw9sGcprBGwpaoG4pQY7GrapbSRGQpKLG7HpRwTGIpG:rWZbQ46qBSrAKTkA
MD5:	737569705B523AAB86EEF7B7845195AC
SHA1:	E6715E7194294F68541B917053010ED79929D77E
SHA-256:	EB5B27E4DC5506F560D7C4291A8E27A77A84B534BD8EF972B1665369CADD4FC5
SHA-512:	CA5D2ABF4F8233783A536D00BE909099B5D79FE05AF22431DB5E0809E0E9F67352CB757E5F768D136B61B9B6BAB0F1956297FE140FD8AB2C8483E25F58EC21DC
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.036138037329965
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEMgQgHnWimI002EtM3MHdNMNxOEMgQgHnWimI00ObVbkEtMb:2d6NxOJgQgHSZHKd6NxOJgQgHSZ76b
MD5:	1DE74CCCB9E3B312CB143DC51A4AFAD8
SHA1:	4F072FC9DB7FD0D0E5767BF709678678A6004DE6
SHA-256:	56A80CB2A756A7513D73CC480C50415881719DC702F0AA23E86CDB9C332AF9DD
SHA-512:	0ADF4D08D7FB1246E1E3ABE1BBFC653B016B22D56C0A9CA741855359713FECFB1A43D6A05E576A0C79E5CCA8AD3ECC3D22F9196CB350E7AB73882FF1FE43BCD7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8015cbcd,0x01d71aa5</date><accdate>0x8015cbcd,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8015cbcd,0x01d71aa5</date><accdate>0x8015cbcd,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.049550966427021
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kMXQXHnWimI002EtM3MHdNMNxe2kMXQXHnWimI00Obkak6EtMb:2d6NxrpXQXHSZHKd6NxrpXQXHSZ7Aa7b
MD5:	DFD4F8AEEB26568772A8EDB00598D5A6
SHA1:	B3CF7988E9F4A357E6593AF0EF8A45F52153A6A0
SHA-256:	1FD228FA29FB4F0604B04A1903ECB0675031ADCC47A8752C7DA7852704C6E45C
SHA-512:	92BE342ACDACD96444DB7293144031A77A42C7DEDB116C20D31B503C59B308008C6E004C1C0E804D997FB0E3CF71B0D60060C669B952B21FEF2C1AFB72BF58DE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x800ea4cd,0x01d71aa5</date><accdate>0x800ea4cd,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x800ea4cd,0x01d71aa5</date><accdate>0x800ea4cd,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.053769375095509
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLMgQgHnWimI002EtM3MHdNMNxvLMgQgHnWimI00ObmZEtMb:2d6NxvAgQgHSZHKd6NxvAgQgHSZ7mb
MD5:	1B66E7A943FB90C0D64A7CC21E621E57
SHA1:	8458AA5F5F5AF0447FE776E31C7DC3E05AD0105B
SHA-256:	9BEE0F5DA35E4A913CCB647A1EB79393DCDF55526AE8C6FC3FF00181A767BC80
SHA-512:	9D3455F09B02A1EC0155FBC6AC8E7D9EDB514510851239D2DD042FCE3B67F42538283BA80B554AD0EF275E602AF65D67C78F3ACD37D83DCC728E7A290575A261
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x8015cbcd,0x01d71aa5</date><accdate>0x8015cbcd,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x8015cbcd,0x01d71aa5</date><accdate>0x8015cbcd,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.111172769294188
Encrypted:	false
SSDEEP:	12:TMHdNMNxiM3XYQ3XYHnWimI002EtM3MHdNMNxiM3XYQ3XYHnWimI00Obd5EtMb:2d6NxX393iSZHKd6NxX393iSZ7Jjb
MD5:	C988E8E44D25A2C554C56C089940ADA4
SHA1:	F21FCE321CB0BAE1560BABA87E30FE142DFE2019
SHA-256:	47009541F6F7D652501AE9C39747EA5359DA3FA8DEC28F7D80B80E5C030A0249
SHA-512:	EF76A10BEB6DFD993344D0B3CF9634563132144198757E1A8B9A9E193367A0C203169ED06050F8088761AE3E84278A5EB00146F7A55306380B7F49DF9C221770
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x80136976,0x01d71aa5</date><accdate>0x80136976,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x80136976,0x01d71aa5</date><accdate>0x80136976,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.067238536878838
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwMgQgHnWimI002EtM3MHdNMNxhGwMgQgHnWimI00Ob8K075EtMb:2d6NxQlgQgHSZHKd6NxQlgQgHSZ7YKa/
MD5:	69A63FD708C20E4694AFCBE22B5F9384
SHA1:	F70854D5C98DD5DE45CD6DD22154447650C00D25
SHA-256:	FB26E58F9BF7F6AB7BE888B7124FE6E0E8B0E9E77609F8C9FD67A63DB5F9F6D9
SHA-512:	361BC1FFDE36A33EBDB05FB6A7CD1534FE0DD1832D2F02BFDF783367FD38E5C549C4FECE82B5AF21F73814B8BC616813DD9AAF0D06375D62B487B7567EE402EF
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8015cbcd,0x01d71aa5</date><accdate>0x8015cbcd,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8015cbcd,0x01d71aa5</date><accdate>0x8015cbcd,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.091136818836844
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nM3XYQ3XYHnWimI002EtM3MHdNMNx0nM3XYQgHnWimI00ObxEtMb:2d6Nx0M393iSZHKd6Nx0M39gHSZ7nb
MD5:	178FF9EB0C5BC8180979F5685F17A674
SHA1:	8558F77C24765BE9D8ED00C4D2616455FBEDF932
SHA-256:	742EAF70CDA6F2F41D198CB77D71F8B83C0C7986E2A87DD9906C43C694A9660A
SHA-512:	85BE0EF397A965DAA971B801983E27C60946BB22997BDEF703CE4789D7078F9E65FDA1999D80575498448C3CCED026D9667114348B085F7B960939E14C6DDB0A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x80136976,0x01d71aa5</date><accdate>0x80136976,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x80136976,0x01d71aa5</date><accdate>0x8015cbcd,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.135822699885881
Encrypted:	false
SSDEEP:	12:TMHdNMNxxM3XYQ3XYHnWimI002EtM3MHdNMNxxM3XYQ3XYHnWimI00Ob6Kq5EtMb:2d6Nx+393iSZHKd6Nx+393iSZ7ob
MD5:	1119C8B027688855D77B8D5DE150D7D9
SHA1:	877F066FB552665392F1F35E8187B30972AB3878
SHA-256:	E87318BC42A47FB781637D0F94702E6A1009AFD8F3879B8D5842D83246C5E83B
SHA-512:	CB223B05DBCA3084BC4F351A225677A33237F8FC25840C52CACB4741A43AFB3E4B2AF4CD232B2E8055ABDFF35B25DE5C7A4817DDFCABFB6BCE937B52E4647DAD
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x80136976,0x01d71aa5</date><accdate>0x80136976,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x80136976,0x01d71aa5</date><accdate>0x80136976,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.090872167682073
Encrypted:	false
SSDEEP:	12:TMHdNMNxcMTQTHnWimI002EtM3MHdNMNxcMTQTHnWimI00ObVEtMb:2d6NxBTQTHSZHKd6NxBTQTHSZ7Db
MD5:	1AF720DFCB7696FED9CACE67A8F35E7A
SHA1:	8963040799C135AF4D94FA921BA9E0842202F27C
SHA-256:	D9C3DAF5A67B1868EE559A6D34C20E5DCFDB1568F02F8C73CAACFFFC2EFE3E46
SHA-512:	789FCFFBBA917688B8B56E8DE282F0420965EADF8895D31CEDA3E8553854F12F0C482B35A2D4131E186B2403FD8E2A4845F28B45A815C4FDB56892044368259A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x80110724,0x01d71aa5</date><accdate>0x80110724,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x80110724,0x01d71aa5</date><accdate>0x80110724,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.096835884369872
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnM3XYQ3XYHnWimI002EtM3MHdNMNxfnM3XYQ3XYHnWimI00Obe5EtMb:2d6Nxk393iSZHKd6Nxk393iSZ7ijb
MD5:	44E754F124981ABA673E61682B60DD1F
SHA1:	2545C38E542944100DE06A7890A930117667B39F
SHA-256:	CFC469137AA2114BDF50D324E945CC4AC9043A98AF43EA312DBA65A04D3128E4
SHA-512:	9358DC4665A109A7A8AD804605B73FB0FF5B2B7321EDE0AE179F0DF82833EBB7C24B0E4D8C3C4CAAB0D8E837AF7ED58FA61D0D6CFD42CF463419C732E63D95BD
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x80136976,0x01d71aa5</date><accdate>0x80136976,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x80136976,0x01d71aa5</date><accdate>0x80136976,0x01d71aa5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\warning[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	4803
Entropy (8bit):	7.945415885603797
Encrypted:	false
SSDEEP:	96:bXPZaTvJQ6JqwminbkmNmxvkX76/rNQPQm0iPLfROzIya:L8jJFJqOkzxvczL0UbRO5a
MD5:	B69B8937C432C824243F1FF03FE4A169
SHA1:	CFF98ABE81FE41B5A2FAF269CB0F6859B616ED51
SHA-256:	8A552613C9B52A23149A7CEFE7C15C321E62162AED70E9A736E6C96BBB07BC5F
SHA-512:	75943C9F3728E8A7BB98D5C108C5F5B7982C3C18C559353B818A4BCE1EED8CD408B868964B853BAC42A8F3BC662AE242C91D344D1D53EC4F1048C4FA59AB2DAC
Malicious:	false
Reputation:	low
IE Cache URL:	https://urldefense.com/jasset/images/warning.png
Preview:	.PNG........IHDR...@...@......iq.....sRGB........}IDATx..y..U..?..~U..Z.'.t..:..$$!....DV.....[D...t.:.2...#g.....D..A.....9s...,.$!!Io.[u-..{w..u7.tc....v..._u.z.{......5...rX.._.....Z..._.".........._...n....&v.......(a.Rj......[.\|./.....nR6wk..@:SQA<Q.~:.H...Z./...Jw"1.N.o.........37N....3R).g.R.:)q..P....K....e.....X....\|.P..;._.p..]{>3..7....{U.....a4.%F...K&...Q...R..-_<o....].....Cj..'6.....:_....!.....1N.."..D.H..Q...L.\....t...o\|[z.7./..=.WO..Z5..t..!.X..2.B.......q5..5....../...2\|..s.y...o?..emF;R...MW.O.W....+.&...d.}.......x.A..a.a.>Z..g..t...{..m.......I..2.k<...Q.0..,\@../A....z.6\L.I.(..C..Q..j.d.(..1..o+..:...;:.WUVi,]N,o..(.B..khy.{q^.Q......}..;.BJ%<[.S%.KRQ[..:.N......-....kj.w.tu..iSD5@.E4.'..}.z....Y.8...5M.^...."!...).YS%.%...y.=..t.[........LoCbq,J..p...yT.x<.X.QT.V...u.O^.@G.%..z.j..>.m-.;.....4..6~&...)."U.A...\|.R@oI..!Q............JjW.!.La.%......i.2.'..}...6...`..?.V....[TJ%T.J..18...NX. ......."..0...E...I)....<

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\common[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	2864
Entropy (8bit):	5.139585964425596
Encrypted:	false
SSDEEP:	48:K/maEciRyMzMoKVJV1VAVMVwVJVNVZVMVoVcVqNHAVJV1VAVMVwVUVPVn5csN9Y5:5wiRJgo7NHut5csTUFPVLTP
MD5:	2FEC9CA2BE9C015E692928EB54429CA1
SHA1:	EAD795B071563A70FB00600551DDF1C7B2E2D07D
SHA-256:	080218E94B8FBE62AB1CBA4465CD549A03737E69C25F4FC375DA5AD9DC58DC35
SHA-512:	FA7DDE474AE3E0CBFA42E93C7D6836F66610D288FF02E9739BD7C749EDC9811CC9D34AE3D770E4F044C8BDE9C7F3D76C16CE68D3417F384BABEB2B82A85B2C29
Malicious:	false
Reputation:	low
IE Cache URL:	https://urldefense.com/jasset/stylesheets/common.css
Preview:	html{..min-height:100%;..background:#0094bc;..background:-moz-linear-gradient(#0094bc, #3dd6ff);..background:-ms-linear-gradient(#0094bc, #3dd6ff 100%);..background:-webkit-gradient(linear, left top, left bottom, from(#0094bc), to(#3dd6ff));..background:-webkit-linear-gradient(#0094bc, #3dd6ff 100%);..background:-o-linear-gradient(#0094bc, #3dd6ff 100%);..filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='$background-gradient-start', endColorstr='$background-gradient-end');..-ms-filter:"progid:DXImageTransform.Microsoft.gradient(startColorstr='$background-gradient-start', endColorstr='$background-gradient-end')";..background:linear-gradient(#0094bc, #3dd6ff 100%).}.body{..font-family:arial, verdana, helvetica;font-size:12px.}...warningbox{..-moz-box-shadow:3px 3px 10px 3px #006c89;..-webkit-box-shadow:3px 3px 10px 3px #006c89;..box-shadow:3px 3px 10px 3px #006c89;..-webkit-border-top-left-radius:16px;..-moz-border-top-left-radius:16px;..border-top-left-radius:16px;..-webk

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\proofpoint_logo[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CC 2015 (Macintosh), datetime=2015:10:01 15:42:26], baseline, precision 8, 187x64, frames 1
Category:	downloaded
Size (bytes):	20820
Entropy (8bit):	6.115298643155388
Encrypted:	false
SSDEEP:	192:1EknPBU4QsGajrPA0yUIcQgVeQ74ukmFOe5aEoQ8my3kyIMgEa/owNI60o2DiJKv:xnPq4QshyjJdItcMdC0qBlP3
MD5:	2354AE0C3B30ED5A5A6CE13853946CDE
SHA1:	62A4EDF895F221D051B6B7509490F64721A15CCD
SHA-256:	C3161B65DA3DA019547FBC4072E5E7DA13C1FABCE048107019FEFC72DE02E21A
SHA-512:	D1E3E4D245B63E6FC771213229A4533E62817F845BCBAF2249FC1377F226447D003D1469F7BB584927CD8C833ACAD8A032D4B936971BEAF4A7FC6E03EB846986
Malicious:	false
Reputation:	low
IE Cache URL:	https://urldefense.com/jasset/images/proofpoint_logo.jpeg
Preview:	......JFIF.....,.,.....nPhotoshop 3.0.8BIM.......6..Z...%G.........>..20150924..?..150838-0700.....Print8BIM.%...........~..Q.,.........Exif..MM.*.............................b...........j.(...........1.....$...r.2...........i.................,.......,....Adobe Photoshop CC 2015 (Macintosh).2015:10:01 15:42:26.................................................`....2015:09:24 15:08:38...=.http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="XMP Core 5.4.0"> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:xmpTPg="http://ns.adobe.com/xap/1.0/t/pg/" xmlns:xmpG="http://ns.adobe.com/xap/1.0/g/" xmlns:stDim="http://ns.adobe.com/xap/1.0/sType/Dimensions#" xmlns:dc="http://purl.org/dc/elements/1.1/" xm

C:\Users\user\AppData\Local\Temp\~DF48B792C37CA30058.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	25441
Entropy (8bit):	0.27918767598683664
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laA:kBqoxxJhHWSVSEab
MD5:	AB889A32AB9ACD33E816C2422337C69A
SHA1:	1190C6B34DED2D295827C2A88310D10A8B90B59B
SHA-256:	4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA
SHA-512:	BD250855747BB4CEC61814D0E44F810156D390E3E9F120A12935EFDF80ACA33C4777AD66257CCA4E4003FEF0741692894980B9298F01C4CDD2D8A9C7BB522FB6
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF610E2E71856BFF74.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13029
Entropy (8bit):	0.4778729570665291
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loVF9loP9lWVQsQQy3:kBqoIQuVQsQQy3
MD5:	2E70829B8F8F4B65CF378B1F15604AF8
SHA1:	D93A96644750F44379D23EDA0617DFF78332968B
SHA-256:	E0175D215366698D4963FC5C8907EA3C84969B5E117687612BF5C0550A3513E2
SHA-512:	ABED8C5DFF6461D9C430B38352052967E9E2734F380A3960455E27CA924642E6F406436516E86A1C4297509910355A87EC329555753F1110924AECBD502D0BBD
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF898D058EB67694B2.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	34609
Entropy (8bit):	0.3953257398314376
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lw99lwd9l2r9l2r9l/ng:kBqoxKAuvScS+eYSbnInXRf0yBz
MD5:	8522AFB1B7423EF088935CBB35AD5071
SHA1:	07F9517D69C35416D395522BB39858A36343E31B
SHA-256:	C7C3E4CC586BC999D4F88C8CE9CBF7D409E5FB1B3B18610834416CBD84033699
SHA-512:	D4B0BDD89F0F966590DE9D4A5CB25B0CD13D377F36E70C30BA12233B4DB9B2BFEDB50145852576D8882CDE6625E8C361D136DB94B0BB8F6BE08965F2C377E031
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 76
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 16, 2021 13:46:24.834016085 CET	49698	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:24.834608078 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:24.963437080 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:24.963660955 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:24.964000940 CET	443	49698	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:24.964142084 CET	49698	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:24.975368023 CET	49698	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:24.975418091 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.102164030 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.102967978 CET	443	49698	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.104641914 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.104661942 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.104676962 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.104830027 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.104872942 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.107268095 CET	443	49698	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.107294083 CET	443	49698	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.107310057 CET	443	49698	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.107381105 CET	49698	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.107424974 CET	49698	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.152797937 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.153019905 CET	49698	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.159215927 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.159262896 CET	49698	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.159394026 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.281244040 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.281281948 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.281461000 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.281511068 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.282630920 CET	443	49698	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.282660961 CET	443	49698	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.282763004 CET	49698	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.282829046 CET	49698	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.283673048 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.284101963 CET	49698	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.287372112 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.287420988 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.287591934 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.288322926 CET	443	49698	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.288439035 CET	49698	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.291114092 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.291286945 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.298631907 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.426834106 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.427419901 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.427659035 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.451766014 CET	443	49698	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.502100945 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.502470970 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.630640030 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.631870985 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.631912947 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.631951094 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.631990910 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.632010937 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.632028103 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.632045984 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.632050991 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.632067919 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.632069111 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.632107973 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.632112980 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.632154942 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.632158041 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.632164955 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.632195950 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.632215977 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.632234097 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.632253885 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.632291079 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.759510994 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.759563923 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.759602070 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.759638071 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.759676933 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.759715080 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.759712934 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.759742975 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.759769917 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.759833097 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.759902000 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.810846090 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.938484907 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.938546896 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.938591957 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.938627005 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.938654900 CET	443	49699	52.71.28.102	192.168.2.3
Mar 16, 2021 13:46:25.938764095 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.938813925 CET	49699	443	192.168.2.3	52.71.28.102
Mar 16, 2021 13:46:25.938822031 CET	49699	443	192.168.2.3	52.71.28.102

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 16, 2021 13:46:18.520215034 CET	52238	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:18.573995113 CET	53	52238	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:19.645018101 CET	49873	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:19.693886995 CET	53	49873	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:20.901103020 CET	53196	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:20.952696085 CET	53	53196	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:22.329071045 CET	56777	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:22.381635904 CET	53	56777	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:23.368251085 CET	58643	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:23.422538042 CET	53	58643	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:23.697966099 CET	60985	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:23.756597996 CET	53	60985	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:24.757301092 CET	50200	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:24.816446066 CET	53	50200	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:24.864480019 CET	51281	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:24.914591074 CET	53	51281	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:26.089977980 CET	49199	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:26.138895035 CET	53	49199	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:29.792803049 CET	50620	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:29.844082117 CET	53	50620	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:31.547941923 CET	64938	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:31.609698057 CET	53	64938	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:32.813860893 CET	60152	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:32.865541935 CET	53	60152	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:34.074631929 CET	57544	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:34.126274109 CET	53	57544	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:35.250922918 CET	55984	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:35.308326006 CET	53	55984	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:36.540301085 CET	64185	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:36.589296103 CET	53	64185	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:42.852502108 CET	65110	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:42.916914940 CET	53	65110	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:42.991374969 CET	58361	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:43.043343067 CET	53	58361	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:44.139936924 CET	63492	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:44.197702885 CET	53	63492	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:45.085822105 CET	60831	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:45.134886980 CET	53	60831	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:53.703970909 CET	60100	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:53.754544973 CET	53	60100	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:54.388834953 CET	53195	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:54.437769890 CET	53	53195	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:54.699498892 CET	60100	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:54.756833076 CET	53	60100	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:55.386109114 CET	53195	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:55.446414948 CET	53	53195	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:55.698542118 CET	60100	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:55.747338057 CET	53	60100	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:56.047975063 CET	50141	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:56.120217085 CET	53	50141	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:56.414944887 CET	53195	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:56.464545012 CET	53	53195	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:58.501749039 CET	53195	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:58.503217936 CET	60100	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:46:58.559556007 CET	53	53195	8.8.8.8	192.168.2.3
Mar 16, 2021 13:46:58.560980082 CET	53	60100	8.8.8.8	192.168.2.3
Mar 16, 2021 13:47:02.511540890 CET	53195	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:47:02.511888981 CET	60100	53	192.168.2.3	8.8.8.8
Mar 16, 2021 13:47:02.560339928 CET	53	60100	8.8.8.8	192.168.2.3
Mar 16, 2021 13:47:02.568480015 CET	53	53195	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 16, 2021 13:46:24.757301092 CET	192.168.2.3	8.8.8.8	0x6e41	Standard query (0)	urldefense.com	A (IP address)	IN (0x0001)
Mar 16, 2021 13:46:42.852502108 CET	192.168.2.3	8.8.8.8	0xf17f	Standard query (0)	urldefense.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Mar 16, 2021 13:46:24.816446066 CET	8.8.8.8	192.168.2.3	0x6e41	No error (0)	urldefense.com	52.71.28.102	A (IP address)	IN (0x0001)
Mar 16, 2021 13:46:24.816446066 CET	8.8.8.8	192.168.2.3	0x6e41	No error (0)	urldefense.com	52.6.56.188	A (IP address)	IN (0x0001)
Mar 16, 2021 13:46:24.816446066 CET	8.8.8.8	192.168.2.3	0x6e41	No error (0)	urldefense.com	52.204.90.22	A (IP address)	IN (0x0001)
Mar 16, 2021 13:46:42.916914940 CET	8.8.8.8	192.168.2.3	0xf17f	No error (0)	urldefense.com	52.6.56.188	A (IP address)	IN (0x0001)
Mar 16, 2021 13:46:42.916914940 CET	8.8.8.8	192.168.2.3	0xf17f	No error (0)	urldefense.com	52.71.28.102	A (IP address)	IN (0x0001)
Mar 16, 2021 13:46:42.916914940 CET	8.8.8.8	192.168.2.3	0xf17f	No error (0)	urldefense.com	52.204.90.22	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Mar 16, 2021 13:46:25.104676962 CET	52.71.28.102	443	192.168.2.3	49699	CN=www.urldefense.com, OU=Ops, O="Proofpoint, Inc.", STREET=892 Ross Drive, L=Sunnyvale, ST=California, OID.2.5.4.17=94089, C=US CN=Sectigo RSA Organization Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB	CN=Sectigo RSA Organization Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Tue Nov 03 01:00:00 CET 2020 Fri Nov 02 01:00:00 CET 2018	Thu Nov 04 00:59:59 CET 2021 Wed Jan 01 00:59:59 CET 2031	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Mar 16, 2021 13:46:25.104676962 CET	52.71.28.102	443	192.168.2.3	49699	CN=Sectigo RSA Organization Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Fri Nov 02 01:00:00 CET 2018	Wed Jan 01 00:59:59 CET 2031		9e10692f1b7f78228b2d4e424db3a98c
Mar 16, 2021 13:46:25.107310057 CET	52.71.28.102	443	192.168.2.3	49698	CN=www.urldefense.com, OU=Ops, O="Proofpoint, Inc.", STREET=892 Ross Drive, L=Sunnyvale, ST=California, OID.2.5.4.17=94089, C=US CN=Sectigo RSA Organization Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB	CN=Sectigo RSA Organization Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Tue Nov 03 01:00:00 CET 2020 Fri Nov 02 01:00:00 CET 2018	Thu Nov 04 00:59:59 CET 2021 Wed Jan 01 00:59:59 CET 2031	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Mar 16, 2021 13:46:25.107310057 CET	52.71.28.102	443	192.168.2.3	49698	CN=Sectigo RSA Organization Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Fri Nov 02 01:00:00 CET 2018	Wed Jan 01 00:59:59 CET 2031		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

Statistics

CPU Usage

• iexplore.exe
• iexplore.exe

Click to jump to process

Memory Usage

• iexplore.exe
• iexplore.exe

Click to jump to process

Behavior

• iexplore.exe
• iexplore.exe

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 6052 Parent PID: 792

Function Logs

General

Start time:	13:46:22
Start date:	16/03/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff7a95d0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Network Activities

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: iexplore.exe PID: 6108 Parent PID: 6052

Function Logs

General

Start time:	13:46:23
Start date:	16/03/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:17410 /prefetch:2
Imagebase:	0xd30000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Show Windows behavior

Network Activities

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report https://urldefense.com/v3/__https:/kenfill.co/DD/__;!!KT1mMmMyND0!YjkdgwzuJK95QCU0ZIOK_9KXCsXihuX3Ee0Au_sacRmNU64inH4KLl8etCuzbBS5yjMGhETwmSo$

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Networking:

System Summary:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 6052 Parent PID: 792

General

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Directory Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Registry Activities

Key Opened

Key Created

Key Value Created

Key Value Modified

Analysis Report https://urldefense.com/v3/https:/kenfill.co/DD/;!!KT1mMmMyND0!YjkdgwzuJK95QCU0ZIOK_9KXCsXihuX3Ee0Au_sacRmNU64inH4KLl8etCuzbBS5yjMGhETwmSo$