Play interactive tour

Edit tour

Analysis Report https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css

Overview

General Information

Sample URL:	https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Analysis ID:	375721
Infos:
Most interesting Screenshot:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Potential browser exploit detected (process start blacklist hit)

Queries the volume information (name, serial number etc) of a device

Classification

Startup

System is w10x64

iexplore.exe (PID: 5600 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4484 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5600 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

notepad.exe (PID: 4012 cmdline: 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\bootstrap.min.css MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.5:49698 version: TLS 1.2

Source: C:\Program Files\internet explorer\iexplore.exe

Process created: C:\Windows\System32\notepad.exe

Source: unknown

DNS traffic detected: queries for: maxcdn.bootstrapcdn.com

Source: notepad.exe, 00000003.00000002.481841822.00000236871F4000.00000004.00000020.sdmp, bootstrap.min[1].css.2.dr	String found in binary or memory: http://getbootstrap.com)
Source: notepad.exe, 00000003.00000002.481841822.00000236871F4000.00000004.00000020.sdmp, bootstrap.min[1].css.2.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698

Source: unknown	HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.5:49698 version: TLS 1.2

Source: classification engine

Classification label: clean1.win@5/9@1/1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A11D393A-8D8C-11EB-90E5-ECF4BB570DC9}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF069320DF2E75A728.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\notepad.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5600 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\bootstrap.min.css
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5600 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\bootstrap.min.css	Jump to behavior

Source: C:\Windows\System32\notepad.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: notepad.exe, 00000003.00000002.482205341.0000023687700000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: notepad.exe, 00000003.00000002.482205341.0000023687700000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: notepad.exe, 00000003.00000002.482205341.0000023687700000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: notepad.exe, 00000003.00000002.482205341.0000023687700000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: notepad.exe, 00000003.00000002.482205341.0000023687700000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\notepad.exe

Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\bootstrap.min.css VolumeInformation

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution1	Path Interception	Process Injection2	Masquerading1	OS Credential Dumping	Process Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection2	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	System Information Discovery11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css	0%	Virustotal		Browse
https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css	0%	Avira URL Cloud	safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
0	1%	Virustotal		Browse
http://getbootstrap.com)	0%	Avira URL Cloud	safe

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
maxcdn.bootstrapcdn.com	104.18.11.207	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
0	false	1%, Virustotal, Browse	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/twbs/bootstrap/blob/master/LICENSE)	notepad.exe, 00000003.00000002.481841822.00000236871F4000.00000004.00000020.sdmp, bootstrap.min[1].css.2.dr	false		high
http://getbootstrap.com)	notepad.exe, 00000003.00000002.481841822.00000236871F4000.00000004.00000020.sdmp, bootstrap.min[1].css.2.dr	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.18.11.207	maxcdn.bootstrapcdn.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	375721
Start date:	25.03.2021
Start time:	10:07:05
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@5/9@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 51.104.139.180, 52.255.188.83, 23.54.113.53, 23.60.220.29, 104.42.151.234, 13.64.90.137, 23.54.113.104, 20.82.210.154, 93.184.221.240, 168.61.161.212, 104.123.31.226, 52.147.198.201, 23.10.249.26, 23.10.249.43, 20.54.26.129 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e15275.g.akamaiedge.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, e11290.dspg.akamaiedge.net, e12564.dspb.akamaiedge.net, go.microsoft.com, wildcard.weather.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, wu.ec.azureedge.net, ris-prod.trafficmanager.net, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A11D393A-8D8C-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	32344
Entropy (8bit):	1.7967147824374439
Encrypted:	false
SSDEEP:	96:r9ZSZ122WOtZzbf/HzizKMwzazqIzIz/zppz/zTazGzM2:r9ZSZ122WOtBf/NME15o2
MD5:	26D2FA3B48F43CB022C390199F9FC7E2
SHA1:	490C25378B80283ED4E428B46F7886D32E0BA656
SHA-256:	CEF499B6A011D17636778491517DE960C4120EBB688A074D8C8EC45570A5FC7F
SHA-512:	96D3AE72501F16CC92DEA9E265E43E824029871F124376F2D33EC63F2D7FCF736140D84A3F91FB481EBE24BB8F6DADE692A1445BA66FB9F392F064AE46F49DD1
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A11D393C-8D8C-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.6003677777005771
Encrypted:	false
SSDEEP:	48:IwdGcprwGwpaFG4pQpGrapbSmGQpBaGHHpcDTGUpQGrGcpm:rDZYQX6JBSejh2d6eg
MD5:	C4C5C6EF01C6395241FAE89889D649C0
SHA1:	4B0F71C3888133F1AC6ED9CAC1F7132712A88181
SHA-256:	52A8637A47690527A10A1ED1FEAD81F2352F7719AFC2F14A6993B955DB1140D3
SHA-512:	A7D66147CAB9F1939ACFEB9FD801C570E93DE2F3A9B7C638C1BA63E18E1621B4180CE04E7940C00CBFE05F6DFE9461A3ED1FF7ACACB235F1355FE35D989F0865
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\bootstrap.min[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	121200
Entropy (8bit):	5.0982146191887106
Encrypted:	false
SSDEEP:	768:Vy3Gxw/Vc/QWlJxtQOIuiHlq5mzI4X8OAduFKbv2ctg2Bd8JP7ecQVvH1FS:nw/a1fIuiHlq5mN8lDbNmPbh
MD5:	EC3BB52A00E176A7181D454DFFAEA219
SHA1:	6527D8BF3E1E9368BAB8C7B60F56BC01FA3AFD68
SHA-256:	F75E846CC83BD11432F4B1E21A45F31BC85283D11D372F7B19ACCD1BF6A2635C
SHA-512:	E8C5DAF01EAE68ED7C1E277A6E544C7AD108A0FA877FB531D6D9F2210769B7DA88E4E002C7B0BE3B72154EBF7CBF01A795C8342CE2DAD368BD6351E956195F8B
Malicious:	false
Reputation:	low
Preview:	/!. Bootstrap v3.3.7 (http://getbootstrap.com). * Copyright 2011-2016 Twitter, Inc.. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE). //! normalize.css v3.0.3 \| MIT License \| github.com/necolas/normalize.css */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,menu,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\bootstrap.min.css.2rtx0im.partial Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	121200
Entropy (8bit):	5.0982146191887106
Encrypted:	false
SSDEEP:	768:Vy3Gxw/Vc/QWlJxtQOIuiHlq5mzI4X8OAduFKbv2ctg2Bd8JP7ecQVvH1FS:nw/a1fIuiHlq5mN8lDbNmPbh
MD5:	EC3BB52A00E176A7181D454DFFAEA219
SHA1:	6527D8BF3E1E9368BAB8C7B60F56BC01FA3AFD68
SHA-256:	F75E846CC83BD11432F4B1E21A45F31BC85283D11D372F7B19ACCD1BF6A2635C
SHA-512:	E8C5DAF01EAE68ED7C1E277A6E544C7AD108A0FA877FB531D6D9F2210769B7DA88E4E002C7B0BE3B72154EBF7CBF01A795C8342CE2DAD368BD6351E956195F8B
Malicious:	false
Reputation:	low
Preview:	/!. Bootstrap v3.3.7 (http://getbootstrap.com). * Copyright 2011-2016 Twitter, Inc.. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE). //! normalize.css v3.0.3 \| MIT License \| github.com/necolas/normalize.css */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,menu,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\bootstrap.min.css.2rtx0im.partial:Zone.Identifier Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Reputation:	low
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\bootstrap.min.css:Zone.Identifier Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	very short file (no magic)
Category:	modified
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:W:W
MD5:	ECCBC87E4B5CE2FE28308FD9F2A7BAF3
SHA1:	77DE68DAECD823BABBB58EDB1C8E14D7106E83BB
SHA-256:	4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE
SHA-512:	3BAFBF08882A2D10133093A1B8433F50563B93C14ACD05B79028EB1D12799027241450980651994501423A66C276AE26C43B739BC65C4E16B10C3AF6C202AEBB
Malicious:	false
Reputation:	low
Preview:	3

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	4.386818790536793
Encrypted:	false
SSDEEP:	3:oVXUNJfQXLt08JOGXnENJfQXLtvun:o9Ub4Z0qEb4Zvu
MD5:	675DB0BEC146108AF287118E91BD1932
SHA1:	D43AFF8001904566EB6585B46F2592B5224AF15B
SHA-256:	154D6A14E025A0C472D5845165BB519F0B0926C9AB5E8AE82AD85C267DC79FCC
SHA-512:	54FB05E36C7FECBF3471816604825E5092738FADAB3F4F135E51197DA36EA3AD3434F9786285A264BB30869B016EF754AB8D46A314CBAB31EBC97376F17071D4
Malicious:	false
Reputation:	low
Preview:	[2021/03/25 10:07:52.276] Latest deploy version: ..[2021/03/25 10:07:52.276] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DF069320DF2E75A728.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12981
Entropy (8bit):	0.4450281466127354
Encrypted:	false
SSDEEP:	12:c9lCg5/9lCgeK9l26an9l26an9l8fRc9l8fRs9lTqLJmGbiop:c9lLh9lLh9lIn9lIn9loc9los9lWLRLp
MD5:	0072ECB163460BA32D5482484866C9DB
SHA1:	A994B4A3CAD58172BE679A4FFB2FC48A2C9565A8
SHA-256:	EB2E34337E8045A2525F04F1ECD63511F598F6CEFB9C0EB9FFA37253CA8A0FF2
SHA-512:	38ADA7C2F93A0006845AC3A058B643B90DF0578ABA79B55D3A692D581C02FAC946B6319409E48AEA4B121D5ECEC93EBC20BC7221941A9F07E4956B03F8A6FBCC
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF0B1E5AF5887A95FA.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	29989
Entropy (8bit):	0.33048832418606144
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwAn9lwAn9l2ATl/9l2d:kBqoxKAuvScS+35K+3Gy
MD5:	6305CCF18B5FE3A41F49E1BF01A9F2DF
SHA1:	4178844762008BCABB047A1597BF5AF761AF2A9F
SHA-256:	54A2AF137BBECE984B241C6205BBA53C76DED0757DBE8F245B96A14136BE7F26
SHA-512:	C27D47E52614869B0340F333E0465D063C9249334DA3A9E18A8A969D9D3AF29F3EF0A3006B78CBCA74658E9B42FA851F234E6FB5AA4D5FDF4694DBD573530C68
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 63
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 25, 2021 10:07:53.069865942 CET	49698	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.069976091 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.084395885 CET	443	49698	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.084424019 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.084522963 CET	49698	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.084583998 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.103336096 CET	49698	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.103352070 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.116955042 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.116991997 CET	443	49698	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.117013931 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.117033005 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.117110968 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.117140055 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.130007029 CET	443	49698	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.130032063 CET	443	49698	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.130103111 CET	49698	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.130120993 CET	49698	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.167572975 CET	49698	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.167718887 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.176337957 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.176597118 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.176660061 CET	49698	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.180778027 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.180840015 CET	443	49698	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.181196928 CET	443	49698	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.181269884 CET	49698	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.181272030 CET	443	49698	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.181327105 CET	49698	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.182005882 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.182029963 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.182069063 CET	49698	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.182099104 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.182126999 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.182672977 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.190233946 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.190259933 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.190268993 CET	443	49698	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.191101074 CET	443	49698	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.191195011 CET	49698	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.192346096 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.192460060 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.203663111 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.203696012 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.203738928 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.203780890 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.203800917 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.203809977 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.203877926 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.204024076 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.204068899 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.204082012 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.204088926 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.204108000 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.204133034 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.204169035 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.204190969 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.204211950 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.204754114 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.204775095 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.204849958 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.204858065 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.204880953 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.204907894 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.204937935 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.205003023 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.205157995 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.205213070 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.205492973 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.205511093 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.205539942 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.205549955 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.205575943 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.205588102 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.205615997 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.205640078 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.205676079 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.206465006 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.206554890 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.206628084 CET	443	49699	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.206686020 CET	49699	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.237657070 CET	443	49698	104.18.11.207	192.168.2.5
Mar 25, 2021 10:07:53.785556078 CET	49698	443	192.168.2.5	104.18.11.207
Mar 25, 2021 10:07:53.788183928 CET	49699	443	192.168.2.5	104.18.11.207

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 25, 2021 10:07:44.007296085 CET	53784	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:07:44.019449949 CET	53	53784	8.8.8.8	192.168.2.5
Mar 25, 2021 10:07:45.123008013 CET	65307	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:07:45.135602951 CET	53	65307	8.8.8.8	192.168.2.5
Mar 25, 2021 10:07:47.532324076 CET	64344	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:07:47.552104950 CET	53	64344	8.8.8.8	192.168.2.5
Mar 25, 2021 10:07:51.835531950 CET	62060	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:07:51.853871107 CET	53	62060	8.8.8.8	192.168.2.5
Mar 25, 2021 10:07:53.039866924 CET	61805	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:07:53.060141087 CET	53	61805	8.8.8.8	192.168.2.5
Mar 25, 2021 10:07:57.291553974 CET	54795	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:07:57.304416895 CET	53	54795	8.8.8.8	192.168.2.5
Mar 25, 2021 10:07:58.622545004 CET	49557	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:07:58.636246920 CET	53	49557	8.8.8.8	192.168.2.5
Mar 25, 2021 10:07:59.304817915 CET	61733	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:07:59.317728996 CET	53	61733	8.8.8.8	192.168.2.5
Mar 25, 2021 10:08:00.449923992 CET	65447	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:08:00.462745905 CET	53	65447	8.8.8.8	192.168.2.5
Mar 25, 2021 10:08:01.560529947 CET	52441	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:08:01.573302984 CET	53	52441	8.8.8.8	192.168.2.5
Mar 25, 2021 10:08:07.542192936 CET	62176	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:08:07.555145025 CET	53	62176	8.8.8.8	192.168.2.5
Mar 25, 2021 10:08:10.819824934 CET	59596	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:08:10.832489014 CET	53	59596	8.8.8.8	192.168.2.5
Mar 25, 2021 10:08:18.297807932 CET	65296	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:08:18.316639900 CET	53	65296	8.8.8.8	192.168.2.5
Mar 25, 2021 10:08:20.232852936 CET	63183	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:08:20.245563030 CET	53	63183	8.8.8.8	192.168.2.5
Mar 25, 2021 10:08:39.518923044 CET	60151	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:08:39.533531904 CET	53	60151	8.8.8.8	192.168.2.5
Mar 25, 2021 10:08:43.561641932 CET	56969	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:08:43.577632904 CET	53	56969	8.8.8.8	192.168.2.5
Mar 25, 2021 10:08:45.606892109 CET	55161	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:08:45.620342970 CET	53	55161	8.8.8.8	192.168.2.5
Mar 25, 2021 10:08:51.203358889 CET	54757	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:08:51.222260952 CET	53	54757	8.8.8.8	192.168.2.5
Mar 25, 2021 10:08:58.330693960 CET	49992	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:08:58.343363047 CET	53	49992	8.8.8.8	192.168.2.5
Mar 25, 2021 10:09:19.606857061 CET	60075	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:09:19.625107050 CET	53	60075	8.8.8.8	192.168.2.5
Mar 25, 2021 10:09:48.524141073 CET	55016	53	192.168.2.5	8.8.8.8
Mar 25, 2021 10:09:48.559257030 CET	53	55016	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 25, 2021 10:07:53.039866924 CET	192.168.2.5	8.8.8.8	0xfcb0	Standard query (0)	maxcdn.bootstrapcdn.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 25, 2021 10:07:53.060141087 CET	8.8.8.8	192.168.2.5	0xfcb0	No error (0)	maxcdn.bootstrapcdn.com		104.18.11.207	A (IP address)	IN (0x0001)
Mar 25, 2021 10:07:53.060141087 CET	8.8.8.8	192.168.2.5	0xfcb0	No error (0)	maxcdn.bootstrapcdn.com		104.18.10.207	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Mar 25, 2021 10:07:53.117033005 CET	104.18.11.207	443	192.168.2.5	49699	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Mar 01 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Tue Mar 01 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Mar 25, 2021 10:07:53.117033005 CET	104.18.11.207	443	192.168.2.5	49699	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Mar 25, 2021 10:07:53.130032063 CET	104.18.11.207	443	192.168.2.5	49698	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Mar 01 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Tue Mar 01 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Mar 25, 2021 10:07:53.130032063 CET	104.18.11.207	443	192.168.2.5	49698	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

Statistics

CPU Usage

• iexplore.exe
• iexplore.exe
• notepad.exe

Click to jump to process

Memory Usage

• iexplore.exe
• iexplore.exe
• notepad.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• iexplore.exe
• iexplore.exe
• notepad.exe

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 5600 Parent PID: 792

Function Logs

General

Start time:	10:07:50
Start date:	25/03/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff755b50000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Network Activities

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: iexplore.exe PID: 4484 Parent PID: 5600

Function Logs

General

Start time:	10:07:51
Start date:	25/03/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5600 CREDAT:17410 /prefetch:2
Imagebase:	0x900000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Network Activities

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: notepad.exe PID: 4012 Parent PID: 5600

Function Logs

General

Start time:	10:07:54
Start date:	25/03/2021
Path:	C:\Windows\System32\notepad.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\bootstrap.min.css
Imagebase:	0x7ff60acb0000
File size:	245760 bytes
MD5 hash:	BB9A06B8F2DD9D24C77F389D7B2B58D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

File Opened

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Queried

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 5600 Parent PID: 792

General

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Directory Queried

Other File Operations

Volume Information Queried

Device IO

Section Activities