Play interactive tour

Edit tour

Analysis Report http://wxhiojortldjyegtkx.bid

Overview

General Information

Sample URL:	http://wxhiojortldjyegtkx.bid
Analysis ID:	415761
Infos:
Most interesting Screenshot:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

No high impact signatures.

Classification

Startup

System is w10x64

iexplore.exe (PID: 6484 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6544 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6484 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Compliance
• Networking
• System Summary

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: wxhiojortldjyegtkx.bidConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: wxhiojortldjyegtkx.bidConnection: Keep-Alive

Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb98b215f,0x01d74afc</date><accdate>0xb98b215f,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb98b215f,0x01d74afc</date><accdate>0xb98b215f,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb992488e,0x01d74afc</date><accdate>0xb992488e,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb992488e,0x01d74afc</date><accdate>0xb992488e,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb992488e,0x01d74afc</date><accdate>0xb992488e,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb992488e,0x01d74afc</date><accdate>0xb994aaa3,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: wxhiojortldjyegtkx.bid

Source: msapplication.xml.1.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr	String found in binary or memory: http://www.youtube.com/
Source: ~DFDC7E3E7AAD541689.TMP.1.dr	String found in binary or memory: http://wxhiojortldjyegtkx.bid/
Source: {E363C2E5-B6EF-11EB-90EB-ECF4BBEA1588}.dat.1.dr	String found in binary or memory: http://wxhiojortldjyegtkx.bid/Root
Source: I6DGMNFI.htm.2.dr	String found in binary or memory: https://www.google-analytics.com/analytics.js

Source: classification engine

Classification label: clean0.win@3/16@2/2

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E363C2E3-B6EF-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF16672EEF924C14DA.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6484 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6484 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Non-Application Layer Protocol2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://wxhiojortldjyegtkx.bid	0%	Virustotal		Browse
http://wxhiojortldjyegtkx.bid	0%	Avira URL Cloud	safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
wxhiojortldjyegtkx.bid	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://wxhiojortldjyegtkx.bid/Root	0%	Avira URL Cloud	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://wxhiojortldjyegtkx.bid/favicon.ico	0%	Virustotal		Browse
http://wxhiojortldjyegtkx.bid/favicon.ico	0%	Avira URL Cloud	safe

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wxhiojortldjyegtkx.bid	104.21.29.172	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://wxhiojortldjyegtkx.bid/	false		unknown
http://wxhiojortldjyegtkx.bid/favicon.ico	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://wxhiojortldjyegtkx.bid/	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://wxhiojortldjyegtkx.bid/Root	{E363C2E5-B6EF-11EB-90EB-ECF4BBEA1588}.dat.1.dr	false	Avira URL Cloud: safe	unknown
http://www.wikipedia.com/	msapplication.xml6.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.com/	msapplication.xml.1.dr	false		high
http://www.nytimes.com/	msapplication.xml3.1.dr	false		high
http://www.live.com/	msapplication.xml2.1.dr	false		high
http://www.reddit.com/	msapplication.xml4.1.dr	false		high
http://www.twitter.com/	msapplication.xml5.1.dr	false		high
http://www.youtube.com/	msapplication.xml7.1.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.29.172	wxhiojortldjyegtkx.bid	United States		13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	415761
Start date:	17.05.2021
Start time:	11:10:53
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://wxhiojortldjyegtkx.bid
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.win@3/16@2/2
Cookbook Comments:	Adjust boot time Enable AMSI

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E363C2E3-B6EF-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	30296
Entropy (8bit):	1.8530246212606485
Encrypted:	false
SSDEEP:	192:ruZApZdk2TfW2et0ifAsuzMwmBDgDRsfTsvjX:r6WNq5J5zuUc
MD5:	CF3CCC94A02C9661708F9AC75B7BE2AF
SHA1:	A5ADD143BD517AD17D66B01357965C21B589E898
SHA-256:	DDDF22E873214D3E814C49D84BD037599EBFE531BA1D7682760F4B0ABDB72267
SHA-512:	424D0D8EEC0CE75B916CBC26F2121E41EDE4D766C756EBB8DE509E6F4192197DDEC21DC19D1F77C01F257008CC1BFCFDCF3CF38D316831D4FBF62D370B7A9C54
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E363C2E5-B6EF-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	24172
Entropy (8bit):	1.6322567147155134
Encrypted:	false
SSDEEP:	48:IwRGcprcGwpaNG4pQJGrapbSTjGQpBqGHHpccETGUp8rGzYpmfwQGopalRB5GA/w:rnZUQv6pBSBjx25WRM5wb/g
MD5:	15DDD40264A64457E289ED9E85C6D93D
SHA1:	5851A6C71300B7E0E28F4924683DE5868BFD0D22
SHA-256:	3FD23A9E575E2388AB0F452EBC308E488E1024C8E9C43E0EB071893378EDAB16
SHA-512:	172DD2FCA34D9ECC324FE6D78E3823777DB51DC0D85837FABD2D345CBB8C76254EAFC6C74A2DC340CA5567196B5D285A6A97B18A0891DEFF6269E823FE31E34F
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E363C2E6-B6EF-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.5664670682167225
Encrypted:	false
SSDEEP:	48:IwwGcprIGwpaRG4pQpGrapbSBjGQpKpG7HpRKETGIpG:r0ZQQD6JBSvAIT7A
MD5:	33CCD3395290A292BB3E780FEF9E884F
SHA1:	463E028100526E30868C7B4D5A9BB402CE47D1F8
SHA-256:	AA474DCD0B5C4F083852D1B86157BDFC2031F89A5D27FAF70D36B71DAD84F972
SHA-512:	E474069CF4C335D205DD005519BF05477FD9416F561001A7739E095BF02536BF58994D1D6726E4BC01793475A3C6937E9780EA9BCC46EDD5630203C5F64C77D8
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.113421596870004
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEFvRSgnWimI002EtM3MHdNMNxOEFvRSgnWimI00OYGVbkEtMb:2d6NxOu8gSZHKd6NxOu8gSZ7YLb
MD5:	934B6BDE30905A564F55C3B1BA0FF9A9
SHA1:	8D00C86415CFA8A9AB32C3463E48DA4A33DB26F0
SHA-256:	50CE8A5932E960ED76EB4035C5AFDA5D0850F721C9611CC9322C26713298E4FB
SHA-512:	647B0622FCB335010809A75C77E329221BC68F42DBF06586456E7D57D105D06C67A2B5F84610160D1A21E3E4AC066DA9280FCC516CF1793DD72A9A46DD50B2FE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb992488e,0x01d74afc</date><accdate>0xb992488e,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb992488e,0x01d74afc</date><accdate>0xb992488e,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.0919704758644935
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kxFlqR6FlNnWimI002EtM3MHdNMNxe2kxFlqR6FlNnWimI00OYGkan:2d6NxreFVF/SZHKd6NxreFVF/SZ7Yzan
MD5:	46FC5B1965863AD4620BF9B7C7B3B09B
SHA1:	DDBBF3831BE691564BC1F2F5674376B7F6B277C7
SHA-256:	C147D22787E681345EF91C3F09E5C19A400E01C7BBB17998A5DB3E53BF1FA9B2
SHA-512:	1FF50A7849133AF39CB320F9422C4E3BD8E25A3DEDF29AF3553ED5765DC05F3A3F4B61968AEB65EDEBC9EBC0FE8131E3FCF43921E481D93E9F13C7CE982963F7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xb988beec,0x01d74afc</date><accdate>0xb988beec,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xb988beec,0x01d74afc</date><accdate>0xb988beec,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.132677839285247
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLFvRSgnWimI002EtM3MHdNMNxvLFvRSgnWimI00OYGmZEtMb:2d6NxvZ8gSZHKd6NxvZ8gSZ7Yjb
MD5:	16AF8BB8C5D9117BF46EF2381E7D36CB
SHA1:	D80EE75488203F6EAE3680ABDA92A0F85A580F7B
SHA-256:	2ADF7406BE71D2F346BDF0EB6232F88E65E759C5BA968E73CB77CBA77499BF3F
SHA-512:	F4592EBA5563BA6386B67609544A41CB4B90448697E8F00DBCCDF11D4CD50AAF8C60EDBAA3785C96E7A640A3B8EADA14CB43BF7B0A9C714B849105C5D93B9732
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xb992488e,0x01d74afc</date><accdate>0xb992488e,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xb992488e,0x01d74afc</date><accdate>0xb992488e,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.105217966495034
Encrypted:	false
SSDEEP:	12:TMHdNMNxix4sR64/nWimI002EtM3MHdNMNxix4sR64/nWimI00OYGd5EtMb:2d6NxM4V4/SZHKd6NxM4V4/SZ7YEjb
MD5:	143DBB448B02AD8D7C14333C801B69BC
SHA1:	E80C2BC409FA9C22E015BFCC2F3C6FE512C24F8E
SHA-256:	4200237D126BD3A093140CE1C6DA9D957FA3465BBD05EA4C1530FF209D98C1AA
SHA-512:	FF90EE71EF1EA5BDE61E54B3611B4840B3361B8BCA934A071722FCF3209628D34D95F286100A21BDB29389E6C06EF77A780CA42E9463BE7C8520A2617FF00D8E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xb98d83c4,0x01d74afc</date><accdate>0xb98d83c4,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xb98d83c4,0x01d74afc</date><accdate>0xb98d83c4,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.137618741498024
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwFvRSgnWimI002EtM3MHdNMNxhGwFvRV4nWimI00OYG8K075EtMb:2d6NxQ68gSZHKd6NxQ6v4SZ7YrKajb
MD5:	D67BD82CF8B6DADBE15BF823608DE0E5
SHA1:	5BA98BBBD77C2DB12B973226D40C862DE90FFF4D
SHA-256:	1A1D702E9EBD2B03755451FAAA5EF47101F129041E3633F6075D8D366D2F8492
SHA-512:	19AC5D3213C11F38957AA5A9897CB5C68E8BF1756C17FCFAAB6570B7AA72DEC7F507C76FE491F8A69965B941B244E169DD70B788D60960CDD6F795C70D0D2FA6
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb992488e,0x01d74afc</date><accdate>0xb992488e,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb992488e,0x01d74afc</date><accdate>0xb994aaa3,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.1227898258462305
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nxiIvR6iIgnWimI002EtM3MHdNMNx0nxiIvR6iIgnWimI00OYGxEtMb:2d6Nx0xiFiPSZHKd6Nx0xiFiPSZ7Ygb
MD5:	788D8D9BB9C8802BE7B627B7B62B80DD
SHA1:	B2AFF86E12DAE2CF019403A55CE07DC56DA6AEE1
SHA-256:	20A87ED617A6223B5781CAF516B3FBF9DF999D71A26418DE2A91C3DAE5B80CAA
SHA-512:	C89B82C28B440D00239AB8B5991EE738F2EF5293BFDB9DF61DDC50558DCF98CF6E4E3545BC8EF90757F047544BFF10382560C7B4FAA065E165D1188B3DFF9542
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xb98fe629,0x01d74afc</date><accdate>0xb98fe629,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xb98fe629,0x01d74afc</date><accdate>0xb98fe629,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.158548098946649
Encrypted:	false
SSDEEP:	12:TMHdNMNxxxiIvR6iIgnWimI002EtM3MHdNMNxxxiIvR6iIgnWimI00OYG6Kq5Ety:2d6NxjiFiPSZHKd6NxjiFiPSZ7Yhb
MD5:	A8145BAF775F8E3BA40DF3ACBB523B5B
SHA1:	FEA6FDE359D71643545A6784226F7BD17DEED86A
SHA-256:	B70369114A6FA816F54DFF5F7F93894919992034F927174AD372EC76EE51A5EC
SHA-512:	991225DE34A021A21007D95867AACF314BE145377FA1022D389DE671DDD2564DF9D8C1F416B42F696A094CE0CCF17F68CA08024E48B623CC6E7D4514A467C242
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xb98fe629,0x01d74afc</date><accdate>0xb98fe629,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xb98fe629,0x01d74afc</date><accdate>0xb98fe629,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.124498867440821
Encrypted:	false
SSDEEP:	12:TMHdNMNxcxBosR6Bo/nWimI002EtM3MHdNMNxcxBosR6Bo/nWimI00OYGVEtMb:2d6NxWBmBuSZHKd6NxWBmBuSZ7Ykb
MD5:	886261492621AF7FA4B098096CF5D03E
SHA1:	2102CD6B79B5125FE92AE8897F8CDD71A63DFAD9
SHA-256:	3379E765D7DE370768AFF817CB68A67AC54D20B0FAC969D282DA1BB1294C0CE5
SHA-512:	17BE81AF820620C6B7B1C4E15F5D98473A7F642D825A2F1665114F9DB1DA258E7180E6597DAD6CA3AC54F7D0873792B5AD010C31723962ED691D8936E0480AE2
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb98b215f,0x01d74afc</date><accdate>0xb98b215f,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb98b215f,0x01d74afc</date><accdate>0xb98b215f,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.090599535778466
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnx4sR64/nWimI002EtM3MHdNMNxfnx4sR64/nWimI00OYGe5EtMb:2d6Nxp4V4/SZHKd6Nxp4V4/SZ7YLjb
MD5:	4C3379244454A652793252BBF640E63B
SHA1:	07C163E9AEE2C740A1067480F9610EFA409A0E5D
SHA-256:	8F30AA3F29996763BB2E33D4E00AA9080199C3ACF4C5BBF21F417DBE246D924B
SHA-512:	328FC90472F440B8504578915F4BB956C0C2BBE20E4ACB5A78900254C5CAAB82CA6CBD48F6DA9EBF2E0B17F714FD4EF48593648B1EE612C66A08D63955F9D4FD
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xb98d83c4,0x01d74afc</date><accdate>0xb98d83c4,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xb98d83c4,0x01d74afc</date><accdate>0xb98d83c4,0x01d74afc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\I6DGMNFI.htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	751
Entropy (8bit):	5.2973711104094585
Encrypted:	false
SSDEEP:	12:lkx+HVPlamqAJNBui+tqmfrgtR7O/y3dYnRWlHYI6vIwv6PikxYOv+y:CoVP8dAJNytDgtR7O/yNYnRWl4IgIQ6F
MD5:	FB4A7EE1C03630FBF7B4D09F4DEB36DF
SHA1:	775CEF3DC1FF839B1F1D22179B6D966DBE8899B4
SHA-256:	4902008AA1B784A09F6F6D0EF9A5CE6DAA6883C838932B1B337433C4275200FA
SHA-512:	BBB6F300F3F0D4C273F8EB69D283ECBBB81C4CF5EE53D0EDA250F767E931C392AAA2244039384D3419D070CE40CC773DAAF16A84A735A5E7E0DB70AB0D65015A
Malicious:	false
Reputation:	low
IE Cache URL:	http://wxhiojortldjyegtkx.bid/
Preview:	<html>..<head>..</head>..</html>..<body>..<br/><center>This domain is used to track traffic and ensure its quality to our advertisers. If you are seeing this on your traffic analytics, this is an expected behaviour...<br/>..<br/>....For advertisement inquiries: <br/><br/>bizdev@cpx24.com..</center>....<script>.. /(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]\|\|function(){.. (i[r].q=i[r].q\|\|[]).push(arguments)},i[r].l=1new Date();a=s.createElement(o),.. m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m).. })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');.... ga('create', 'UA-62025534-1', 'auto');.. ga('send', 'pageview');*/....</script>....</body>..</html>

C:\Users\user\AppData\Local\Temp\~DF16672EEF924C14DA.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13029
Entropy (8bit):	0.4776359514942392
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9log9low9lWcyg3VifyG:kBqoIb9cZyn
MD5:	B64C70A1A95FAB31352B65CB1E22829D
SHA1:	87558AE5E737A28B0DEF6F4BE11263BB8586D476
SHA-256:	0CA437AEE56E5136F141811F1199C713F0D5C2EEFB1CCA4063D990630BDC6A16
SHA-512:	E528105CD0462895C1884C778BF5FC5AF2058D0DFDF3D4C74E619EFBAAEF1F955C2BD53E40975B6C9F20E20383868338D25B805FE9DBB200B097ED4617CE02A9
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFDC7E3E7AAD541689.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	34365
Entropy (8bit):	0.35050565238500986
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwQ29lwl9l2T9l2T9l//:kBqoxKAuvScS+WQKjfIfklRT
MD5:	825E469C396EB185C95E328A34ABB99E
SHA1:	3CC74A4CE107EC5034AD97926F5AA134EFC05834
SHA-256:	C977C6F53FC7CC4B1FCE4562421660F1AF902C86357EC8FC143613DA056396C1
SHA-512:	3DBBDC395051E9F4BEEC5A434F849187959244255673D30EED8A8F98848CC65052DE904F0ED2508BE257B0C3C362E0E51AE460FCB987D272367515B6829A2E83
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFEB1D9C631C221556.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	25441
Entropy (8bit):	0.3017411557699378
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laABs:kBqoxxJhHWSVSEabB
MD5:	E3AC6B25013CB06BB01DB0F8CDAAF0A6
SHA1:	48605B15D198F7B358B01DF2F6C40772197DC96B
SHA-256:	9FAF5E64201D6AB473008B23DAE8DE219469D791532EDFAD733DBD85F2B4FCC1
SHA-512:	ABF7BFC2F1D9D49D0992CF2087BF83C463F5CDA38A97B622B110A19984A6616B21CB5FC6ED4EEC2CC09F0FCC57B2668A180FABF8964713FC35049114AC2676CD
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 49
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 17, 2021 11:11:42.977241039 CEST	49732	80	192.168.2.4	104.21.29.172
May 17, 2021 11:11:42.978118896 CEST	49733	80	192.168.2.4	104.21.29.172
May 17, 2021 11:11:43.019872904 CEST	80	49732	104.21.29.172	192.168.2.4
May 17, 2021 11:11:43.020032883 CEST	49732	80	192.168.2.4	104.21.29.172
May 17, 2021 11:11:43.020909071 CEST	80	49733	104.21.29.172	192.168.2.4
May 17, 2021 11:11:43.020997047 CEST	49733	80	192.168.2.4	104.21.29.172
May 17, 2021 11:11:43.021940947 CEST	49732	80	192.168.2.4	104.21.29.172
May 17, 2021 11:11:43.065022945 CEST	80	49732	104.21.29.172	192.168.2.4
May 17, 2021 11:11:43.338330030 CEST	80	49732	104.21.29.172	192.168.2.4
May 17, 2021 11:11:43.338361979 CEST	80	49732	104.21.29.172	192.168.2.4
May 17, 2021 11:11:43.338820934 CEST	49732	80	192.168.2.4	104.21.29.172
May 17, 2021 11:11:43.819684982 CEST	49732	80	192.168.2.4	104.21.29.172
May 17, 2021 11:11:43.860965014 CEST	80	49732	104.21.29.172	192.168.2.4
May 17, 2021 11:11:43.869256020 CEST	80	49732	104.21.29.172	192.168.2.4
May 17, 2021 11:11:43.870095968 CEST	49732	80	192.168.2.4	104.21.29.172
May 17, 2021 11:11:58.065437078 CEST	80	49733	104.21.29.172	192.168.2.4
May 17, 2021 11:11:58.065607071 CEST	49733	80	192.168.2.4	104.21.29.172

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 17, 2021 11:11:32.128125906 CEST	49714	53	192.168.2.4	8.8.8.8
May 17, 2021 11:11:32.179090977 CEST	53	49714	8.8.8.8	192.168.2.4
May 17, 2021 11:11:32.346550941 CEST	58028	53	192.168.2.4	8.8.8.8
May 17, 2021 11:11:32.397164106 CEST	53	58028	8.8.8.8	192.168.2.4
May 17, 2021 11:11:33.641041994 CEST	53097	53	192.168.2.4	8.8.8.8
May 17, 2021 11:11:33.691919088 CEST	53	53097	8.8.8.8	192.168.2.4
May 17, 2021 11:11:35.535842896 CEST	49257	53	192.168.2.4	8.8.8.8
May 17, 2021 11:11:35.586759090 CEST	53	49257	8.8.8.8	192.168.2.4
May 17, 2021 11:11:36.190228939 CEST	62389	53	192.168.2.4	8.8.8.8
May 17, 2021 11:11:36.259221077 CEST	53	62389	8.8.8.8	192.168.2.4
May 17, 2021 11:11:36.782378912 CEST	49910	53	192.168.2.4	8.8.8.8
May 17, 2021 11:11:36.834564924 CEST	53	49910	8.8.8.8	192.168.2.4
May 17, 2021 11:11:38.100277901 CEST	55854	53	192.168.2.4	8.8.8.8
May 17, 2021 11:11:38.162951946 CEST	53	55854	8.8.8.8	192.168.2.4
May 17, 2021 11:11:39.335717916 CEST	64549	53	192.168.2.4	8.8.8.8
May 17, 2021 11:11:39.386888027 CEST	53	64549	8.8.8.8	192.168.2.4
May 17, 2021 11:11:40.873972893 CEST	63153	53	192.168.2.4	8.8.8.8
May 17, 2021 11:11:40.933135986 CEST	53	63153	8.8.8.8	192.168.2.4
May 17, 2021 11:11:41.199054956 CEST	52991	53	192.168.2.4	8.8.8.8
May 17, 2021 11:11:41.250248909 CEST	53	52991	8.8.8.8	192.168.2.4
May 17, 2021 11:11:42.903518915 CEST	53700	53	192.168.2.4	8.8.8.8
May 17, 2021 11:11:42.967329979 CEST	53	53700	8.8.8.8	192.168.2.4
May 17, 2021 11:11:44.590914011 CEST	51726	53	192.168.2.4	8.8.8.8
May 17, 2021 11:11:44.643465042 CEST	53	51726	8.8.8.8	192.168.2.4
May 17, 2021 11:11:45.964911938 CEST	56794	53	192.168.2.4	8.8.8.8
May 17, 2021 11:11:46.034563065 CEST	53	56794	8.8.8.8	192.168.2.4
May 17, 2021 11:11:47.239900112 CEST	56534	53	192.168.2.4	8.8.8.8
May 17, 2021 11:11:47.292172909 CEST	53	56534	8.8.8.8	192.168.2.4
May 17, 2021 11:11:48.894725084 CEST	56627	53	192.168.2.4	8.8.8.8
May 17, 2021 11:11:48.944040060 CEST	53	56627	8.8.8.8	192.168.2.4
May 17, 2021 11:11:52.038475037 CEST	56621	53	192.168.2.4	8.8.8.8
May 17, 2021 11:11:52.087925911 CEST	53	56621	8.8.8.8	192.168.2.4
May 17, 2021 11:11:53.152282953 CEST	63116	53	192.168.2.4	8.8.8.8
May 17, 2021 11:11:53.201723099 CEST	53	63116	8.8.8.8	192.168.2.4
May 17, 2021 11:11:54.667450905 CEST	64078	53	192.168.2.4	8.8.8.8
May 17, 2021 11:11:54.717858076 CEST	53	64078	8.8.8.8	192.168.2.4
May 17, 2021 11:11:59.838618994 CEST	64801	53	192.168.2.4	8.8.8.8
May 17, 2021 11:11:59.902707100 CEST	53	64801	8.8.8.8	192.168.2.4
May 17, 2021 11:12:00.538096905 CEST	61721	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:00.590492964 CEST	53	61721	8.8.8.8	192.168.2.4
May 17, 2021 11:12:01.791645050 CEST	51255	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:01.842147112 CEST	53	51255	8.8.8.8	192.168.2.4
May 17, 2021 11:12:02.909164906 CEST	61522	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:02.960594893 CEST	53	61522	8.8.8.8	192.168.2.4
May 17, 2021 11:12:04.054819107 CEST	52337	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:04.117897034 CEST	53	52337	8.8.8.8	192.168.2.4
May 17, 2021 11:12:05.362389088 CEST	55046	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:05.411798000 CEST	53	55046	8.8.8.8	192.168.2.4
May 17, 2021 11:12:08.656092882 CEST	49612	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:08.717983007 CEST	53	49612	8.8.8.8	192.168.2.4
May 17, 2021 11:12:10.868927956 CEST	49285	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:10.918308020 CEST	53	49285	8.8.8.8	192.168.2.4
May 17, 2021 11:12:11.743505001 CEST	50601	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:11.801197052 CEST	53	50601	8.8.8.8	192.168.2.4
May 17, 2021 11:12:11.876817942 CEST	49285	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:11.926659107 CEST	53	49285	8.8.8.8	192.168.2.4
May 17, 2021 11:12:12.752011061 CEST	50601	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:12.802380085 CEST	53	50601	8.8.8.8	192.168.2.4
May 17, 2021 11:12:12.894129992 CEST	49285	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:12.952020884 CEST	53	49285	8.8.8.8	192.168.2.4
May 17, 2021 11:12:13.865937948 CEST	50601	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:13.915277004 CEST	53	50601	8.8.8.8	192.168.2.4
May 17, 2021 11:12:14.947618008 CEST	49285	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:15.005292892 CEST	53	49285	8.8.8.8	192.168.2.4
May 17, 2021 11:12:16.330773115 CEST	50601	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:16.382432938 CEST	53	50601	8.8.8.8	192.168.2.4
May 17, 2021 11:12:18.955694914 CEST	49285	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:19.005012035 CEST	53	49285	8.8.8.8	192.168.2.4
May 17, 2021 11:12:20.346199989 CEST	50601	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:20.405092955 CEST	53	50601	8.8.8.8	192.168.2.4
May 17, 2021 11:12:27.550005913 CEST	60875	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:27.610527039 CEST	53	60875	8.8.8.8	192.168.2.4
May 17, 2021 11:12:30.154467106 CEST	56448	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:30.212251902 CEST	53	56448	8.8.8.8	192.168.2.4
May 17, 2021 11:12:30.693634033 CEST	59172	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:30.746037006 CEST	53	59172	8.8.8.8	192.168.2.4
May 17, 2021 11:12:31.241776943 CEST	62420	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:31.294322014 CEST	53	62420	8.8.8.8	192.168.2.4
May 17, 2021 11:12:31.991303921 CEST	60579	53	192.168.2.4	8.8.8.8
May 17, 2021 11:12:32.051986933 CEST	53	60579	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 17, 2021 11:11:42.903518915 CEST	192.168.2.4	8.8.8.8	0xf24a	Standard query (0)	wxhiojortldjyegtkx.bid	A (IP address)	IN (0x0001)
May 17, 2021 11:11:59.838618994 CEST	192.168.2.4	8.8.8.8	0x9a28	Standard query (0)	wxhiojortldjyegtkx.bid	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 17, 2021 11:11:42.967329979 CEST	8.8.8.8	192.168.2.4	0xf24a	No error (0)	wxhiojortldjyegtkx.bid	104.21.29.172	A (IP address)	IN (0x0001)
May 17, 2021 11:11:42.967329979 CEST	8.8.8.8	192.168.2.4	0xf24a	No error (0)	wxhiojortldjyegtkx.bid	172.67.149.140	A (IP address)	IN (0x0001)
May 17, 2021 11:11:59.902707100 CEST	8.8.8.8	192.168.2.4	0x9a28	No error (0)	wxhiojortldjyegtkx.bid	172.67.149.140	A (IP address)	IN (0x0001)
May 17, 2021 11:11:59.902707100 CEST	8.8.8.8	192.168.2.4	0x9a28	No error (0)	wxhiojortldjyegtkx.bid	104.21.29.172	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

wxhiojortldjyegtkx.bid

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49732	104.21.29.172	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
May 17, 2021 11:11:43.021940947 CEST	2511	OUT	GET / HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: wxhiojortldjyegtkx.bid Connection: Keep-Alive
May 17, 2021 11:11:43.338330030 CEST	2512	IN	HTTP/1.1 200 OK Date: Mon, 17 May 2021 09:11:43 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 751 Connection: keep-alive Cache-Control: no-transform,no-cache Pragma: no-cache CF-Cache-Status: DYNAMIC cf-request-id: 0a1b3184e40000c2c2d4941000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ztNbJE7QY1jFnSIIVQFSKCKm4FRLctTrHJr%2FcGKys%2Frp%2FVeYjBdZOAJavDdOevRqj2ZqS3xt8wpAm11LsoCIZli1%2BE0LjXCfEiSxsTH7ygYcNzjIuF7G"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 650bb84e3db8c2c2-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0a 09 3c 68 65 61 64 3e 0a 09 3c 2f 68 65 61 64 3e 0a 09 3c 2f 68 74 6d 6c 3e 0a 09 3c 62 6f 64 79 3e 0a 09 3c 62 72 2f 3e 3c 63 65 6e 74 65 72 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 69 73 20 75 73 65 64 20 74 6f 20 74 72 61 63 6b 20 74 72 61 66 66 69 63 20 61 6e 64 20 65 6e 73 75 72 65 20 69 74 73 20 71 75 61 6c 69 74 79 20 74 6f 20 6f 75 72 20 61 64 76 65 72 74 69 73 65 72 73 2e 20 49 66 20 79 6f 75 20 61 72 65 20 73 65 65 69 6e 67 20 74 68 69 73 20 6f 6e 20 79 6f 75 72 20 74 72 61 66 66 69 63 20 61 6e 61 6c 79 74 69 63 73 2c 20 74 68 69 73 20 69 73 20 61 6e 20 65 78 70 65 63 74 65 64 20 62 65 68 61 76 69 6f 75 72 2e 0a 09 3c 62 72 2f 3e 0a 09 3c 62 72 2f 3e 0a 09 09 09 46 6f 72 20 61 64 76 65 72 74 69 73 65 6d 65 6e 74 20 69 6e 71 75 69 72 69 65 73 3a 20 20 3c 62 72 2f 3e 3c 62 72 2f 3e 62 69 7a 64 65 76 40 63 70 78 32 34 2e 63 6f 6d 0a 09 3c 2f 63 65 6e 74 65 72 3e 0a 09 0a 09 3c 73 63 72 69 70 74 3e 0a 09 20 20 2f 2a 28 66 75 6e 63 74 69 6f 6e 28 69 2c 73 2c 6f 2c 67 2c 72 2c 61 2c 6d 29 7b 69 5b 27 47 6f 6f 67 6c 65 41 6e 61 6c 79 74 69 63 73 4f 62 6a 65 63 74 27 5d 3d 72 3b 69 5b 72 5d 3d 69 5b 72 5d 7c 7c 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 09 20 20 28 69 5b 72 5d 2e 71 3d 69 5b 72 5d 2e 71 7c 7c 5b 5d 29 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 7d 2c 69 5b 72 5d 2e 6c 3d 31 2a 6e 65 77 20 44 61 74 65 28 29 3b 61 3d 73 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 6f 29 2c 0a 09 20 20 6d 3d 73 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 6f 29 5b 30 5d 3b 61 2e 61 73 79 6e 63 3d 31 3b 61 2e 73 72 63 3d 67 3b 6d 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 61 2c 6d 29 0a 09 20 20 7d 29 28 77 69 6e 64 6f 77 2c 64 6f 63 75 6d 65 6e 74 2c 27 73 63 72 69 70 74 27 2c 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2d 61 6e 61 6c 79 74 69 63 73 2e 63 6f 6d 2f 61 6e 61 6c 79 74 69 63 73 2e 6a 73 27 2c 27 67 61 27 29 3b 0a 09 0a 09 20 20 67 Data Ascii: <html><head></head></html><body><br/><center>This domain is used to track traffic and ensure its quality to our advertisers. If you are seeing this on your traffic analytics, this is an expected behaviour.<br/><br/>For advertisement inquiries: <br/><br/>bizdev@cpx24.com</center><script> /(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]\|\|function(){ (i[r].q=i[r].q\|\|[]).push(arguments)},i[r].l=1new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','https://www.google-analytics.com/analytics.js','ga'); g
May 17, 2021 11:11:43.338361979 CEST	2513	IN	Data Raw: 61 28 27 63 72 65 61 74 65 27 2c 20 27 55 41 2d 36 32 30 32 35 35 33 34 2d 31 27 2c 20 27 61 75 74 6f 27 29 3b 0a 09 20 20 67 61 28 27 73 65 6e 64 27 2c 20 27 70 61 67 65 76 69 65 77 27 29 3b 2a 2f 0a 09 0a 09 3c 2f 73 63 72 69 70 74 3e 0a 09 0a Data Ascii: a('create', 'UA-62025534-1', 'auto'); ga('send', 'pageview');*/</script></body></html>
May 17, 2021 11:11:43.819684982 CEST	2513	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: wxhiojortldjyegtkx.bid Connection: Keep-Alive
May 17, 2021 11:11:43.869256020 CEST	2514	IN	HTTP/1.1 200 OK Date: Mon, 17 May 2021 09:11:43 GMT Content-Length: 0 Connection: keep-alive Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 163 Accept-Ranges: bytes cf-request-id: 0a1b3187fd0000c2c24e2d0000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ftr%2BgUMrD41P20lgh9Cfn5d9CQTMxDDWX2NWestGuVHdeiCejk%2BcE1jgfakSTlYsQ21ikHhnzAE22eYKDVm7L0iaXyBtbH9UWdGQGzdPBqE0M0qRh7Nr"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 650bb8532fe3c2c2-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400

Code Manipulations

Statistics

CPU Usage

• iexplore.exe
• iexplore.exe

Click to jump to process

Memory Usage

• iexplore.exe
• iexplore.exe

Click to jump to process

Behavior

• iexplore.exe
• iexplore.exe

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 6484 Parent PID: 800

Function Logs

General

Start time:	11:11:39
Start date:	17/05/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff6621c0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Network Activities

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: iexplore.exe PID: 6544 Parent PID: 6484

Function Logs

General

Start time:	11:11:40
Start date:	17/05/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6484 CREDAT:17410 /prefetch:2
Imagebase:	0x3d0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Show Windows behavior

Network Activities

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report http://wxhiojortldjyegtkx.bid

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Networking:

System Summary:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 6484 Parent PID: 800

General

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Directory Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Registry Activities

Key Opened

Key Value Created