Edit tour

Windows Analysis Report
https://plentyequipment.com/sign.html#UGV0ZXIuS3VlcHBlcnNAdmVyYmlvLmRl&referrer=nonreferrer

Overview

General Information

Sample URL:	https://plentyequipment.com/sign.html#UGV0ZXIuS3VlcHBlcnNAdmVyYmlvLmRl&referrer=nonreferrer
Analysis ID:	636471
Infos:

Detection

HTMLPhisher

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected HtmlPhish44

Yara detected obfuscated html page

Antivirus detection for URL or domain

Classification

Process Tree

System is w10x64

iexplore.exe (PID: 2196 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 352 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\sign[1].htm	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\sign[1].htm	JoeSecurity_HtmlPhish_44	Yara detected HtmlPhish_44	Joe Security

Source: https://salty-wildwood-51825.herokuapp.com/general/noRobot.html?usr=Peter.Kueppers@verbio.de&interceptiontype=VerifyLogin&interceptiontype=VerifyLogin&service=freemail&successURL=https%3A%2F%sharepoint%2Flogin&statistics=xRbXFc8VKmF6s%2Frp6a5qP4z%2FNdyBHKIvfVNtKKZ%2FMq1vzDMmvcNacavpkSKc0VdsoMzKeZnxxL%2Fl2FTNDJCnPcIHjxpzAgCgOro1V2sZbBxg%3D%3D&username=sdada&requestSecurityToken=9f8d7962-0d22-4c86-8ab0-862cfe04d2e9

SlashNext: Label: Credential Stealing type: Phishing & Social Engineering

Phishing

Yara detected HtmlPhish44

Source: Yara match

File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\sign[1].htm, type: DROPPED

Yara detected obfuscated html page

Source: Yara match

File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\sign[1].htm, type: DROPPED

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 68.65.123.146:443 -> 192.168.2.3:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 68.65.123.146:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.159.116.102:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.159.116.102:443 -> 192.168.2.3:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.241:443 -> 192.168.2.3:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.241:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.3:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.159.116.102:443 -> 192.168.2.3:49760 version: TLS 1.2

Source: unknown

DNS traffic detected: queries for: plentyequipment.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: global traffic	HTTP traffic detected: GET /sign.html HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: plentyequipment.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /general/noRobot.html?usr=Peter.Kueppers@verbio.de&interceptiontype=VerifyLogin&interceptiontype=VerifyLogin&service=freemail&successURL=https%3A%2F%sharepoint%2Flogin&statistics=xRbXFc8VKmF6s%2Frp6a5qP4z%2FNdyBHKIvfVNtKKZ%2FMq1vzDMmvcNacavpkSKc0VdsoMzKeZnxxL%2Fl2FTNDJCnPcIHjxpzAgCgOro1V2sZbBxg%3D%3D&username=sdada&requestSecurityToken=9f8d7962-0d22-4c86-8ab0-862cfe04d2e9 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Referer: https://plentyequipment.com/sign.htmlAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: salty-wildwood-51825.herokuapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /general/geo.js HTTP/1.1Accept: application/javascript, /;q=0.8Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: salty-wildwood-51825.herokuapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /general/download.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: salty-wildwood-51825.herokuapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /get_html.php HTTP/1.1Accept: /Accept-Language: en-USOrigin: https://salty-wildwood-51825.herokuapp.comAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api.hostip.infoConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /%20102.129.143.42 HTTP/1.1Accept: application/json, text/javascript, /; q=0.01Accept-Language: en-USOrigin: https://salty-wildwood-51825.herokuapp.comAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /102.129.143.42 HTTP/1.1Accept: application/json, text/javascript, /; q=0.01Accept-Language: en-USOrigin: https://salty-wildwood-51825.herokuapp.comAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /general/ HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: salty-wildwood-51825.herokuapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: salty-wildwood-51825.herokuapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /general/ HTTP/1.1User-Agent: AutoItHost: salty-wildwood-51825.herokuapp.com

Source: msapplication.xml.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xda2d1b7e,0x01d87506</date><accdate>0xda913e95,0x01d87506</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml4.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xdc8f7511,0x01d87506</date><accdate>0xdcec711e,0x01d87506</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xdd935578,0x01d87506</date><accdate>0xddca2c13,0x01d87506</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenConnection: closeDate: Tue, 31 May 2022 06:54:55 GMTServer: ApacheContent-Length: 199Content-Type: text/html; charset=iso-8859-1Via: 1.1 vegur
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeDate: Tue, 31 May 2022 06:54:55 GMTServer: ApacheContent-Length: 196Content-Type: text/html; charset=iso-8859-1Via: 1.1 vegur
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenConnection: closeDate: Tue, 31 May 2022 06:55:07 GMTServer: ApacheContent-Length: 199Content-Type: text/html; charset=iso-8859-1Via: 1.1 vegur

Source: msapplication.xml7.1.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml0.1.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml1.1.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml2.1.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml3.1.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml4.1.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml5.1.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml6.1.dr	String found in binary or memory: http://www.youtube.com/
Source: geo[1].js.2.dr, noRobot[1].htm.2.dr	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js
Source: geo[1].js.2.dr	String found in binary or memory: https://api.hostip.info/get_html.php
Source: noRobot[1].htm.2.dr	String found in binary or memory: https://burger-fr.com/dns/valid.php
Source: noRobot[1].htm.2.dr	String found in binary or memory: https://fbfiberica-es.com/session/index.php
Source: noRobot[1].htm.2.dr	String found in binary or memory: https://google.com
Source: geo[1].js.2.dr	String found in binary or memory: https://ipinfo.io/
Source: 102.129.143[1].json.2.dr	String found in binary or memory: https://ipinfo.io/missingauth
Source: noRobot[1].htm.2.dr	String found in binary or memory: https://logo.clearbit.com/google.com
Source: noRobot[1].htm.2.dr	String found in binary or memory: https://www.google.com/s2/favicons?domain=
Source: noRobot[1].htm.2.dr	String found in binary or memory: https://www.google.com/s2/favicons?domain=google.com
Source: noRobot[1].htm.2.dr	String found in binary or memory: https://www.google.com/s2/favicons?domain=laobanmail.com

Source: unknown	HTTPS traffic detected: 68.65.123.146:443 -> 192.168.2.3:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 68.65.123.146:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.159.116.102:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.159.116.102:443 -> 192.168.2.3:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.241:443 -> 192.168.2.3:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.241:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.3:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.159.116.102:443 -> 192.168.2.3:49760 version: TLS 1.2

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF799962AA13052DA2.TMP

Jump to behavior

Source: classification engine

Classification label: mal64.phis.win@3/16@5/5

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://plentyequipment.com/sign.html#UGV0ZXIuS3VlcHBlcnNAdmVyYmlvLmRl&referrer=nonreferrer	3%	Virustotal		Browse
https://plentyequipment.com/sign.html#UGV0ZXIuS3VlcHBlcnNAdmVyYmlvLmRl&referrer=nonreferrer	0%	Avira URL Cloud	safe

Source	Detection	Scanner	Label
https://salty-wildwood-51825.herokuapp.com/general/noRobot.html?usr=Peter.Kueppers@verbio.de&interceptiontype=VerifyLogin&interceptiontype=VerifyLogin&service=freemail&successURL=https%3A%2F%sharepoint%2Flogin&statistics=xRbXFc8VKmF6s%2Frp6a5qP4z%2FNdyBHKIvfVNtKKZ%2FMq1vzDMmvcNacavpkSKc0VdsoMzKeZnxxL%2Fl2FTNDJCnPcIHjxpzAgCgOro1V2sZbBxg%3D%3D&username=sdada&requestSecurityToken=9f8d7962-0d22-4c86-8ab0-862cfe04d2e9	100%	SlashNext	Credential Stealing type: Phishing & Social Engineering
https://api.hostip.info/get_html.php	0%	Avira URL Cloud	safe
https://salty-wildwood-51825.herokuapp.com/favicon.ico	0%	Avira URL Cloud	safe
https://salty-wildwood-51825.herokuapp.com/general/geo.js	0%	Avira URL Cloud	safe
https://salty-wildwood-51825.herokuapp.com/general/download.png	0%	Avira URL Cloud	safe
https://salty-wildwood-51825.herokuapp.com/general/	0%	Avira URL Cloud	safe
https://plentyequipment.com/sign.html	0%	Avira URL Cloud	safe
https://burger-fr.com/dns/valid.php	0%	Avira URL Cloud	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
https://fbfiberica-es.com/session/index.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ipinfo.io	34.117.59.81	true	false	high
salty-wildwood-51825.herokuapp.com	54.159.116.102	true	false	unknown
plentyequipment.com	68.65.123.146	true	false	unknown
api.hostip.info	104.21.84.241	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/102.129.143.42	false		high
https://ipinfo.io/%20102.129.143.42	false		high
https://api.hostip.info/get_html.php	false	Avira URL Cloud: safe	unknown
https://salty-wildwood-51825.herokuapp.com/favicon.ico	false	Avira URL Cloud: safe	unknown
https://salty-wildwood-51825.herokuapp.com/general/geo.js	false	Avira URL Cloud: safe	unknown
https://salty-wildwood-51825.herokuapp.com/general/download.png	false	Avira URL Cloud: safe	unknown
https://salty-wildwood-51825.herokuapp.com/general/	false	Avira URL Cloud: safe	unknown
https://plentyequipment.com/sign.html	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/missingauth	102.129.143[1].json.2.dr	false		high
http://www.nytimes.com/	msapplication.xml2.1.dr	false		high
http://www.amazon.com/	msapplication.xml7.1.dr	false		high
https://www.google.com/s2/favicons?domain=laobanmail.com	noRobot[1].htm.2.dr	false		high
https://www.google.com/s2/favicons?domain=	noRobot[1].htm.2.dr	false		high
http://www.twitter.com/	msapplication.xml4.1.dr	false		high
https://www.google.com/s2/favicons?domain=google.com	noRobot[1].htm.2.dr	false		high
https://ipinfo.io/	geo[1].js.2.dr	false		high
https://burger-fr.com/dns/valid.php	noRobot[1].htm.2.dr	false	Avira URL Cloud: safe	unknown
http://www.youtube.com/	msapplication.xml6.1.dr	false		high
https://logo.clearbit.com/google.com	noRobot[1].htm.2.dr	false		high
http://www.wikipedia.com/	msapplication.xml5.1.dr	false	URL Reputation: safe	unknown
http://www.live.com/	msapplication.xml1.1.dr	false		high
https://google.com	noRobot[1].htm.2.dr	false		high
http://www.reddit.com/	msapplication.xml3.1.dr	false		high
http://www.google.com/	msapplication.xml0.1.dr	false		high
https://fbfiberica-es.com/session/index.php	noRobot[1].htm.2.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.84.241	api.hostip.info	United States	13335	CLOUDFLARENETUS	false
34.117.59.81	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
68.65.123.146	plentyequipment.com	United States	22612	NAMECHEAP-NETUS	false
54.159.116.102	salty-wildwood-51825.herokuapp.com	United States	14618	AMAZON-AESUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	636471
Start date and time: 31/05/202208:53:45	2022-05-31 08:53:45 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://plentyequipment.com/sign.html#UGV0ZXIuS3VlcHBlcnNAdmVyYmlvLmRl&referrer=nonreferrer
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.phis.win@3/16@5/5
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.205.181.161, 142.250.203.106, 152.199.19.161
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ajax.googleapis.com, ie9comview.vo.msecnd.net, ctldl.windowsupdate.com, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, store-images.s-microsoft.com, login.live.com, go.microsoft.com.edgekey.net, cs9.wpc.v0cdn.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	355
Entropy (8bit):	5.095942951139304
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc41EAUTD90/QL3WIZK0QhPPWXpsVDHkEtMjwu:TMHdNMNxOERnWimI00ObVbkEtMb
MD5:	A01523C058AC861EAD02514BA3ED619E
SHA1:	900D99B8F14D255F18C80746732748B827690378
SHA-256:	102DFD93A3B4F49C3BD53BECC1039D6996777F5100A4266E71BA79F12CE7E590
SHA-512:	BF0F51C201BD080D8E9B066BDE6B09B8BFE36DFAE5BF1515F1C9C8BE6218172CDA7D9C4B37D9BE0287DC4D752273EE20589E14858D9D1F96E494CE1C9DA9749D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xdc8f7511,0x01d87506</date><accdate>0xdcec711e,0x01d87506</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text
Category:	downloaded
Size (bytes):	251
Entropy (8bit):	4.878432780549129
Encrypted:	false
SSDEEP:	3:0wMgRq/a9tupqHHf9hyLMfEtpvHf+LLQvSHCh2HExCRAfYC2fQ8CQcCMyt8q25TA:0wMgRRPupGhQpff+LLgS1H5a76W35jY
MD5:	F2B7B6061031841C9FD91B9D344EB5EB
SHA1:	2027EDBC32D007D10E2D7578B977210B1C6C4035
SHA-256:	A5702E4A15BAFCE46954177D4F6510FB5BDB88D89861515AC10DB720BC503E94
SHA-512:	C3F0C6004D3725EA3A579988CE1801E600F94588C594F651F070D5AE3315748C66BD82193776C5634E9F28BEA5CE579FCDA6AB60BCC486AFA0A34B37FF46331C
Malicious:	false
Reputation:	low
IE Cache URL:	https://ipinfo.io/102.129.143.42
Preview:	{. "ip": "102.129.143.42",. "city": "H.nenberg",. "region": "Zug",. "country": "CH",. "loc": "47.1754,8.4250",. "org": "AS212238 Datacamp Limited",. "postal": "6331",. "timezone": "Europe/Zurich",. "readme": "https://ipinfo.io/missingauth".}

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 31, 2022 08:54:50.096159935 CEST	49732	443	192.168.2.3	68.65.123.146
May 31, 2022 08:54:50.096232891 CEST	443	49732	68.65.123.146	192.168.2.3
May 31, 2022 08:54:50.096396923 CEST	49732	443	192.168.2.3	68.65.123.146
May 31, 2022 08:54:50.097309113 CEST	49733	443	192.168.2.3	68.65.123.146
May 31, 2022 08:54:50.097343922 CEST	443	49733	68.65.123.146	192.168.2.3
May 31, 2022 08:54:50.097429037 CEST	49733	443	192.168.2.3	68.65.123.146
May 31, 2022 08:54:50.110791922 CEST	49732	443	192.168.2.3	68.65.123.146
May 31, 2022 08:54:50.110842943 CEST	443	49732	68.65.123.146	192.168.2.3
May 31, 2022 08:54:50.111239910 CEST	49733	443	192.168.2.3	68.65.123.146
May 31, 2022 08:54:50.111267090 CEST	443	49733	68.65.123.146	192.168.2.3
May 31, 2022 08:54:50.472799063 CEST	443	49733	68.65.123.146	192.168.2.3
May 31, 2022 08:54:50.472908020 CEST	49733	443	192.168.2.3	68.65.123.146
May 31, 2022 08:54:50.475038052 CEST	443	49732	68.65.123.146	192.168.2.3
May 31, 2022 08:54:50.475146055 CEST	49732	443	192.168.2.3	68.65.123.146
May 31, 2022 08:54:50.736982107 CEST	49732	443	192.168.2.3	68.65.123.146
May 31, 2022 08:54:50.737018108 CEST	443	49732	68.65.123.146	192.168.2.3
May 31, 2022 08:54:50.737304926 CEST	49733	443	192.168.2.3	68.65.123.146
May 31, 2022 08:54:50.737339973 CEST	443	49733	68.65.123.146	192.168.2.3
May 31, 2022 08:54:50.737523079 CEST	443	49732	68.65.123.146	192.168.2.3
May 31, 2022 08:54:50.737612009 CEST	49732	443	192.168.2.3	68.65.123.146
May 31, 2022 08:54:50.737919092 CEST	49732	443	192.168.2.3	68.65.123.146
May 31, 2022 08:54:50.737931013 CEST	443	49733	68.65.123.146	192.168.2.3
May 31, 2022 08:54:50.737992048 CEST	49733	443	192.168.2.3	68.65.123.146
May 31, 2022 08:54:50.780524015 CEST	443	49732	68.65.123.146	192.168.2.3
May 31, 2022 08:54:50.910335064 CEST	443	49732	68.65.123.146	192.168.2.3
May 31, 2022 08:54:50.910382032 CEST	443	49732	68.65.123.146	192.168.2.3
May 31, 2022 08:54:50.910423040 CEST	49732	443	192.168.2.3	68.65.123.146
May 31, 2022 08:54:50.910446882 CEST	443	49732	68.65.123.146	192.168.2.3
May 31, 2022 08:54:50.910460949 CEST	49732	443	192.168.2.3	68.65.123.146
May 31, 2022 08:54:50.910478115 CEST	443	49732	68.65.123.146	192.168.2.3
May 31, 2022 08:54:50.910491943 CEST	49732	443	192.168.2.3	68.65.123.146
May 31, 2022 08:54:50.910521984 CEST	49732	443	192.168.2.3	68.65.123.146
May 31, 2022 08:54:50.939701080 CEST	49732	443	192.168.2.3	68.65.123.146
May 31, 2022 08:54:50.939726114 CEST	443	49732	68.65.123.146	192.168.2.3
May 31, 2022 08:54:51.439562082 CEST	49734	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:51.439667940 CEST	443	49734	54.159.116.102	192.168.2.3
May 31, 2022 08:54:51.439793110 CEST	49734	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:51.441179991 CEST	49734	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:51.441215992 CEST	443	49734	54.159.116.102	192.168.2.3
May 31, 2022 08:54:51.441442966 CEST	49735	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:51.441485882 CEST	443	49735	54.159.116.102	192.168.2.3
May 31, 2022 08:54:51.441569090 CEST	49735	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:51.442168951 CEST	49735	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:51.442189932 CEST	443	49735	54.159.116.102	192.168.2.3
May 31, 2022 08:54:51.863142967 CEST	443	49735	54.159.116.102	192.168.2.3
May 31, 2022 08:54:51.863261938 CEST	49735	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:51.869265079 CEST	49735	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:51.869280100 CEST	443	49735	54.159.116.102	192.168.2.3
May 31, 2022 08:54:51.869399071 CEST	443	49734	54.159.116.102	192.168.2.3
May 31, 2022 08:54:51.869508028 CEST	49734	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:51.869661093 CEST	443	49735	54.159.116.102	192.168.2.3
May 31, 2022 08:54:51.869718075 CEST	49735	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:51.870099068 CEST	49735	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:51.875633955 CEST	49734	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:51.875664949 CEST	443	49734	54.159.116.102	192.168.2.3
May 31, 2022 08:54:51.875905037 CEST	443	49734	54.159.116.102	192.168.2.3
May 31, 2022 08:54:51.875986099 CEST	49734	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:51.912512064 CEST	443	49735	54.159.116.102	192.168.2.3
May 31, 2022 08:54:52.011889935 CEST	443	49735	54.159.116.102	192.168.2.3
May 31, 2022 08:54:52.011945009 CEST	443	49735	54.159.116.102	192.168.2.3
May 31, 2022 08:54:52.012021065 CEST	49735	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:52.012048960 CEST	443	49735	54.159.116.102	192.168.2.3
May 31, 2022 08:54:52.012063980 CEST	49735	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:52.012073040 CEST	443	49735	54.159.116.102	192.168.2.3
May 31, 2022 08:54:52.012093067 CEST	49735	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:52.012123108 CEST	49735	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:52.014030933 CEST	49735	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:52.014051914 CEST	443	49735	54.159.116.102	192.168.2.3
May 31, 2022 08:54:52.199892998 CEST	49734	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:52.206231117 CEST	49744	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:52.206291914 CEST	443	49744	54.159.116.102	192.168.2.3
May 31, 2022 08:54:52.206374884 CEST	49744	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:52.206993103 CEST	49744	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:52.207021952 CEST	443	49744	54.159.116.102	192.168.2.3
May 31, 2022 08:54:52.244489908 CEST	443	49734	54.159.116.102	192.168.2.3
May 31, 2022 08:54:52.339188099 CEST	443	49734	54.159.116.102	192.168.2.3
May 31, 2022 08:54:52.339232922 CEST	443	49734	54.159.116.102	192.168.2.3
May 31, 2022 08:54:52.339313030 CEST	49734	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:52.339323997 CEST	49734	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:52.339329004 CEST	443	49734	54.159.116.102	192.168.2.3
May 31, 2022 08:54:52.339385986 CEST	49734	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:52.344549894 CEST	49734	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:52.344579935 CEST	443	49734	54.159.116.102	192.168.2.3
May 31, 2022 08:54:52.619446039 CEST	443	49744	54.159.116.102	192.168.2.3
May 31, 2022 08:54:52.619549990 CEST	49744	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:52.623159885 CEST	49744	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:52.623181105 CEST	443	49744	54.159.116.102	192.168.2.3
May 31, 2022 08:54:52.626283884 CEST	49744	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:52.626301050 CEST	443	49744	54.159.116.102	192.168.2.3
May 31, 2022 08:54:52.766239882 CEST	443	49744	54.159.116.102	192.168.2.3
May 31, 2022 08:54:52.766279936 CEST	443	49744	54.159.116.102	192.168.2.3
May 31, 2022 08:54:52.766369104 CEST	443	49744	54.159.116.102	192.168.2.3
May 31, 2022 08:54:52.766431093 CEST	49744	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:52.766458035 CEST	49744	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:52.800247908 CEST	49744	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:52.800285101 CEST	443	49744	54.159.116.102	192.168.2.3
May 31, 2022 08:54:54.146353960 CEST	49753	443	192.168.2.3	104.21.84.241
May 31, 2022 08:54:54.146424055 CEST	443	49753	104.21.84.241	192.168.2.3
May 31, 2022 08:54:54.146500111 CEST	49754	443	192.168.2.3	104.21.84.241
May 31, 2022 08:54:54.146553040 CEST	49753	443	192.168.2.3	104.21.84.241
May 31, 2022 08:54:54.146575928 CEST	443	49754	104.21.84.241	192.168.2.3
May 31, 2022 08:54:54.146666050 CEST	49754	443	192.168.2.3	104.21.84.241
May 31, 2022 08:54:54.147491932 CEST	49754	443	192.168.2.3	104.21.84.241
May 31, 2022 08:54:54.147524118 CEST	443	49754	104.21.84.241	192.168.2.3
May 31, 2022 08:54:54.148077965 CEST	49753	443	192.168.2.3	104.21.84.241
May 31, 2022 08:54:54.148104906 CEST	443	49753	104.21.84.241	192.168.2.3
May 31, 2022 08:54:54.233316898 CEST	443	49753	104.21.84.241	192.168.2.3
May 31, 2022 08:54:54.233540058 CEST	49753	443	192.168.2.3	104.21.84.241
May 31, 2022 08:54:54.237004042 CEST	443	49754	104.21.84.241	192.168.2.3
May 31, 2022 08:54:54.237193108 CEST	49754	443	192.168.2.3	104.21.84.241
May 31, 2022 08:54:54.350498915 CEST	49754	443	192.168.2.3	104.21.84.241
May 31, 2022 08:54:54.350537062 CEST	443	49754	104.21.84.241	192.168.2.3
May 31, 2022 08:54:54.351155043 CEST	443	49754	104.21.84.241	192.168.2.3
May 31, 2022 08:54:54.351213932 CEST	49754	443	192.168.2.3	104.21.84.241
May 31, 2022 08:54:54.351224899 CEST	49754	443	192.168.2.3	104.21.84.241
May 31, 2022 08:54:54.356080055 CEST	49753	443	192.168.2.3	104.21.84.241
May 31, 2022 08:54:54.356137991 CEST	443	49753	104.21.84.241	192.168.2.3
May 31, 2022 08:54:54.356511116 CEST	443	49753	104.21.84.241	192.168.2.3
May 31, 2022 08:54:54.356580973 CEST	49753	443	192.168.2.3	104.21.84.241
May 31, 2022 08:54:54.392509937 CEST	443	49754	104.21.84.241	192.168.2.3
May 31, 2022 08:54:54.422770977 CEST	443	49754	104.21.84.241	192.168.2.3
May 31, 2022 08:54:54.422962904 CEST	49754	443	192.168.2.3	104.21.84.241
May 31, 2022 08:54:54.422975063 CEST	443	49754	104.21.84.241	192.168.2.3
May 31, 2022 08:54:54.423038960 CEST	49754	443	192.168.2.3	104.21.84.241
May 31, 2022 08:54:54.443377972 CEST	49754	443	192.168.2.3	104.21.84.241
May 31, 2022 08:54:54.443397999 CEST	443	49754	104.21.84.241	192.168.2.3
May 31, 2022 08:54:54.962934971 CEST	49756	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:54.962992907 CEST	443	49756	34.117.59.81	192.168.2.3
May 31, 2022 08:54:54.963084936 CEST	49756	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:54.963990927 CEST	49757	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:54.964025021 CEST	443	49757	34.117.59.81	192.168.2.3
May 31, 2022 08:54:54.964088917 CEST	49757	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:54.965014935 CEST	49756	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:54.965042114 CEST	443	49756	34.117.59.81	192.168.2.3
May 31, 2022 08:54:54.970436096 CEST	49757	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:54.970455885 CEST	443	49757	34.117.59.81	192.168.2.3
May 31, 2022 08:54:55.022983074 CEST	443	49756	34.117.59.81	192.168.2.3
May 31, 2022 08:54:55.023190975 CEST	49756	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:55.025037050 CEST	443	49757	34.117.59.81	192.168.2.3
May 31, 2022 08:54:55.025197983 CEST	49757	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:55.070542097 CEST	49758	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.070626974 CEST	443	49758	54.159.116.102	192.168.2.3
May 31, 2022 08:54:55.070736885 CEST	49758	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.071609974 CEST	49759	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.071666002 CEST	443	49759	54.159.116.102	192.168.2.3
May 31, 2022 08:54:55.071742058 CEST	49759	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.072678089 CEST	49758	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.072707891 CEST	443	49758	54.159.116.102	192.168.2.3
May 31, 2022 08:54:55.072923899 CEST	49759	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.072946072 CEST	443	49759	54.159.116.102	192.168.2.3
May 31, 2022 08:54:55.083329916 CEST	49756	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:55.083374023 CEST	443	49756	34.117.59.81	192.168.2.3
May 31, 2022 08:54:55.083918095 CEST	443	49756	34.117.59.81	192.168.2.3
May 31, 2022 08:54:55.084002972 CEST	49756	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:55.089149952 CEST	49757	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:55.089174986 CEST	443	49757	34.117.59.81	192.168.2.3
May 31, 2022 08:54:55.089498043 CEST	443	49757	34.117.59.81	192.168.2.3
May 31, 2022 08:54:55.089562893 CEST	49757	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:55.100291014 CEST	49756	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:55.140496016 CEST	443	49756	34.117.59.81	192.168.2.3
May 31, 2022 08:54:55.227031946 CEST	443	49756	34.117.59.81	192.168.2.3
May 31, 2022 08:54:55.227176905 CEST	443	49756	34.117.59.81	192.168.2.3
May 31, 2022 08:54:55.227200031 CEST	49756	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:55.227269888 CEST	49756	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:55.228033066 CEST	49756	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:55.228051901 CEST	443	49756	34.117.59.81	192.168.2.3
May 31, 2022 08:54:55.240410089 CEST	49757	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:55.280492067 CEST	443	49757	34.117.59.81	192.168.2.3
May 31, 2022 08:54:55.366149902 CEST	443	49757	34.117.59.81	192.168.2.3
May 31, 2022 08:54:55.366229057 CEST	49757	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:55.366241932 CEST	443	49757	34.117.59.81	192.168.2.3
May 31, 2022 08:54:55.366286039 CEST	49757	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:55.366286993 CEST	443	49757	34.117.59.81	192.168.2.3
May 31, 2022 08:54:55.366336107 CEST	49757	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:55.377759933 CEST	49757	443	192.168.2.3	34.117.59.81
May 31, 2022 08:54:55.377779961 CEST	443	49757	34.117.59.81	192.168.2.3
May 31, 2022 08:54:55.485467911 CEST	443	49759	54.159.116.102	192.168.2.3
May 31, 2022 08:54:55.485557079 CEST	49759	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.486320019 CEST	49759	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.486336946 CEST	443	49759	54.159.116.102	192.168.2.3
May 31, 2022 08:54:55.486680984 CEST	443	49758	54.159.116.102	192.168.2.3
May 31, 2022 08:54:55.486757994 CEST	49758	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.489244938 CEST	49759	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.489264011 CEST	443	49759	54.159.116.102	192.168.2.3
May 31, 2022 08:54:55.490093946 CEST	49758	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.490113974 CEST	443	49758	54.159.116.102	192.168.2.3
May 31, 2022 08:54:55.627366066 CEST	443	49759	54.159.116.102	192.168.2.3
May 31, 2022 08:54:55.627460003 CEST	49759	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.627481937 CEST	443	49759	54.159.116.102	192.168.2.3
May 31, 2022 08:54:55.627538919 CEST	49759	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.627590895 CEST	443	49759	54.159.116.102	192.168.2.3
May 31, 2022 08:54:55.627640963 CEST	49759	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.627928972 CEST	49759	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.627950907 CEST	443	49759	54.159.116.102	192.168.2.3
May 31, 2022 08:54:55.627966881 CEST	49759	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.628027916 CEST	49759	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.631202936 CEST	49758	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.631227970 CEST	443	49758	54.159.116.102	192.168.2.3
May 31, 2022 08:54:55.771651030 CEST	443	49758	54.159.116.102	192.168.2.3
May 31, 2022 08:54:55.771770954 CEST	49758	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.771816969 CEST	443	49758	54.159.116.102	192.168.2.3
May 31, 2022 08:54:55.771846056 CEST	443	49758	54.159.116.102	192.168.2.3
May 31, 2022 08:54:55.771888971 CEST	49758	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.771915913 CEST	49758	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.784425974 CEST	49758	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.784466982 CEST	443	49758	54.159.116.102	192.168.2.3
May 31, 2022 08:54:55.784498930 CEST	49758	443	192.168.2.3	54.159.116.102
May 31, 2022 08:54:55.784548044 CEST	49758	443	192.168.2.3	54.159.116.102
May 31, 2022 08:55:05.635210037 CEST	443	49733	68.65.123.146	192.168.2.3
May 31, 2022 08:55:05.635322094 CEST	443	49733	68.65.123.146	192.168.2.3
May 31, 2022 08:55:05.635348082 CEST	49733	443	192.168.2.3	68.65.123.146
May 31, 2022 08:55:05.635382891 CEST	49733	443	192.168.2.3	68.65.123.146
May 31, 2022 08:55:07.486295938 CEST	49760	443	192.168.2.3	54.159.116.102
May 31, 2022 08:55:07.486361980 CEST	443	49760	54.159.116.102	192.168.2.3
May 31, 2022 08:55:07.486464024 CEST	49760	443	192.168.2.3	54.159.116.102
May 31, 2022 08:55:07.489161015 CEST	49760	443	192.168.2.3	54.159.116.102
May 31, 2022 08:55:07.489192963 CEST	443	49760	54.159.116.102	192.168.2.3
May 31, 2022 08:55:07.911290884 CEST	443	49760	54.159.116.102	192.168.2.3
May 31, 2022 08:55:07.911413908 CEST	49760	443	192.168.2.3	54.159.116.102
May 31, 2022 08:55:07.931077957 CEST	49760	443	192.168.2.3	54.159.116.102
May 31, 2022 08:55:07.931121111 CEST	443	49760	54.159.116.102	192.168.2.3
May 31, 2022 08:55:07.931715012 CEST	443	49760	54.159.116.102	192.168.2.3
May 31, 2022 08:55:07.931802034 CEST	49760	443	192.168.2.3	54.159.116.102
May 31, 2022 08:55:07.932934046 CEST	49760	443	192.168.2.3	54.159.116.102
May 31, 2022 08:55:07.976519108 CEST	443	49760	54.159.116.102	192.168.2.3
May 31, 2022 08:55:08.072114944 CEST	443	49760	54.159.116.102	192.168.2.3
May 31, 2022 08:55:08.072221994 CEST	49760	443	192.168.2.3	54.159.116.102
May 31, 2022 08:55:08.072242022 CEST	443	49760	54.159.116.102	192.168.2.3
May 31, 2022 08:55:08.072304964 CEST	49760	443	192.168.2.3	54.159.116.102
May 31, 2022 08:55:08.072439909 CEST	443	49760	54.159.116.102	192.168.2.3
May 31, 2022 08:55:08.072510004 CEST	49760	443	192.168.2.3	54.159.116.102
May 31, 2022 08:55:08.072520018 CEST	49760	443	192.168.2.3	54.159.116.102
May 31, 2022 08:55:08.072525024 CEST	443	49760	54.159.116.102	192.168.2.3
May 31, 2022 08:55:08.072787046 CEST	49760	443	192.168.2.3	54.159.116.102
May 31, 2022 08:55:09.213732958 CEST	443	49753	104.21.84.241	192.168.2.3
May 31, 2022 08:55:09.213859081 CEST	443	49753	104.21.84.241	192.168.2.3
May 31, 2022 08:55:09.213916063 CEST	49753	443	192.168.2.3	104.21.84.241
May 31, 2022 08:55:09.213959932 CEST	49753	443	192.168.2.3	104.21.84.241

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 31, 2022 08:54:50.063900948 CEST	57723	53	192.168.2.3	8.8.8.8
May 31, 2022 08:54:50.084374905 CEST	53	57723	8.8.8.8	192.168.2.3
May 31, 2022 08:54:51.396872044 CEST	58116	53	192.168.2.3	8.8.8.8
May 31, 2022 08:54:51.418437004 CEST	53	58116	8.8.8.8	192.168.2.3
May 31, 2022 08:54:54.123126984 CEST	65358	53	192.168.2.3	8.8.8.8
May 31, 2022 08:54:54.143867016 CEST	53	65358	8.8.8.8	192.168.2.3
May 31, 2022 08:54:54.830082893 CEST	49873	53	192.168.2.3	8.8.8.8
May 31, 2022 08:54:54.848912001 CEST	53	49873	8.8.8.8	192.168.2.3
May 31, 2022 08:55:07.463335991 CEST	53802	53	192.168.2.3	8.8.8.8
May 31, 2022 08:55:07.482964039 CEST	53	53802	8.8.8.8	192.168.2.3

Timestamp	Direction	Data
2022-05-31 06:54:50 UTC	OUT	GET /sign.html HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: plentyequipment.com Connection: Keep-Alive
2022-05-31 06:54:50 UTC	IN	HTTP/1.1 200 OK keep-alive: timeout=5, max=100 content-type: text/html last-modified: Tue, 31 May 2022 06:19:25 GMT accept-ranges: bytes content-length: 2929 date: Tue, 31 May 2022 06:54:50 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close
2022-05-31 06:54:50 UTC	IN	Data Raw: 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 3c 21 2d 2d 0d 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 75 6e 65 73 63 61 70 65 28 27 25 33 43 25 36 38 25 37 34 25 36 44 25 36 43 25 33 45 25 30 41 25 33 43 25 37 33 25 36 33 25 37 32 25 36 39 25 37 30 25 37 34 25 32 30 25 37 34 25 37 39 25 37 30 25 36 35 25 33 44 25 32 32 25 37 34 25 36 35 25 37 38 25 37 34 25 32 46 25 36 41 25 36 31 25 37 36 25 36 31 25 37 33 25 36 33 25 37 32 25 36 39 25 37 30 25 37 34 25 32 32 25 33 45 25 30 41 25 32 30 25 32 30 25 32 30 25 30 41 25 32 30 25 32 30 25 32 30 25 32 46 25 32 46 25 37 36 25 36 31 25 37 32 25 32 30 25 37 36 25 37 33 25 37 32 25 32 30 25 33 44 25 32 30 25 36 37 25 36 35 25 37 34 25 35 35 25 37 32 25 36 43 Data Ascii: <script language="javascript">...document.write(unescape('%3C%68%74%6D%6C%3E%0A%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%0A%20%20%20%0A%20%20%20%2F%2F%76%61%72%20%76%73%72%20%3D%20%67%65%74%55%72%6C

Timestamp	kBytes transferred	Direction	Data
2022-05-31 06:54:51 UTC	3	OUT	GET /general/noRobot.html?usr=Peter.Kueppers@verbio.de&interceptiontype=VerifyLogin&interceptiontype=VerifyLogin&service=freemail&successURL=https%3A%2F%sharepoint%2Flogin&statistics=xRbXFc8VKmF6s%2Frp6a5qP4z%2FNdyBHKIvfVNtKKZ%2FMq1vzDMmvcNacavpkSKc0VdsoMzKeZnxxL%2Fl2FTNDJCnPcIHjxpzAgCgOro1V2sZbBxg%3D%3D&username=sdada&requestSecurityToken=9f8d7962-0d22-4c86-8ab0-862cfe04d2e9 HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Referer: https://plentyequipment.com/sign.html Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: salty-wildwood-51825.herokuapp.com Connection: Keep-Alive
2022-05-31 06:54:52 UTC	4	IN	HTTP/1.1 200 OK Connection: close Date: Tue, 31 May 2022 06:54:51 GMT Server: Apache Last-Modified: Tue, 31 May 2022 03:44:28 GMT Etag: "1921-5e04696ecff00" Accept-Ranges: bytes Content-Length: 6433 Content-Type: text/html Via: 1.1 vegur
2022-05-31 06:54:52 UTC	4	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 69 64 3d 22 53 74 65 6e 63 69 6c 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0a 20 20 20 20 20 20 20 20 3c Data Ascii: <!DOCTYPE html><html id="Stencil" class="no-js"> <head> <meta charset="utf-8"> <meta name="viewport" content="initial-scale=1, maximum-scale=1, user-scalable=0"/> <meta name="format-detection" content="telephone=no"> <

Timestamp	kBytes transferred	Direction	Data
2022-05-31 06:54:52 UTC	10	OUT	GET /general/geo.js HTTP/1.1 Accept: application/javascript, /;q=0.8 Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: salty-wildwood-51825.herokuapp.com Connection: Keep-Alive
2022-05-31 06:54:52 UTC	10	IN	HTTP/1.1 200 OK Connection: close Date: Tue, 31 May 2022 06:54:52 GMT Server: Apache Last-Modified: Tue, 31 May 2022 03:44:28 GMT Etag: "6e6-5e04696ecff00" Accept-Ranges: bytes Content-Length: 1766 Content-Type: application/javascript Via: 1.1 vegur
2022-05-31 06:54:52 UTC	11	IN	Data Raw: 2f 2f 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 33 2e 33 2e 31 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a 0a 0a 0a 0a 66 75 6e 63 74 69 6f 6e 20 67 65 74 43 6f 75 6e 74 72 79 28 29 7b 0a 09 76 61 72 20 49 50 61 64 64 72 65 73 73 20 3d 20 6d 79 49 50 28 29 3b 0a 24 2e 67 65 74 4a 53 4f 4e 28 22 68 74 74 70 73 3a 2f 2f 69 70 69 6e 66 6f 2e 69 6f 2f 22 2b 49 50 61 64 64 72 65 73 73 2c 20 66 75 6e 63 74 69 6f 6e 28 64 61 74 61 29 20 7b 0a 20 20 20 20 76 61 72 20 6c 6f 63 20 3d 20 64 61 74 61 2e 63 6f 75 6e 74 72 79 3b 0a 09 24 28 22 23 6c 6f 63 22 29 2e 76 61 6c 28 6c 6f 63 29 3b 0a 09 67 65 Data Ascii: //<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>function getCountry(){var IPaddress = myIP();$.getJSON("https://ipinfo.io/"+IPaddress, function(data) { var loc = data.country;$("#loc").val(loc);ge

Timestamp	kBytes transferred	Direction	Data
2022-05-31 06:54:52 UTC	12	OUT	GET /general/download.png HTTP/1.1 Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5 Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: salty-wildwood-51825.herokuapp.com Connection: Keep-Alive
2022-05-31 06:54:52 UTC	13	IN	HTTP/1.1 200 OK Connection: close Date: Tue, 31 May 2022 06:54:52 GMT Server: Apache Last-Modified: Tue, 31 May 2022 03:44:28 GMT Etag: "ad2-5e04696ecff00" Accept-Ranges: bytes Content-Length: 2770 Content-Type: image/png Via: 1.1 vegur
2022-05-31 06:54:52 UTC	13	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 c8 00 00 00 c8 08 03 00 00 00 9a 86 5e ac 00 00 00 b1 50 4c 54 45 ff ff ff ab ab ab 42 85 f4 1c 3a a9 a6 a6 a6 10 2f a4 3a 80 f4 a9 b4 de cf cf cf ae ae ae b5 b5 b5 d4 d4 d4 ca ca ca e9 e9 e9 f2 f2 f2 c5 c5 c5 61 99 f6 bd bd bd e0 e0 e0 dd e2 f2 b1 ad a7 7a a9 f7 85 9d c7 1e 42 b3 f9 f9 f9 33 4e b2 e0 eb fd de de de ba ba ba 0e 2e a4 ec ec ec 15 34 a7 50 67 bd 43 5b b8 c4 cc e9 6c 7f c7 85 96 d1 f5 f8 fe 95 bb f9 36 7a ef 6d a1 f7 5f 74 c2 9d c0 f9 76 88 cb cb dd fc d9 e7 fd 26 43 ad 9c a9 d9 aa c8 fa bf d6 fb 04 25 a0 8a b3 f8 d2 d8 ee 91 9f d5 e9 ec f6 50 8e f5 b7 c1 e4 c3 d9 fb 8c a1 c4 e8 5f 95 b7 00 00 09 dc 49 44 41 54 78 9c ed 9c 7b 7b a3 28 14 87 63 43 ac 57 1c ed ce 0e ad d6 f4 36 f7 4e 67 Data Ascii: PNGIHDR^PLTEB:/:azB3N.4PgC[l6zm_tv&C%P_IDATx{{(cCW6Ng

Timestamp	kBytes transferred	Direction	Data
2022-05-31 06:54:54 UTC	16	OUT	GET /get_html.php HTTP/1.1 Accept: / Accept-Language: en-US Origin: https://salty-wildwood-51825.herokuapp.com Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api.hostip.info Connection: Keep-Alive
2022-05-31 06:54:54 UTC	16	IN	HTTP/1.1 200 OK Date: Tue, 31 May 2022 06:54:54 GMT Content-Type: text/plain; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Expires: Wed, 01 Jun 2022 06:54:54 GMT Last-Modified: Tue, 31 May 2022 06:54:54 GMT Cache-Control: public, max-age=86400 Pragma: !invalid Access-Control-Allow-Origin: * Strict-Transport-Security: max-age=31536000 CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=FOGhY0tYbpUgVC1oSpDB%2F0CFZ65zNsHldRP%2BdNQKSWhTpWDbOz11fq3hYTtG3m0VsYpynO0BeQMp%2FFr4XfQyEtvLhEkzi6vDMp4YjxxBDy66qAEqUWWos47bL9Qi476uNc8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 713dcd05cbda7525-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2022-05-31 06:54:54 UTC	17	IN	Data Raw: 34 61 0d 0a 43 6f 75 6e 74 72 79 3a 20 28 55 6e 6b 6e 6f 77 6e 20 43 6f 75 6e 74 72 79 3f 29 20 28 58 58 29 0a 43 69 74 79 3a 20 28 55 6e 6b 6e 6f 77 6e 20 43 69 74 79 3f 29 0a 49 50 3a 20 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 32 0a 0d 0a Data Ascii: 4aCountry: (Unknown Country?) (XX)City: (Unknown City?)IP: 102.129.143.42
2022-05-31 06:54:54 UTC	17	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2022-05-31 06:54:55 UTC	17	OUT	GET /%20102.129.143.42 HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-US Origin: https://salty-wildwood-51825.herokuapp.com Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: ipinfo.io Connection: Keep-Alive
2022-05-31 06:54:55 UTC	17	IN	HTTP/1.1 302 Found access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin location: /102.129.143.42 vary: Accept, Accept-Encoding content-type: text/plain; charset=utf-8 content-length: 37 date: Tue, 31 May 2022 06:54:55 GMT x-envoy-upstream-service-time: 2 strict-transport-security: max-age=2592000; includeSubDomains Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2022-05-31 06:54:55 UTC	18	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 2f 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 32 Data Ascii: Found. Redirecting to /102.129.143.42

Timestamp	kBytes transferred	Direction	Data
2022-05-31 06:54:55 UTC	18	OUT	GET /102.129.143.42 HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-US Origin: https://salty-wildwood-51825.herokuapp.com Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: ipinfo.io Connection: Keep-Alive
2022-05-31 06:54:55 UTC	18	IN	HTTP/1.1 200 OK access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin content-type: application/json; charset=utf-8 content-length: 251 date: Tue, 31 May 2022 06:54:55 GMT x-envoy-upstream-service-time: 1 strict-transport-security: max-age=2592000; includeSubDomains vary: Accept-Encoding Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2022-05-31 06:54:55 UTC	19	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 32 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 48 c3 bc 6e 65 6e 62 65 72 67 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 5a 75 67 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 43 48 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 37 2e 31 37 35 34 2c 38 2e 34 32 35 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 32 31 32 32 33 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 36 33 33 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 0a 20 20 22 72 65 61 64 6d 65 22 3a 20 22 68 74 74 70 73 3a 2f 2f 69 70 69 6e 66 6f 2e 69 6f 2f 6d 69 73 73 69 6e 67 61 75 74 68 22 0a 7d Data Ascii: { "ip": "102.129.143.42", "city": "Hnenberg", "region": "Zug", "country": "CH", "loc": "47.1754,8.4250", "org": "AS212238 Datacamp Limited", "postal": "6331", "timezone": "Europe/Zurich", "readme": "https://ipinfo.io/missingauth"}

Timestamp	kBytes transferred	Direction	Data
2022-05-31 06:54:55 UTC	19	OUT	GET /general/ HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: salty-wildwood-51825.herokuapp.com Connection: Keep-Alive
2022-05-31 06:54:55 UTC	19	IN	HTTP/1.1 403 Forbidden Connection: close Date: Tue, 31 May 2022 06:54:55 GMT Server: Apache Content-Length: 199 Content-Type: text/html; charset=iso-8859-1 Via: 1.1 vegur
2022-05-31 06:54:55 UTC	19	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p></body></html>

Timestamp	kBytes transferred	Direction	Data
2022-05-31 06:54:55 UTC	19	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: salty-wildwood-51825.herokuapp.com Connection: Keep-Alive
2022-05-31 06:54:55 UTC	20	IN	HTTP/1.1 404 Not Found Connection: close Date: Tue, 31 May 2022 06:54:55 GMT Server: Apache Content-Length: 196 Content-Type: text/html; charset=iso-8859-1 Via: 1.1 vegur
2022-05-31 06:54:55 UTC	20	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Timestamp	kBytes transferred	Direction	Data
2022-05-31 06:55:07 UTC	20	OUT	GET /general/ HTTP/1.1 User-Agent: AutoIt Host: salty-wildwood-51825.herokuapp.com
2022-05-31 06:55:08 UTC	20	IN	HTTP/1.1 403 Forbidden Connection: close Date: Tue, 31 May 2022 06:55:07 GMT Server: Apache Content-Length: 199 Content-Type: text/html; charset=iso-8859-1 Via: 1.1 vegur
2022-05-31 06:55:08 UTC	20	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p></body></html>

Target ID:	1
Start time:	08:54:47
Start date:	31/05/2022
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Imagebase:	0x7ff6825d0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	2
Start time:	08:54:48
Start date:	31/05/2022
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:17410 /prefetch:2
Imagebase:	0x11b0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://plentyequipment.com/sign.html#UGV0ZXIuS3VlcHBlcnNAdmVyYmlvLmRl&referrer=nonreferrer

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\102.129.143[1].json

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\noRobot[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\get_html[1].php

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\geo[1].js

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\jquery.min[1].js

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\sign[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\download[1].png

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Windows Analysis Report
https://plentyequipment.com/sign.html#UGV0ZXIuS3VlcHBlcnNAdmVyYmlvLmRl&referrer=nonreferrer

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre