
ID: 276764
Cookbook: browseurl.jbs
Time: 13:55:32
Date: 25/08/2020
Version: 29.0.0 Ocean Jasper

Analysis Report: http:/\tr.subscribermail.com/cc.cfm?sendto=http:/\recp.mkt91.net/ctt?m=804040&r=Njg0NjYxMDU1NQS2&b=0&j=NjAwMDczOTg3S0&k=NCLogo&kx=1&kt=12&kd=https:/\t.dripemail2.com/c/eyJhY2NvdW50X2lkIjoiNDgxODMzMSIsImRlbGl2ZXJ5X2lkIjoibTllYTV3NTFkdWFsbWJpaTdhcmgiLCJ1cmwiOiJodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vc2hha2RqaHBvczEuYXBwc3BvdC5jb20vaW5kZXguaHRtbCJ9#c3VuaWwubWVub25AYWVyaWVzdGVjaG5vbG9neS5jb20=

Table of Contents

Table of Contents 2
Overview 3
General Information 3
Detection 3
Signatures 3
Classification 3
Startup 3
Malware Configuration 3
Yara Overview 4
Sigma Overview 4
Signature Overview 4
Mitre Att&ck Matrix 4
Behavior Graph 4
Screenshots 5
Thumbnails 5
Antivirus, Machine Learning and Genetic Malware Detection 6
Initial Sample 6
Dropped Files 6
Unpacked PE Files 6
Domains 6
URLs 6
Domains and IPs 7
Contacted Domains 7
Contacted IPs 7
General Information 7
Simulations 8
Behavior and APIs 8
Joe Sandbox View / Context 8
IPs 8
Domains 8
ASN 9
JA3 Fingerprints 9
Dropped Files 9
Created / dropped Files 9
Static File Info 10
No static file info 10
Network Behavior 10
UDP Packets 10
DNS Queries 11
DNS Answers 11
Code Manipulations 11
Statistics 12
Behavior 12
System Behavior 12
Analysis Process: iexplore.exe PID: 7136 Parent PID: 800 12
General 12
File Activities 12
Registry Activities 12
Analysis Process: iexplore.exe PID: 5816 Parent PID: 7136 13
General 13
File Activities 13
Registry Activities 13
Analysis Process: ssvagent.exe PID: 1276 Parent PID: 5816 13
General 13
Registry Activities 13
Disassembly 13

Copyright null 2020 Page 2 of 13 Analysis Report http:/\tr.subscribermail.com/cc.cfm?se…ndto=http:/\recp.mkt91.net/ctt?m=804040&r=Njg0NjYxMDU1NQS2&b=0&j=NjAwMDczOTg3S0&k=NCLogo&kx=1&kt=12&kd=https:/\t.dripemail2.com/c/eyJhY2NvdW50X2lkIjoiNDgxODMzMSIsImRlbGl2ZXJ5X2lkIjoibTllYTV3NTFkdWFsbWJpaTdhcmgiLCJ1cmwiOiJodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vc2hha2RqaHBvczEuYXBwc3BvdC5jb20vaW5kZXguaHRtbCJ9#c3VuaWwubWVub25AYWVyaWVzdGVjaG5vbG9neS5jb20=

Overview

General Information / Detection / Signatures / Classification

Sample URL: http:/\tr.subscribermail.com/cc.cfm?sendto=http:/\recp.mkt91.net/ctt?m=804040&r=Njg0NjYxMDU1NQS2&b=0&j=NjAwMDczOTg3S0&k=NCLogo&kx=1&kt=12&kd=https:/\t.dripemail2.com/c/eyJhY2NvdW50X2lkIjoiNDgxODMzMSIsImRlbGl2ZXJ5X2lkIjoibTllYTV3NTFkdWFsbWJpaTdhcmgiLCJ1cmwiOiJodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vc2hha2RqaHBvczEuYXBwc3BvdC5jb20vaW5kZXguaHRtbCJ9#c3VuaWwubWVub25AYWVyaWVzdGVjaG5vbG9neS5jb20=
Analysis ID: 276764
Detection: No high impact signatures.
Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Startup

System is w10x64
iexplore.exe (PID: 7136 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  iexplore.exe (PID: 5816 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7136 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    ssvagent.exe (PID: 1276 cmdline: 'C:\PROGRA~2\Java\JRE18~1.0_2\bin\ssvagent.exe' -new MD5: A3DBA514D38464A5C5A9DEA19E6159F9)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection


There are no malicious signatures.

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts
Defense Evasion: Masquerading 1; Process Injection 1
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: File and Directory Discovery 1; Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Non-Application Layer Protocol 1; Application Layer Protocol 1
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Behavior Graph

[Behavior Graph figure] ID: 276764, URL: http:/\tr.subscribermail.co..., Startdate: 25/08/2020, Architecture: WINDOWS, Score: 0.
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.
Graph: iexplore.exe started iexplore.exe, which started ssvagent.exe; iexplore.exe contacted cdn.onenote.net (Internet). Node counts shown in the figure: 14, 61, 14, 501.

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: http:/\tr.subscribermail.com/cc.cfm?sendto=http:/\recp.mkt91.net/ctt?m=804040&r=Njg0NjYxMDU1NQS2&b=0&j=NjAwMDczOTg3S0&k=NCLogo&kx=1&kt=12&kd=https:/\t.dripemail2.com/c/eyJhY2NvdW50X2lkIjoiNDgxODMzMSIsImRlbGl2ZXJ5X2lkIjoibTllYTV3NTFkdWFsbWJpaTdhcmgiLCJ1cmwiOiJodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vc2hha2RqaHBvczEuYXBwc3BvdC5jb20vaW5kZXguaHRtbCJ9#c3VuaWwubWVub25AYWVyaWVzdGVjaG5vbG9neS5jb20=
Detection: 0%
Scanner: Avira URL Cloud
Label: safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source: cdn.onenote.net
Detection: 1%
Scanner: Virustotal
Link: Browse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name: cdn.onenote.net
IP: unknown
Active: unknown
Malicious: false
Antivirus Detection: 1%, Virustotal, Browse
Reputation: unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 29.0.0 Ocean Jasper
Analysis ID: 276764
Start date: 25.08.2020
Start time: 13:55:32
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 48s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: http:/\tr.subscribermail.com/cc.cfm?sendto=http:/\recp.mkt91.net/ctt?m=804040&r=Njg0NjYxMDU1NQS2&b=0&j=NjAwMDczOTg3S0&k=NCLogo&kx=1&kt=12&kd=https:/\t.dripemail2.com/c/eyJhY2NvdW50X2lkIjoiNDgxODMzMSIsImRlbGl2ZXJ5X2lkIjoibTllYTV3NTFkdWFsbWJpaTdhcmgiLCJ1cmwiOiJodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vc2hha2RqaHBvczEuYXBwc3BvdC5jb20vaW5kZXguaHRtbCJ9#c3VuaWwubWVub25AYWVyaWVzdGVjaG5vbG9neS5jb20=
Analysis system description: w10x64 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 38
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.win@5/4@1/0
Cookbook Comments: Adjust boot time; Enable AMSI

Warnings:
Max analysis timeout: 720s exceeded, the analysis took too long
Exclude process from analysis (whitelisted): MpCmdRun.exe, WinStore.App.exe, RuntimeBroker.exe, .Photos.exe, backgroundTaskHost.exe, ApplicationFrameHost.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, HxTsr.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.54.113.104, 95.100.50.217, 51.104.146.109, 51.143.111.7, 52.184.221.185, 23.210.254.117, 152.199.19.161, 23.0.174.185, 23.0.174.184, 40.67.254.36, 52.164.221.179, 95.100.62.38, 52.155.217.156, 51.104.139.180, 23.54.113.45
Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, cdn.onenote.net.edgekey.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, go.microsoft.com, db5p.wns.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, ie9comview.vo.msecnd.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, emea2.notify.windows.com.akadns.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, e1553.dspg.akamaiedge.net, e16646.dscg.akamaiedge.net, cs9.wpc.v0cdn.net
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtSetValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6E456424-E715-11EA-90E0-ECF4BB2D2496}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Size (bytes): 24664
Entropy (8bit): 1.7919709464004527
Encrypted: false
MD5: 2FBC8A75223C9C89418199FF7638AE4C
SHA1: 03AF9F651A355633B20AE458A53EDE5DC5888C93
SHA-256: 973BD0B87858BE55E69B0710707E13B87634AD9AB2B83C3D0BD1458B9C16A184
SHA-512: EB2826D3A047727E43DEC241E143F9C945CDE269418A524E0F594EB6D809C0168B2D626682AAAA291FD69AD8429FF96434BA99FB1B82DC6A6152A42F2B4ED556
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6E456426-E715-11EA-90E0-ECF4BB2D2496}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Size (bytes): 16984
Entropy (8bit): 1.5738313034139322
Encrypted: false
MD5: D27045D16C29505794C04B83AA9F82B8
SHA1: 9E02AC1C233A3E694EBC87924ECA9257245362CA
SHA-256: 85903298D3BE9A55A2F6422A23EC71DDAA101B425D89D8CE590372F6258792E9
SHA-512: A80215FC03C02F14C5BE7BE76B539B748F81893EB42838002C9F045B18D0CFA3C658AE034F3F48E272421DB9BC6810FDAB3705F4F50D9B71E9FF0EF645E8A8D9
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Temp\~DF5C659190E9A91A20.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Size (bytes): 12965
Entropy (8bit): 0.43132591019721706
Encrypted: false
MD5: 46E494AD2E164C01D910600291616CDB
SHA1: D30C4980427C7C3B464B916B77C550238F0AAF19
SHA-256: BB003950C399C74E449F12AB5F97673A26FF3D1D505B27E12027A297600B6F5A
SHA-512: 890CC79D6EC0B0B5F31224BF4773F0718A8A72555EAA872BC52F63A9E014E1CBC984666CA2C2596926A2E68BB5D156C1ECC58F58ADF658E809C8A83D15A375E0
Malicious: false
Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

C:\Users\user\AppData\Local\Temp\~DF86D51FA198F09519.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Size (bytes): 25657
Entropy (8bit): 0.3137788287401588
Encrypted: false
MD5: 2738CCA6F7415A1D2A30F1DDDFB78757
SHA1: 6A2BD9DF3C4D8A168EDD059D18119C8DA443B78D
SHA-256: 0E1E15B0EB0A11B035A6D8CD5189ECA497EF70F8C4392B20C2855905DF5BAF1A
SHA-512: 4DB726D3F7CD9176FDFFABD94507A6B3021F0486B624455710730D42244A354C52A0AB5A0AFA3A41556FFD705CB45DBA4B70A802D69DD1ECF8DE8A219B09AF2C
Malicious: false
Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

Static File Info

No static file info

Network Behavior

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 25, 2020 13:56:19.925179958 CEST | 55903 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:56:19.976572037 CEST | 53 | 55903 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:56:23.455240011 CEST | 62504 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:56:23.486339092 CEST | 53 | 62504 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:56:40.993807077 CEST | 64005 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:56:41.005744934 CEST | 53 | 64005 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:56:47.175070047 CEST | 58250 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:56:47.187535048 CEST | 53 | 58250 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:56:48.283813000 CEST | 64093 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:56:48.298098087 CEST | 53 | 64093 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:56:49.416007996 CEST | 60184 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:56:49.427900076 CEST | 53 | 60184 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:56:51.525242090 CEST | 61957 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:56:51.554671049 CEST | 53 | 61957 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:56:53.458224058 CEST | 65261 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:56:53.470546007 CEST | 53 | 65261 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:56:54.275387049 CEST | 49772 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:56:54.304178953 CEST | 53 | 49772 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:56:54.453933954 CEST | 65261 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:56:54.466326952 CEST | 53 | 65261 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:56:55.283041954 CEST | 49772 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:56:55.296622992 CEST | 53 | 49772 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:56:55.469274044 CEST | 65261 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:56:55.481571913 CEST | 53 | 65261 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:56:56.297156096 CEST | 49772 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:56:56.310302973 CEST | 53 | 49772 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:56:57.469552040 CEST | 65261 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:56:57.491501093 CEST | 53 | 65261 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:56:58.312800884 CEST | 49772 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:56:58.325442076 CEST | 53 | 49772 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:57:01.560734987 CEST | 65261 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:57:01.573786020 CEST | 53 | 65261 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:57:02.331465006 CEST | 49772 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:57:02.349052906 CEST | 53 | 49772 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:57:06.601653099 CEST | 65371 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:57:06.622373104 CEST | 53 | 65371 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:57:09.547142029 CEST | 50551 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:57:09.594177961 CEST | 53 | 50551 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:57:11.980957031 CEST | 50267 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:57:11.992810011 CEST | 53 | 50267 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:57:16.649878025 CEST | 60490 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:57:16.677453041 CEST | 53 | 60490 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:57:47.985073090 CEST | 50785 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:57:48.015849113 CEST | 53 | 50785 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:58:08.866951942 CEST | 58685 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:58:08.896536112 CEST | 53 | 58685 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:58:09.366996050 CEST | 51112 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:58:09.380146027 CEST | 53 | 51112 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:58:09.767410994 CEST | 58964 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:58:09.885241032 CEST | 59666 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:58:09.897408962 CEST | 53 | 59666 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:58:09.926121950 CEST | 53 | 58964 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:58:10.214541912 CEST | 52686 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:58:10.225677013 CEST | 59571 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:58:10.241560936 CEST | 53 | 52686 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:58:10.290813923 CEST | 53 | 59571 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:58:10.724383116 CEST | 65152 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:58:10.736639023 CEST | 53 | 65152 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:58:11.236833096 CEST | 59302 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:58:11.249444008 CEST | 53 | 59302 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:58:11.768764019 CEST | 64051 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:58:11.781346083 CEST | 53 | 64051 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:58:12.102243900 CEST | 63901 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:58:12.115344048 CEST | 53 | 63901 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:58:13.128391981 CEST | 49983 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:58:13.141319990 CEST | 53 | 49983 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 13:58:13.724555016 CEST | 55928 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 13:58:13.737231016 CEST | 53 | 55928 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 14:00:53.514820099 CEST | 50258 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 14:00:53.572707891 CEST | 53 | 50258 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 14:02:49.027245045 CEST | 51888 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 14:02:49.039232016 CEST | 53 | 51888 | 8.8.8.8 | 192.168.2.6
Aug 25, 2020 14:03:16.889951944 CEST | 53675 | 53 | 192.168.2.6 | 8.8.8.8
Aug 25, 2020 14:03:16.923758030 CEST | 53 | 53675 | 8.8.8.8 | 192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 25, 2020 13:57:47.985073090 CEST | 192.168.2.6 | 8.8.8.8 | 0x5870 | Standard query (0) | cdn.onenote.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 25, 2020 13:57:48.015849113 CEST | 8.8.8.8 | 192.168.2.6 | 0x5870 | No error (0) | cdn.onenote.net | cdn.onenote.net.edgekey.net | | CNAME (Canonical name) | IN (0x0001)

Code Manipulations

Statistics

Behavior

• iexplore.exe
• iexplore.exe
• ssvagent.exe


System Behavior

Analysis Process: iexplore.exe PID: 7136 Parent PID: 800

General

Start time: 13:56:22
Start date: 25/08/2020
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff6897c0000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: iexplore.exe PID: 5816 Parent PID: 7136

General

Start time: 13:56:23
Start date: 25/08/2020
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7136 CREDAT:17410 /prefetch:2
Imagebase: 0x830000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Completion Count Address Symbol

Analysis Process: ssvagent.exe PID: 1276 Parent PID: 5816

General

Start time: 13:56:24
Start date: 25/08/2020
Path: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Wow64 process (32bit): true
Commandline: 'C:\PROGRA~2\Java\JRE18~1.0_2\bin\ssvagent.exe' -new
Imagebase: 0x870000
File size: 57720 bytes
MD5 hash: A3DBA514D38464A5C5A9DEA19E6159F9
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Disassembly
