Proof of payment2.html
This report was generated from a file or URL submitted to this web service on February 2nd 2018 16:10:46 (UTC), using the action script "Default browser analysis".
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v7.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Network Behavior: Contacts 2 domains and 1 host.
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (1)
External Systems
Sample was identified as malicious by at least one Antivirus engine
- details: 1/59 Antivirus vendors marked sample as malicious (1% detection rate)
- source: External System
- relevance: 8/10
Suspicious Indicators (4)
Anti-Reverse Engineering
Possibly checks for known debuggers/analysis tools
- details: "download.sysinternals.com" (Indicator: "sysinternals")
- source: File/Memory
- relevance: 2/10
Ransomware/Banking
Detected text artifact in screenshot that indicates the file could be ransomware
- details:
  - "proofofpayment.)pg" (Source: screen_3.png, Indicator: "payment")
  - "payme,t" (Source: screen_3.png, Indicator: "payment")
- source: File/Memory
- relevance: 10/10
Spyware/Information Retrieval
Found an instant messenger related domain
- details:
  - "*.cdn.skype.com" (Indicator: "skype.com"; File: "network.pcap")
  - "*.dev.skype.com" (Indicator: "skype.com"; File: "network.pcap")
  - "do.skype.com" (Indicator: "skype.com"; File: "network.pcap")
- source: File/Memory
- relevance: 10/10
Unusual Characteristics
Checks for a resource fork (ADS) file
- details: "iexplore.exe" checked file "C:"
- source: API Call
- relevance: 5/10
Informative (15)
Anti-Reverse Engineering
Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details: "iexplore.exe" is protecting 8192 bytes with PAGE_GUARD access rights
- source: API Call
- relevance: 10/10
General
Contacts domains
- details:
  - "ssl.gstatic.com"
  - "lh5.googleusercontent.com"
- source: Network Traffic
- relevance: 1/10
Contacts server
- details: "2.22.48.33:80"
- source: Network Traffic
- relevance: 1/10
Creates mutants
- source: Created Mutant
- relevance: 3/10
Drops files marked as clean
- details: Antivirus vendors marked dropped file "urlblockindex[1].bin" as clean (type is "data")
- source: Binary File
- relevance: 10/10
Launches a browser
- details: Launches browser "iexplore.exe"
- source: Monitored Target
- relevance: 3/10
Scanning for window names
- details:
  - "iexplore.exe" searching for class "Shell_TrayWnd"
  - "iexplore.exe" searching for class "ImmersiveWorkerWindowClass"
- source: API Call
- relevance: 10/10
Spawns new processes
- details: Spawned process "iexplore.exe" with commandline "SCODEF:3316 CREDAT:275457 /prefetch:2"
- source: Monitored Target
- relevance: 3/10
Installation/Persistence
Creates new processes
- details: "iexplore.exe" is creating a new process (Name: "%PROGRAMFILES%\Internet Explorer\iexplore.exe", Handle: 884)
- source: API Call
- relevance: 8/10
Dropped files
- source: Binary File
- relevance: 3/10
Found a string that may be used as part of an injection method
- details: "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source: File/Memory
- relevance: 4/10
Network Related
Found potential URL in binary/memory
- source: File/Memory
- relevance: 10/10
Spyware/Information Retrieval
Found a reference to a known community page
- details:
  - "*.youtube-nocookie.com" (Indicator: "youtube")
  - "*.youtube.com" (Indicator: "youtube")
  - "*.youtubeeducation.com" (Indicator: "youtube")
  - "youtube.com" (Indicator: "youtube")
  - "youtubeeducation.com" (Indicator: "youtube")
- source: File/Memory
- relevance: 7/10
Unusual Characteristics
Drops cabinet archive files
- details:
  - "CabD334.tmp" has type "Microsoft Cabinet archive data 54018 bytes 1 file"
  - "CabD355.tmp" has type "Microsoft Cabinet archive data 54018 bytes 1 file"
  - "77EC63BDA74BD0D0E0426DC8F8008506" has type "Microsoft Cabinet archive data 54018 bytes 1 file"
- source: Binary File
- relevance: 10/10
Installs hooks/patches the running process
- source: Hook Detection
- relevance: 10/10
File Details
- Filename: Proof of payment2.html
- Size: 346KiB (354415 bytes)
- Type: html
- Description: HTML document, ASCII text, with very long lines, with CRLF line terminators
- Architecture: WINDOWS
- SHA256: c0010fe419a912a4fafdaa2085fe06ab27b6a3024c3f0aa2b8c23df6d59eae27
- MD5: a689be91b693b88c0eafe4ecc8e70ca2
- SHA1: ab62422d0b47e8d6d1379dd9058dd5da9d5f73b2
Classification (TrID)
- 100.0% (.HTML) HyperText Markup Language
Hybrid Analysis
Analysed 2 processes in total.
- iexplore.exe C:\c0010fe419a912a4fafdaa2085fe06ab27b6a3024c3f0aa2b8c23df6d59eae27.html (PID: 3316)
- iexplore.exe SCODEF:3316 CREDAT:275457 /prefetch:2 (PID: 3524)
Network Analysis
DNS Requests
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
2.22.48.33 | 80 TCP | svchost.exe PID: 1176 | European Union |
Contacted Countries
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 21 extracted file(s). The remaining 13 file(s) are available in the full version and XML/JSON reports.
File | Category | Size | Type / Description | Runtime Process | MD5 | SHA1 | SHA256 |
---|---|---|---|---|---|---|---|
urlblockindex[1].bin | Clean (AV Scan Result 0/66) | 16B (16 bytes) | data | iexplore.exe (PID: 3316) | fa518e3dfae8ca3a0e495460fd60c791 | e4f30e49120657d37267c0162fd4a08934800c69 | 775853600060162c4b4e5f883f9fd5a278e61c471b3ee1826396b6d129499aa7 |
77EC63BDA74BD0D0E0426DC8F8008506 | Informative Selection | 53KiB (54018 bytes) | data; Microsoft Cabinet archive data, 54018 bytes, 1 file | iexplore.exe (PID: 3524) | 06ed9a39ac55eb00dd78e416e1a804f6 | 270464d1618197d86ff89184ba5ed45708d38bd9 | 298bba62caa0b61a402f715bb5b8d1d28ecd0b58d9a9b6b8ae7947b39da8b1eb |
CabD355.tmp | Informative Selection | 53KiB (54018 bytes) | data; Microsoft Cabinet archive data, 54018 bytes, 1 file | iexplore.exe (PID: 3524) | 06ed9a39ac55eb00dd78e416e1a804f6 | 270464d1618197d86ff89184ba5ed45708d38bd9 | 298bba62caa0b61a402f715bb5b8d1d28ecd0b58d9a9b6b8ae7947b39da8b1eb |
RecoveryStore.{92276975-082B-11E8-AC62-0A0027F6B408}.dat | Informative | 5.5KiB (5632 bytes) | text; Composite Document File V2 Document, Cannot read section info | iexplore.exe (PID: 3316) | e68e94d5eca9e89cb2dac54842c28b71 | 19ae7d99ddcc92092cc73a14e42345e53ab348cc | eb77dbeb6af98b107b544460aee64c307d6c975da685e20ab0048811e4508f56 |
{92276977-082B-11E8-AC62-0A0027F6B408}.dat | Informative | 6.5KiB (6656 bytes) | | iexplore.exe (PID: 3316) | 49a5f6d5d63c0bbef1c71c7daafdc7a1 | 8d325bfdd04d815cc52af24da8e141aff878d240 | 412de4265029913b542810667749672a644ced4f27508c52e10a144453a55eb3 |
{C8FDBC7D-082B-11E8-AC62-0A0027F6B408}.dat | Informative | 4.5KiB (4608 bytes) | | iexplore.exe (PID: 3316) | 3874baf9b6afe845a06c9eefe3e373b1 | 45cc34bc0b5fc4da5ce160d736cff1fd7cce2ad7 | e6345f6018345fccf51c231343a45f3f90d57feca5308b210736579330c4b47f |
RecoveryStore.{88B090C0-D917-11E7-B67B-080027A49DD6}.dat | Informative | 16KiB (15872 bytes) | text; Composite Document File V2 Document, Cannot read section info | iexplore.exe (PID: 3316) | 91278fa75056c4c5354e45baa900130d | ac00137b40d6ef748f293c0b6e64d0bc87295b05 | b197301b5a9312ec48a6d864471285f8f9b6094428c4dc49e2037e35babc1e0c |
{F3AE920C-082C-11E8-AC62-0A0027F6B408}.dat | Informative | 5.8KiB (5990 bytes) | text; Composite Document File V2 Document, Cannot read short stream | iexplore.exe (PID: 3316) | 272b35f96c0884f6842b8d25576ac34a | 847a0973ee7af01760f1fc3b5d8e47dee1ac75c5 | 76047416af25c655dd07930fa144946d466096b6f6798d8a0d76b2579144b5d9 |
verE47A.tmp | Informative | 15KiB (15789 bytes) | | iexplore.exe (PID: 3316) | a37d5835a4a14c9bfad7898c3b719f3c | f21cf355b4515c09174f5d5e5badbf3319dd70f0 | f0b53707b2932957387ca2c39c782dd32bcb60df970313a029d605b719ac1bf9 |
verE49D.tmp | Informative | 15KiB (15789 bytes) | text; XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | iexplore.exe (PID: 3524) | a37d5835a4a14c9bfad7898c3b719f3c | f21cf355b4515c09174f5d5e5badbf3319dd70f0 | f0b53707b2932957387ca2c39c782dd32bcb60df970313a029d605b719ac1bf9 |
search[1].json | Informative | 281B (281 bytes) | | iexplore.exe (PID: 3316) | d8bad3e02a197f5524373f868655a725 | dc82d45b29ba7dcd9eb5b100c707e35911b38a67 | 45492c31786ea8122530a6bbb5f43f8c1ea25c8f502e02486eb8f0145a742029 |
favicon[1].ico | Informative | 237B (237 bytes) | | iexplore.exe (PID: 3316) | 9fb559a691078558e77d6848202f6541 | ea13848d33c2c7f4f4baa39348aeb1dbfad3df31 | 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914 |
favicon[3].ico | Informative | 237B (237 bytes) | | iexplore.exe (PID: 3316) | 9fb559a691078558e77d6848202f6541 | ea13848d33c2c7f4f4baa39348aeb1dbfad3df31 | 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914 |
suggestions[1].en-US | Informative | 18KiB (18176 bytes) | data | iexplore.exe (PID: 3316) | 5a34cb996293fde2cb7a4ac89587393a | 3c96c993500690d1a77873cd62bc639b3a10653f | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
23B523C9E7746F715D33C6527C18EB9D | Informative | 292B (292 bytes) | | iexplore.exe (PID: 3524) | 99e108104195635acf38b1ddcec916f3 | 723d403fd70d5cf94a5db48b5706c1d978a01d27 | 4db1492bcee335df7a6caa4728f32fa5761cf0c87afe7ae005b03ce0b5bb50e0 |
6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04 | Informative | 434B (434 bytes) | | iexplore.exe (PID: 3524) | 7ce0d78f2e948441c9b32b5e57f17ba0 | 30b241415a3d0bfd4926d906d74ff81001685127 | c60c9d4f0a766b41534585abf86da741b25039098e749fd68a4fcd0152e800d8 |
6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F | Informative | 442B (442 bytes) | | iexplore.exe (PID: 3316) | 09dc3bebfe1f132a3b31186e0ed8c4d3 | 88b6be8bfc39e663789aef01878a948ebfe7d551 | 24a6565d917c4b34937b2e3d91dc3a70d6fd342fc848c57fe6e337c57777da6e |
8059E9A0D314877E40FE93D8CCFB3C69_0D2522239AFEBE0D36E671C7F3E9784C | Informative | 463B (463 bytes) | | iexplore.exe (PID: 3524) | f7493290d7336f6bb7bfe654f3f13f91 | 5760312ac72c352f81aad09e68cd7c1ba87c6ec0 | 1a90e2fe35f26d63cf04dc3e77fef87c91b2f12a4054b9071665a131e7070ded |
828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 | Informative | 1.4KiB (1391 bytes) | data | iexplore.exe (PID: 3524) | 58aaa1f615b7266e78a11f32e2f1a776 | 9c015441d08ca4ddb319c16ffbfe062db35c53cb | e426e0b277b4102b58163a70795c6911fdd6f69e6839ae52489cf474c673e261 |
50D6B15D9F2DCE1EDBB0C098625FBE47_281AC807DE0FEF15F2CA9911FE760A9B | Informative | 486B (486 bytes) | | iexplore.exe (PID: 3316) | 0028c9691bb7440e4b3206be7bfd4866 | 8d053b3578b08548c7389788946263c2c3824290 | 3194111e743fc90c60ab8af6d1ffae4cae61f72dd3c56574c58871fb008ad6b9 |
8059E9A0D314877E40FE93D8CCFB3C69_4D891102A445145000931758DC5D5B89 | Informative | 386B (386 bytes) | data | iexplore.exe (PID: 3524) | 4ffd53d879675e4382956e907b994879 | 2de5d8516b399ac5e911d2638e32c10fec916c05 | b597ce82e6b687162ac2b3d20a9b67e81b066079f3eecdf08644b51b947e90f1 |
Notifications
Runtime
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report