ID: Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/2018 Version:

Transcription

1 ID: 5945 Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/201 Version:

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview Networking: System Summary: HIPS / PFW / Operating System Protection Evasion: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshots Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info No static file info Network Behavior Network Port Distribution TCP Packets UDP Packets DNS Queries DNS Answers HTTP Request Dependency Graph HTTP Packets Code Manipulations Statistics Behavior Copyright Joe Security LLC 201 Page 2 of 20

3 System Behavior Analysis iexplore.exe PID: 37 Parent PID: 54 General File Activities Registry Activities Analysis iexplore.exe PID: 352 Parent PID: 37 General File Activities Registry Activities Disassembly Code Analysis Copyright Joe Security LLC 201 Page 3 of 20

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: 5945 Start time: 11:59:06 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: 0h 4m 19s light browseurl.jbs ebsite/ruqo7kuum9s694c7k0eo2aq23m9g6d/pe dido_nf-e.pdf Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 4 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: HCA enabled EGA enabled HDC enabled Timeout CLEAN clean0.win@3/22@1/1 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: HDC Information: Cookbook Comments: Warnings: Failed Failed Adjust boot time Correcting counters for adjusted boot time URL browsing timeout Show All Exclude process from analysis (whitelisted): WmiPrvSE.exe, dllhost.exe Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtQueryVolumeInformationFile calls found. Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Copyright Joe Security LLC 201 Page 4 of 20

5 Confidence Strategy Score Range Further Analysis Required? Threshold Confidence Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Copyright Joe Security LLC 201 Page 5 of 20

6 Analysis Advice Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior Signature Overview Networking System Summary HIPS / PFW / Operating System Protection Evasion Click to jump to signature section Networking: Social media urls found in memory data Downloads files Downloads files from webservers via HTTP Found strings which match to known social media urls Performs DNS lookups Urls found in memory or binary data System Summary: Classification label Creates files inside the user directory Creates temporary files Reads ini files Spawns processes Uses an in-process (OLE) Automation server Uses new MSVCR Dlls HIPS / PFW / Operating System Protection Evasion: May try to detect the Windows Explorer process (often used for injection) Behavior Graph Copyright Joe Security LLC 201 Page 6 of 20

7 Behavior Graph ID: 5945 URL: Startdate: 14/05/201 Architecture: WINDOWS Score: 0 Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Hide Legend started Number of created Registry Values Number of created Files iexplore.exe Visual Basic Delphi Java.Net C# or VB.NET C, C++ or other language Is malicious klaro2d4okf.comprovante-005ox.website started iexplore.exe 9 klaro2d4okf.comprovante-005ox.website , 49174, 49175, 4914 GOOGLE-GoogleIncUS United States Simulations Behavior and APIs Time Type Description 11:59:25 API Interceptor 1750x Sleep call for process: iexplore.exe modified Antivirus Detection Initial Sample Detection Scanner Label Link dido_nf-e.pdf 0% virustotal Browse Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains No Antivirus matches Copyright Joe Security LLC 201 Page 7 of 20

8 Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Screenshots Copyright Joe Security LLC 201 Page of 20

9 Startup System is w7 iexplore.exe (PID: 37 cmdline: '' -Embedding CA1F703CD66567E132D2946FB55750) iexplore.exe (PID: 352 cmdline: '' SCODEF:37 CREDAT: /prefetch:2 CA1F703CD66567E132D2946FB55750) cleanup Created / dropped Files C:\Users\SAMTAR~1\AppData\Local\Temp\~DF CECCFE36.TMP FoxPro FPT, blocks size 25, next free block index Size (bytes): Entropy (bit): CBB6CA0CC2A0CEC5E09A17BA909D ED533E705FF245C151207D246E1E43237DC6 0DDD36BE51B72BE3BD0E29341C4F9F34DB299635FBBF747A12B62E0F9639D 6CEDB07565D9773E1F31A73E7D4DC60AE4B04F902153CBFD7710D AED7E972271D C7E9E 310B9D732CF6CC69D42D0B91E6E B3 Copyright Joe Security LLC 201 Page 9 of 20

10 C:\Users\SAMTAR~1\AppData\Local\Temp\~DF5AD792D15AEDFEE4.TMP FoxPro FPT, blocks size 25, next free block index Size (bytes): Entropy (bit): B476C6720C3403D5AB96FA6ABD3CE92 26AE17C FA5B3D3BAA67534A2DB1B 1A5AF5FEB674BCEB BC3211A1352E01CFE0B05DC6D14A95E16970EA0 B523E95BA17716C BD43C4D242EE64CADC6A775E5FFF7B2275C45256FBBECAC557BD73EED7AFC72 44E62C60A D3CBC BA677D15 C:\Users\SAMTAR~1\AppData\Local\Temp\~DFE5D0F222EB23A59.TMP FoxPro FPT, blocks size 25, next free block index Size (bytes): Entropy (bit): BA6F33CB A552CCB9BB5B4 F771F32EB72F905F3B37D CDB51D9F01 CF17161B0E5E536E13A16C4FE0DA16172AA F3BABB250A754D D4FE5E549BE9A07A12E0AF90C047AE1A307F07BA310BBA91465DE E56D703EB590EDA54CF9AE D4C10BF5434CE67F1F64C54090CF46B992F3 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57CEDB95DF3F0AD4EE2DC2BCFD4157 Size (bytes): 6509 Entropy (bit): Microsoft Cabinet archive data, 6509 bytes, 1 file 33B39E2A516EF730AFA92294F0FBD5 03D45553DDA59215D945AF76AF6293B202F56F 9446EF2056FEA3AC1365A09ADA C396F72FFE42FD1B71C24CBA 75763AA13B43EB96294B0F4E E06FB79F4AF4F35D020ED0ADD9DD1B42FE7EC2C6340ACE0B 12F3469D1307C321C7F96970C C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA974A10C4BD62CC921D13E43B1_BEB37ABADF B E0 4 data Size (bytes): 471 Entropy (bit): F0210FCA CC216A307999E2 D10B6C6F353C30D9B55BFCAADD40E7D493397C 397AD7DB2D20AFD65BA634252E B09E1C9526BD654291D1221F9 C5CA0CE0D36CB0716ECC6E37F96C261EF4E992C6C6B03D7EF703252D5494DE7AAFB22209CBEC0A52ECD39D CF B9949E994C7D29CC513BB690DA C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2CB34DD3343FE727DF90D352E0DF data Size (bytes): 4405 Entropy (bit): F49D05A12DAF7DC1437DCCDB1A74 CC31C730E0CB60FF D71ADF1FDB7F B6CAF30D26C9B F0E345C3C5F343AE0D437DE4FEECB0E9E5D9DA27C16 Copyright Joe Security LLC 201 Page 10 of 20

11 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2CB34DD3343FE727DF90D352E0DF 956F073E50CC D01450C632CDCA0CE7B449221FF1DA4C2775D1F1933A5C43FE97994CC7C67EBB 70E177ADA752BFDE76AD061C7B047FB54C C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57CEDB95DF3F0AD4EE2DC2BCFD4157 data Size (bytes): 342 Entropy (bit): F1644DD69CB6FC29A71565CB56B1E5 E3F5AADF5C CE4F9BF1EEEF5AF1 3D6F36C706976F090F14095FD703AB3B93E44EF7EF3CDA D3A5BB1 511F3D06CB6DD9EFFDFC267FE4E601EC5A73EBA5443A5CEDA9277CF16DA411BC2B22E70C9F96E462BC5 746AA77AE9CB1E7CBD527DBDFCCEA46030 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA974A10C4BD62CC921D13E43B1_BEB37ABADF B E04 data Size (bytes): 6 Entropy (bit): BCCD4E2D4E01F4CCF2CDC24 10A44C35907F46662D9747B1A3ACF900FB95C6F 4E99F6C4ABFBF099D0AFAE3721BB6BADBA175C4D60BC079FFF1A75EDB03C10 E41C4110B94D1DD957CC6AD4A0F9953A00FE3CD95CABD2497A7D597E22FA1CD14E70099C1744B03DB5 569C571D44CBEF2A ED6F33A1FFA C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2CB34DD3343FE727DF90D352E0DF data Size (bytes): 452 Entropy (bit): DAC71DC1A64BCFFEC7D27D F4D9ED46063EEFED3BBAC2334 2F021D43FCD34D9351CC1D35176E7C9CB9C25AB29324E1A7C7F013262ACE3 9C30D29F236917CBB7E6F5693BB93E562EFA FADAE3010F559B44B73DC456F7E53DFE790CD5D7D6A A B3DE92D97CC97BB3F09B34AEC266 C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416BB2E3A}.ico Size (bytes): 237 Entropy (bit): PNG image data, 16 x 16, 4-bit colormap, non-interlaced 9FB559A E77D64202F6541 EA134D33C2C7F4F4BAA3934AEB1DBFAD3DF31 6DA01DC7647BC21D003B5FE04049E24A B7E0CEBAE76EDF5BB914 0E09356CD123BEA20B7D9A3AAF5CB05249DE7F26FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96AECE236B C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1 data Size (bytes): 1176 Copyright Joe Security LLC 201 Page 11 of 20

12 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1 Entropy (bit): A34CB996293FDE2CB7A4AC957393A 3C96C D1A7773CD62BC639B3A10653F C6A5377CBC07EECE33790CFC70572E12C7A4AD296BE25C0CC05A1F34DBAD E1B7D F E70F6B1BE6FD0CA65DCCF4FF D4427D3A77F704AEDFF59D2DBC0D56A6 09B2590CEC0DD6BC4AB30F1DAD0C07A0A3EE C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml Size (bytes): Entropy (bit): XML 1.0 document, UTF- Unicode (with BOM) text, with CRLF line terminators 01EFD99D7BECF410A420CCB5F969F9D 061EAA63C4C02D0B09D3A9E140AAC90A DABC2429BE2D5E7B60FE C1BEF0FF223BA144AFCCC7F711B6BB CC3B66B14A9FD15AA601B774F2B CB5D4C20A205415B622744EB3C55AC720E62CC462A0AB3593BEC92 F506D433ECBEAE73369F6FD41B67171D6D C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7B34BE1-575D-11E-B3E3-CCDA62336E41}.dat Size (bytes): Microsoft Word Document Entropy (bit): FB6B21BF21EC63F34E74BD512A41AC2F 59FB513E1AA454FA521446AD22E9EC3F2992F FEAEDAAA9F255BA59B9FC24FB60BCDBE341FF5BE069AD47A7A2C5BD7FDB C467F07F6755D1A743BDD6BAFB63A2C123ABB5AA769CA90D6B106DC6DE792D9031ACEB7C6CA7152AE240F B39A354FC71FB5DA5EF0F30D61B732EB2EF7E C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7B34BE3-575D-11E-B3E3-CCDA62336E41}.dat Size (bytes): 1694 Microsoft Word Document Entropy (bit): B24A020AFE137A0FF2220B2E06170 BE949B E2BCF0B2BAB144EF7C5CED 6323DB924750F4EBBCAC F766D5F99A7999AA1B12D067A6F4EFAE E2DC2E31A2C5E230ED31324B0EF4D70012DA293FC01B11715F77B9CABEABBF DA619D3E1C54E E120E0AA9AD44BA93F355F514CE673F1BE20 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{515B5D0-575D-11E-B3E3-CCDA62336E41}.dat Size (bytes): 1694 Microsoft Word Document Entropy (bit): B31EBA5E76740ACDB2B24CDCA0BC1C 3FC5C965C2B73DDBBACC907E7BC9D5D01F34 776CC51169CDCE0E3737F0CD46D9C4CFD6B96C25BC77DA4109A91010C2CB0 5E1C77A10129FFBBB1A0A04C542ABDC9D2CDD25BD573FAA1AFC672E4CB6B376F27B1E5B557119D9AE30760 EAB6AD23EA14DF59E2B96ABE2EDB37165B Copyright Joe Security LLC 201 Page 12 of 20

13 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver6E4D.tmp Size (bytes): 1545 Entropy (bit): XML 1.0 document, UTF- Unicode (with BOM) text, with CRLF line terminators 095C726DE7D90E6526DC0D7F3F6 A1CAE12FB7E6C74FB5467C0014B2A27472BE DA E9B4B0D245C5B7E1FAC1242A07DED44EAF3B792E4A231E AB7FD229A6F532AE11E4CCEB01F2310B33D5C740BC9F290C79646C422AFFC27DDB476C931D6E4A966EED97 0E219B6CEBBF6F9A12B6C629B616CDE1615C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\favicon[2].ico Size (bytes): 237 Entropy (bit): PNG image data, 16 x 16, 4-bit colormap, non-interlaced 9FB559A E77D64202F6541 EA134D33C2C7F4F4BAA3934AEB1DBFAD3DF31 6DA01DC7647BC21D003B5FE04049E24A B7E0CEBAE76EDF5BB914 0E09356CD123BEA20B7D9A3AAF5CB05249DE7F26FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96AECE236B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\urlblockindex[2].bin Size (bytes): 16 Entropy (bit): data FA51E3DFAECA3A0E495460FD60C791 E4F30E D37267C0162FD4A093400C C4B4E5F3F9FD5A27E61C471B3EE126396B6D129499AA7 D21667F3FB01D39B57917E74E9BB1B6E9A97F C165729A5F177DC0ADADD90CD026C7A601D416665A 1AC13A69E49A6A2FE2FDD096793AA645C07 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\iecompatviewlist[1].xml Size (bytes): Entropy (bit): XML 1.0 document, UTF- Unicode (with BOM) text, with CRLF line terminators CE5A2EA36F7070BAA6799FB7C39E0D 70AE543F05CABCD2FBED9C95BF0312A C0654B0B4367B3A02D00BCECD1DB365D6A3D7B747F0B059EB4D016E0D F54676DEA245CB47D3337BA7C0136B9D773FDA9BEF52C5C156CC4F4F212DE46796F0F F2FA1 6436E31E9E369BA0A6513EC6DFFD C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\suggestions[1].en-US data Size (bytes): 1176 Entropy (bit): A34CB996293FDE2CB7A4AC957393A 3C96C D1A7773CD62BC639B3A10653F C6A5377CBC07EECE33790CFC70572E12C7A4AD296BE25C0CC05A1F34DBAD E1B7D F E70F6B1BE6FD0CA65DCCF4FF D4427D3A77F704AEDFF59D2DBC0D56A6 09B2590CEC0DD6BC4AB30F1DAD0C07A0A3EE Copyright Joe Security LLC 201 Page 13 of 20

14 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\suggestions[1].en-US Contacted Domains/Contacted IPs Contacted Domains Name IP Active Malicious Antivirus Detection Reputation klaro2d4okf.comprovante-005ox.website true unknown Contacted IPs No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs IP Country Flag ASN ASN Name Malicious United States GOOGLE-GoogleIncUS Static File Info No static file info Network Behavior Network Port Distribution Total Packets: 6 Copyright Joe Security LLC 201 Page 14 of 20

15 0 (HTTP) 53 (DNS) TCP Packets Timestamp Port Dest Port IP Dest IP May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST Copyright Joe Security LLC 201 Page 15 of 20

16 Timestamp Port Dest Port IP Dest IP May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST Copyright Joe Security LLC 201 Page 16 of 20

17 UDP Packets Timestamp Port Dest Port IP Dest IP May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :59: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST May 14, :00: CEST Copyright Joe Security LLC 201 Page 17 of 20

18 DNS Queries Timestamp IP Dest IP Trans ID OP Code Name Type Class May 14, :59: CEST x9cf1 Standard query (0) klaro2d4o kf.comprovante- 005ox.website A (IP address) IN (0x0001) DNS Answers Timestamp IP Dest IP Trans ID Replay Code Name CName Address Type Class May 14, x9cf1 No error (0) klaro2d4o 11:59: kf.comprovante- CEST 005ox.website A (IP address) IN (0x0001) HTTP Request Dependency Graph klaro2d4okf.comprovante-005ox.website HTTP Packets Session ID IP Port Destination IP Destination Port Process Timestamp kbytes transferred Direction Data May 14, :59: CEST 27 OUT GET /RUQO7KUUM9S694C7K0EO2AQ23M9G6D/pedido_NF-e.pdf HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: klaro2d4okf.comprovante-005ox.website DNT: 1 Connection: Keep-Alive Session ID IP Port Destination IP Destination Port Process Timestamp kbytes transferred Direction Data May 14, :00: CEST 161 OUT GET /RUQO7KUUM9S694C7K0EO2AQ23M9G6D/pedido_NF-e.pdf HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: klaro2d4okf.comprovante-005ox.website DNT: 1 Connection: Keep-Alive Code Manipulations Statistics Behavior iexplore.exe iexplore.exe Copyright Joe Security LLC 201 Page 1 of 20

19 Click to jump to process System Behavior Analysis iexplore.exe PID: 37 Parent PID: 54 General Start time: 11:59:25 Start date: 14/05/201 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: '' -Embedding 0xd bytes CA1F703CD66567E132D2946FB55750 true C, C++ or other language File Activities File Path Access Attributes Options Completion Count File Path Completion Count Old File Path New File Path Completion Count File Path Offset Length Value Ascii Completion Count File Path Offset Length Completion Count Registry Activities Key Path Completion Count Key Path Name Type Data Completion Count Key Path Name Type Old Data New Data Completion Count Copyright Joe Security LLC 201 Page 19 of 20

20 Analysis iexplore.exe PID: 352 Parent PID: 37 General Start time: 11:59:25 Start date: 14/05/201 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: '' SCODEF:37 CREDAT: /prefetch:2 0xd bytes CA1F703CD66567E132D2946FB55750 true C, C++ or other language File Activities File Path Access Attributes Options Completion Count File Path Offset Length Value Ascii Completion Count File Path Offset Length Completion Count Registry Activities Key Path Name Type Old Data New Data Completion Count Disassembly Code Analysis Copyright Joe Security LLC 201 Page 20 of 20