
Analysis Report 81Transcript.scr

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 102804
Start date: 11.01.2019
Start time: 19:33:59
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 55s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 81Transcript.scr (renamed file extension from scr to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.troj.evad.winEXE@3/8@0/7
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 83.2%)
  • Quality average: 65.9%
  • Quality standard deviation: 36.1%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 56
  • Number of non-executed functions: 67
Cookbook Comments:
  • Adjust boot time
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Report size getting too big, too many NtOpenFile calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 76 | 0 - 100 | Report FP / FN | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required?
Threshold | 5 | 0 - 5 | false


Classification

Analysis Advice

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Windows Remote Management | Winlogon Helper DLL | Process Injection 1 | Masquerading 11 | Credential Dumping | Process Discovery 1 | Application Deployment Software | Data from Local System | Data Compressed | Uncommonly Used Port 1
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Software Packing 1 | Network Sniffing | Security Software Discovery 4 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Process Injection 1 | Input Capture | File and Directory Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information 11 | Credentials in Files | System Information Discovery 11 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication

Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Windows\lsass.exe; Avira: Label: WORM/Mydoom.L.1
Antivirus detection for submitted file
Source: 81Transcrip.exe; Avira: Label: WORM/Mydoom.L.1
Antivirus detection for unpacked file
Source: 1.0.81Transcript.exe.800000.1.unpack; Avira: Label: TR/Agent.Blkhl.dam
Source: 4.2.lsass.exe.800000.0.unpack; Avira: Label: TR/Agent.Blkhl.dam
Source: 1.1.81Transcript.exe.800000.0.unpack; Avira: Label: TR/Agent.Blkhl.dam
Source: 4.1.lsass.exe.800000.0.unpack; Avira: Label: TR/Agent.Blkhl.dam
Source: 1.2.81Transcript.exe.800000.0.unpack; Avira: Label: TR/Agent.Blkhl.dam
Source: 1.0.81Transcript.exe.800000.2.unpack; Avira: Label: TR/Agent.Blkhl.dam
Source: 1.0.81Transcript.exe.800000.0.unpack; Avira: Label: TR/Agent.Blkhl.dam
Source: 4.0.lsass.exe.800000.0.unpack; Avira: Label: TR/Agent.Blkhl.dam

Spreading:

Enumerates the file system
Source: C:\Users\user\Desktop\81Transcript.exe; File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\81Transcript.exe; File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\
Source: C:\Users\user\Desktop\81Transcript.exe; File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\81Transcript.exe; File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\
Source: C:\Users\user\Desktop\81Transcript.exe; File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\
Source: C:\Users\user\Desktop\81Transcript.exe; File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Setup\
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\81Transcript.exe; Code function: 1_2_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose
Source: C:\Users\user\Desktop\81Transcript.exe; Code function: 1_1_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose
Source: C:\Windows\lsass.exe; Code function: 4_2_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose
Source: C:\Windows\lsass.exe; Code function: 4_1_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.2.6:49808 -> 15.75.188.57:1042
Source: global traffic; TCP traffic: 192.168.2.6:49809 -> 199.41.199.217:1042
Source: global traffic; TCP traffic: 192.168.2.6:49810 -> 16.105.82.93:1042
Source: global traffic; TCP traffic: 192.168.2.6:49816 -> 15.228.172.115:1042
Source: global traffic; TCP traffic: 192.168.2.6:49817 -> 167.194.206.231:1042
Source: global traffic; TCP traffic: 192.168.2.6:49818 -> 15.61.231.193:1042
Connects to IPs without corresponding DNS lookups
IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 172.156.1.158
Source: Joe Sandbox View; IP Address: 15.61.231.193
Source: Joe Sandbox View; IP Address: 199.41.199.217
Source: Joe Sandbox View; IP Address: 167.194.206.231
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: CPQ-ALF-IOMC-Hewlett-PackardCompanyUS
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\81Transcript.exe; Code function: 1_2_00807983 Sleep,socket,connect,recv,htons,htons,htons,send,htons,recv,closesocket
Found strings which match to known social media urls
Source: 81Transcript.exe, lsass.exe; String found in binary or memory: hotmail equals www.hotmail.com (Hotmail)
Source: 81Transcript.exe, lsass.exe; String found in binary or memory: yahoo.com equals www.yahoo.com (Yahoo)

System Summary:

Creates files inside the system directory
Source: C:\Users\user\Desktop\81Transcript.exe; File created: C:\Windows\lsass.exe
Creates mutexes
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1688
Source: C:\Windows\lsass.exe; Mutant created: \Sessions\1\BaseNamedObjects\
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\81Transcript.exe; File deleted: C:\Windows\lsass.exe
One or more processes crash
Source: unknown; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1104
PE file contains strange resources
Source: 81Transcrip.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lsass.exe.1.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\81Transcript.exe; Section loaded: wow64log.dll
Source: C:\Windows\lsass.exe; Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: ext-ms-win-xblauth-console-l1.dll
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: 81Transcrip.exe; Static PE information: Section: UPX1 ZLIB complexity 0.992410714286
Source: lsass.exe.1.dr; Static PE information: Section: UPX1 ZLIB complexity 0.992410714286
Classification label
Source: classification engine; Classification label: mal76.troj.evad.winEXE@3/8@0/7
Creates temporary files
Source: C:\Users\user\Desktop\81Transcript.exe; File created: C:\Users\CRAIGH~1\AppData\Local\Temp\fQbgl9mcdrn.txt
Reads software policies
Source: C:\Users\user\Desktop\81Transcript.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown; Process created: C:\Users\user\Desktop\81Transcript.exe 'C:\Users\user\Desktop\81Transcript.exe'
Source: unknown; Process created: C:\Windows\lsass.exe 'C:\Windows\lsass.exe'
Source: unknown; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1104

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\81Transcript.exe; Code function: 1_2_00803108 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\81Transcript.exe; Code function: 1_2_00807EE0 push eax; ret 1_2_00807F0E
Source: C:\Users\user\Desktop\81Transcript.exe; Code function: 1_1_00807EE0 push eax; ret 1_1_00807F0E
Source: C:\Windows\lsass.exe; Code function: 4_2_00807EE0 push eax; ret 4_2_00807F0E
Source: C:\Windows\lsass.exe; Code function: 4_1_00807EE0 push eax; ret 4_1_00807F0E
Sample is packed with UPX
Source: initial sample; Static PE information: section name: UPX0
Source: initial sample; Static PE information: section name: UPX1

Persistence and Installation Behavior:

Drops PE files with benign system names
Source: C:\Users\user\Desktop\81Transcript.exe; File created: C:\Windows\lsass.exe
Drops executables to the windows directory (C:\Windows) and starts them
Source: unknown; Executable created and started: C:\Windows\lsass.exe
Drops PE files
Source: C:\Users\user\Desktop\81Transcript.exe; File created: C:\Windows\lsass.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\81Transcript.exe; File created: C:\Windows\lsass.exe

Hooking and other Techniques for Hiding and Protection:

Creates PE files with a name equal or similar to existing files in Windows
Source: C:\Windows\lsass.exe; File created: Name: lsass.exe in C:\Users\user\Desktop\81Transcript.exe
Disables application error messages (SetErrorMode)
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\lsass.exe; Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_4-2046)
Source: C:\Windows\lsass.exe; Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_4-2046)
Source: C:\Users\user\Desktop\81Transcript.exe; Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_1-2064)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\lsass.exe; Window / User API: threadDelayed 668
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\Desktop\81Transcript.exe; Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_1-2590)
Source: C:\Windows\lsass.exe; Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_4-2860)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\81Transcript.exe TID: 2028; Thread sleep time: -55000s >= -30000s
Source: C:\Users\user\Desktop\81Transcript.exe TID: 2028; Thread sleep count: 59 > 30
Source: C:\Windows\lsass.exe TID: 1084; Thread sleep count: 57 > 30
Source: C:\Windows\lsass.exe TID: 1084; Thread sleep count: 45 > 30
Source: C:\Windows\lsass.exe TID: 1084; Thread sleep count: 87 > 30
Source: C:\Windows\lsass.exe TID: 1084; Thread sleep count: 136 > 30
Source: C:\Windows\lsass.exe TID: 1084; Thread sleep count: 668 > 30
Source: C:\Windows\lsass.exe TID: 1084; Thread sleep time: -50100s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\SysWOW64\WerFault.exe; File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\81Transcript.exe; Last function: Thread delayed
Source: C:\Windows\lsass.exe; Last function: Thread delayed
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\Desktop\81Transcript.exe; Code function: 1_2_00805247 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00805288h
Source: C:\Users\user\Desktop\81Transcript.exe; Code function: 1_1_00805247 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00805288h
Source: C:\Windows\lsass.exe; Code function: 4_2_00805247 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00805288h
Source: C:\Windows\lsass.exe; Code function: 4_1_00805247 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00805288h
Program exit points
Source: C:\Users\user\Desktop\81Transcript.exe; API call chain: ExitProcess graph end node (graph_1-2014)
Source: C:\Windows\lsass.exe; API call chain: ExitProcess graph end node (graph_4-2031)
Queries a list of all running processes
Source: C:\Windows\SysWOW64\WerFault.exe; Process information queried: ProcessInformation

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Windows\SysWOW64\WerFault.exe; File opened: C:\Windows\WinSxS\FileMaps\users_craig_holland_desktop_6e4174ecf6a92c5a.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\81Transcript.exe; System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\81Transcript.exe; Process queried: DebugPort
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\81Transcript.exe; Code function: 1_2_0080418A strlen,lstrcmpi,lstrlen,GetProcessHeap,RtlAllocateHeap,memset,GetTickCount,_mbscpy
Enables debug privileges
Source: C:\Windows\SysWOW64\WerFault.exe; Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: 81Transcript.exe, 00000001.00000000.6673754345.0000000000EC0000.00000002.sdmp, lsass.exe, 00000004.00000002.7688832196.0000000000EF0000.00000002.sdmp; Binary or memory string: Program Manager
Source: 81Transcript.exe, 00000001.00000000.6673754345.0000000000EC0000.00000002.sdmp, lsass.exe, 00000004.00000002.7688832196.0000000000EF0000.00000002.sdmp; Binary or memory string: Shell_TrayWnd
Source: 81Transcript.exe, 00000001.00000000.6673754345.0000000000EC0000.00000002.sdmp, lsass.exe, 00000004.00000002.7688832196.0000000000EF0000.00000002.sdmp; Binary or memory string: Progman
Source: 81Transcript.exe, 00000001.00000000.6673754345.0000000000EC0000.00000002.sdmp, lsass.exe, 00000004.00000002.7688832196.0000000000EF0000.00000002.sdmp; Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\user\Desktop\81Transcript.exe; Code function: 1_2_00802DB3 lstrlen,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,lstrcat,wsprintfA
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\81Transcript.exe; Code function: 1_2_00802DB3 lstrlen,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,lstrcat,wsprintfA

Stealing of Sensitive Information:

Contains functionality to search for IE or Outlook window (often done to steal information)
Source: C:\Users\user\Desktop\81Transcript.exe; Code function: 1_2_00802C72 FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread
Source: C:\Users\user\Desktop\81Transcript.exe; Code function: 1_1_00802C72 FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread
Source: C:\Windows\lsass.exe; Code function: 4_2_00802C72 FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,GetFileAttributesA,CreateThread,CreateThread,Sleep,CreateThread,Sleep,CreateThread,Sleep
Source: C:\Windows\lsass.exe; Code function: 4_1_00802C72 FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,GetFileAttributesA,CreateThread,CreateThread,Sleep,CreateThread,Sleep,CreateThread,Sleep

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\81Transcript.exe; Code function: 1_2_00807D81 malloc,memset,htons,htons,socket,socket,bind,closesocket,Sleep,htons,socket,bind,listen,CreateThread,CreateThread,malloc,memset,accept,Sleep,??3@YAXPAX@Z
Source: C:\Users\user\Desktop\81Transcript.exe; Code function: 1_1_00807D81 malloc,memset,htons,htons,socket,socket,bind,closesocket,Sleep,htons,socket,bind,listen,CreateThread,CreateThread,malloc,memset,accept,Sleep,??3@YAXPAX@Z
Source: C:\Windows\lsass.exe; Code function: 4_2_00807D81 malloc,memset,htons,htons,socket,socket,bind,closesocket,Sleep,htons,socket,bind,listen,CreateThread,CreateThread,malloc,memset,accept,Sleep,??3@YAXPAX@Z
Source: C:\Windows\lsass.exe; Code function: 4_1_00807D81 malloc,memset,htons,htons,socket,socket,bind,closesocket,Sleep,htons,socket,bind,listen,CreateThread,CreateThread,malloc,memset,accept,Sleep,??3@YAXPAX@Z

Behavior Graph

[Behavior graph omitted. Behavior Graph ID: 102804; Sample: 81Transcript.scr; Startdate: 11/01/2019; Architecture: WINDOWS; Score: 76]

Simulations

Behavior and APIs

Time | Type | Description
19:34:53 | API Interceptor | 1x Sleep call for process: 81Transcript.exe modified
19:34:54 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Traybar C:\Windows\lsass.exe

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
81Transcrip.exe | 100% | Avira | WORM/Mydoom.L.1

Dropped Files

Source | Detection | Scanner | Label
C:\Windows\lsass.exe | 100% | Avira | WORM/Mydoom.L.1

Unpacked PE Files

Source | Detection | Scanner | Label
1.0.81Transcript.exe.800000.1.unpack | 100% | Avira | TR/Agent.Blkhl.dam
4.2.lsass.exe.800000.0.unpack | 100% | Avira | TR/Agent.Blkhl.dam
1.1.81Transcript.exe.800000.0.unpack | 100% | Avira | TR/Agent.Blkhl.dam
4.1.lsass.exe.800000.0.unpack | 100% | Avira | TR/Agent.Blkhl.dam
1.2.81Transcript.exe.800000.0.unpack | 100% | Avira | TR/Agent.Blkhl.dam
1.0.81Transcript.exe.800000.2.unpack | 100% | Avira | TR/Agent.Blkhl.dam
1.0.81Transcript.exe.800000.0.unpack | 100% | Avira | TR/Agent.Blkhl.dam
4.0.lsass.exe.800000.0.unpack | 100% | Avira | TR/Agent.Blkhl.dam

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs


Domains

No context

ASN


Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.