Analysis Report https://us.klinge.biz/SimpleFileDownload/Home/File?file=f5dedb19-5b3a-4729-bbde-d6dff15ca3b2

Overview

General Information

Sample URL:https://us.klinge.biz/SimpleFileDownload/Home/File?file=f5dedb19-5b3a-4729-bbde-d6dff15ca3b2
Analysis ID:337367

Detection

Score:4
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Antivirus or Machine Learning detection for unpacked file
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Potential browser exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)

Classification

Classification chart (figure): categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious.
  • System is w10x64
  • iexplore.exe (PID: 5172 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5480 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5172 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • unarchiver.exe (PID: 5744 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Manfilter_3104.zip' MD5: 8B435F8731563566F3F49203BA277865)
      • 7za.exe (PID: 1632 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\poyytgcb.bev' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Manfilter_3104.zip' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 3840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 800 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\manfiltr.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 3152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • manfiltr.exe (PID: 2616 cmdline: C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\manfiltr.exe MD5: AF9EEDACA97462C974D9933011DE3584)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures; the full list of signature results follows.

Source: 8.2.manfiltr.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 8.0.manfiltr.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 022A097Fh | 3_2_022A02A8
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 022A097Eh | 3_2_022A02A8
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Windows\SysWOW64\unarchiver.exe
Source: unknown | DNS traffic detected: queries for: us.klinge.biz
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown | Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49694
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 3_2_022A02A8 | 3_2_022A02A8
Source: classification engine | Classification label: clean4.win@13/12@1/1
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3840:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3152:120:WilError_01
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFD1E092C5CA8B53EC.TMP
Source: C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\manfiltr.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\unarchiver.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: manfiltr.exe, 00000008.00000002.474259718.0000000000401000.00000020.00020000.sdmp, manfiltr.exe.4.dr | Binary or memory string: INSERT INTO SYSUSERS ( USER_NAME, PASSWORD, SAM_ONLY, [LEVEL] ) VALUES ('0123' , 'CORN' , True, 3)8DELETE * FROM USER_SECURITY;bUPDATE AUDIT_EVENTS_TTC SET WIN_USER = 'Filtered'>Command line arguments missing.*Application version: |Input TTC database filename command line argument is required.~Output TTC database filename command line argument is required.
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5172 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Manfilter_3104.zip'
Source: unknown | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\poyytgcb.bev' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Manfilter_3104.zip'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\manfiltr.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\manfiltr.exe C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\manfiltr.exe
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5172 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Manfilter_3104.zip'
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\poyytgcb.bev' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Manfilter_3104.zip'
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\manfiltr.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\manfiltr.exe C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\manfiltr.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\SysWOW64\7za.exe | File created (dropped file): C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\manfiltr.exe
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX (17 identical entries)
Source: C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\manfiltr.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 4228 | Thread sleep count: 204 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 4228 | Thread sleep time: -102000s >= -30000s
Source: C:\Windows\SysWOW64\unarchiver.exe | Last function: Thread delayed (2 identical entries)
Source: manfiltr.exe, 00000008.00000002.474259718.0000000000401000.00000020.00020000.sdmp, manfiltr.exe.4.dr | Binary or memory string: LLLLLLLLLNNNNNNMMMMMMMMMNOPQQQTUVSSSMMMOPQSSSSTUOY]TVXTUVRRRMMMKKKJJJKKKMMMOPQOVYS_eNclNclMfqOeoPfpRgpOckQemUgoUgoTelSdkN=lG2`F/]F/]F/\G0]I2`J3`G3cG4cG4cG3cG2`H2`G1_G0^G0]F/]F/]F/]G0]G0]G0]F/]F/\F/]FHmEv
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\poyytgcb.bev' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Manfilter_3104.zip'
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\manfiltr.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\manfiltr.exe C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\manfiltr.exe
Source: unarchiver.exe, 00000003.00000002.475289152.0000000000DE0000.00000002.00000001.sdmp, manfiltr.exe, 00000008.00000002.475198206.0000000000D30000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: unarchiver.exe, 00000003.00000002.475289152.0000000000DE0000.00000002.00000001.sdmp, manfiltr.exe, 00000008.00000002.475198206.0000000000D30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: unarchiver.exe, 00000003.00000002.475289152.0000000000DE0000.00000002.00000001.sdmp, manfiltr.exe, 00000008.00000002.475198206.0000000000D30000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: unarchiver.exe, 00000003.00000002.475289152.0000000000DE0000.00000002.00000001.sdmp, manfiltr.exe, 00000008.00000002.475198206.0000000000D30000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\unarchiver.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Exploitation for Client Execution¹, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Privilege Escalation: Process Injection¹², Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Defense Evasion: Masquerading¹, Virtualization/Sandbox Evasion¹, Disable or Modify Tools¹, Process Injection¹², Obfuscated Files or Information¹, Software Packing¹
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Security Software Discovery¹, Virtualization/Sandbox Evasion¹, Process Discovery¹, File and Directory Discovery¹, System Information Discovery¹², System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Archive Collected Data¹, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Command and Control: Encrypted Channel¹², Non-Application Layer Protocol¹, Application Layer Protocol², Protocol Impersonation, Fallback Channels, Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features
Behavior Graph (figure). ID: 337367; URL: https://us.klinge.biz/Simpl...; Start date: 08/01/2021; Architecture: WINDOWS; Score: 4. Recoverable graph content: iexplore.exe starts unarchiver.exe and a second iexplore.exe; the second iexplore.exe connects to us.klinge.biz (52.202.55.99, port 443, local ports 49694 and 49695, AMAZON-AESUS, United States); unarchiver.exe starts 7za.exe and cmd.exe; 7za.exe drops C:\Users\user\AppData\Local\...\manfiltr.exe (PE32) and starts conhost.exe; cmd.exe starts manfiltr.exe and conhost.exe.

Source | Detection | Scanner | Label
https://us.klinge.biz/SimpleFileDownload/Home/File?file=f5dedb19-5b3a-4729-bbde-d6dff15ca3b2 | 0% | Virustotal |
https://us.klinge.biz/SimpleFileDownload/Home/File?file=f5dedb19-5b3a-4729-bbde-d6dff15ca3b2 | 0% | Avira URL Cloud | safe

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\manfiltr.exe | 4% | Virustotal |
C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\manfiltr.exe | 2% | ReversingLabs |

Source | Detection | Scanner | Label
8.2.manfiltr.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
8.0.manfiltr.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen

Source | Detection | Scanner | Label
us.klinge.biz | 0% | Virustotal |

Source | Detection | Scanner | Label
0 | 0% | Virustotal |


Name | IP | Active | Malicious | Antivirus Detection | Reputation
us.klinge.biz | 52.202.55.99 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
0 | false | | low
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
52.202.55.99 | unknown | United States | 14618 | AMAZON-AESUS | false

General Information

Joe Sandbox Version:31.0.0 Red Diamond
Analysis ID:337367
Start date:08.01.2021
Start time:13:56:32
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 1s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:https://us.klinge.biz/SimpleFileDownload/Home/File?file=f5dedb19-5b3a-4729-bbde-d6dff15ca3b2
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:21
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean4.win@13/12@1/1
EGA Information:
  • Successful, ratio: 50%
HCA Information:
  • Successful, ratio: 96%
  • Number of executed functions: 11
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, ielowutil.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
  • Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.43.139.144, 88.221.62.148, 23.210.248.85, 152.199.19.161, 205.185.216.10, 205.185.216.42
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ie9comview.vo.msecnd.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, skypedataprdcoleus17.cloudapp.net, go.microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, cs9.wpc.v0cdn.net
  • Execution Graph export aborted for target unarchiver.exe, PID 5744 because it is empty
No simulations
No context
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7B9283D2-51FC-11EB-90E4-ECF4BB862DED}.dat
Process:C:\Program Files\internet explorer\iexplore.exe
File Type:Microsoft Word Document
Category:dropped
Size (bytes):32344
Entropy (8bit):1.7973882827359091
Encrypted:false
SSDEEP:48:IwKGcpr/GwpLaG/ap82trGIpcyhGvnZpvyNGoQqp9yGGo4BpmydOGWe+9yQGWo+u:ruZJZA22t9WyutyDfyhBMydoygtJrn2
MD5:6FABD66FB2F10C75FA2D86F67DA189A7
SHA1:41E135C63D865A3759AF34BCF2DAF9CE05C61957
SHA-256:C2A6DB3B8CC226ECAE5FD69580A6AF367882C00F02F5EE18F81DB15401B6067B
SHA-512:52BD434E5BF5917B069DF0C62D1A6D4278608C6117A3DC867010EBC5792EE4EF03BFF4FA804EE23B2B6E906EF399A7D6352262D04D44B5BE3B18122AD307EDFC
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7B9283D4-51FC-11EB-90E4-ECF4BB862DED}.dat
Process:C:\Program Files\internet explorer\iexplore.exe
File Type:Microsoft Word Document
Category:dropped
Size (bytes):19032
Entropy (8bit):1.596994914264384
Encrypted:false
SSDEEP:48:IwSGcprDGwpaTG4pQPGrapbSRztrGQpBiGHHpcwtsTGUpQz9/WGcpm:rmZdQl6TBSRztFj52wtk6Ug
MD5:F5297E5623A1886836E7D7364347CAE0
SHA1:1FE6691D8FBF07D4DAC8B71FBB2DEC5848F12D9F
SHA-256:B546BDE300EC1FA0C4ACF762413E16A7550769BD4C80A76F102036894973E220
SHA-512:4FD08824B6095E06E69C0B17FD8BFE154C01C63FD90F7110467A6CF4CC53DA25F3CA539BEF0B1139C8662F902EFFD1983EAF76E055830ED11D5ED6B4936E584D
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Manfilter_3104.zip.o1mr3q3.partial
Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:Zip archive data, at least v2.0 to extract
Category:dropped
Size (bytes):319796
Entropy (8bit):7.997870894325883
Encrypted:true
SSDEEP:6144:wNxFDNiRl4mV5MAac4cDI6giNSVhfd4gm1BK8xPTVP0r7JwIWptFxri3EguO8:SxFhijnMAlT9pohYBK8tTF0JVq
MD5:8B894AD8091B41D9ABF67A27CCE5D938
SHA1:1293A6920535ECB8215F04A0A17A9478953776D3
SHA-256:053ABE83D6FB545381E920449812B3EFCA925AFC93B097904ECB2A2803228F9B
SHA-512:2288469ED08037F3898E4FD811DB54AF67C7D185B76BCC61F3C289D96C2594E8BDB1CE9534AAA97E660DBB325E2949FC554546C60147B5FC62D7EC7D9B1FB5A5
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Manfilter_3104.zip.o1mr3q3.partial:Zone.Identifier
Process:C:\Program Files\internet explorer\iexplore.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:gAWY3n:qY3n
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:false
Reputation:low
Preview: [ZoneTransfer]..ZoneId=3..
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Manfilter_3104.zip:Zone.Identifier
Process:C:\Program Files\internet explorer\iexplore.exe
File Type:very short file (no magic)
Category:modified
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:W:W
MD5:ECCBC87E4B5CE2FE28308FD9F2A7BAF3
SHA1:77DE68DAECD823BABBB58EDB1C8E14D7106E83BB
SHA-256:4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE
SHA-512:3BAFBF08882A2D10133093A1B8433F50563B93C14ACD05B79028EB1D12799027241450980651994501423A66C276AE26C43B739BC65C4E16B10C3AF6C202AEBB
Malicious:false
Reputation:low
Preview: 3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\Manfilter_3104[1].zip
Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:Zip archive data, at least v2.0 to extract
Category:dropped
Size (bytes):319796
Entropy (8bit):7.997870894325883
Encrypted:true
SSDEEP:6144:wNxFDNiRl4mV5MAac4cDI6giNSVhfd4gm1BK8xPTVP0r7JwIWptFxri3EguO8:SxFhijnMAlT9pohYBK8tTF0JVq
MD5:8B894AD8091B41D9ABF67A27CCE5D938
SHA1:1293A6920535ECB8215F04A0A17A9478953776D3
SHA-256:053ABE83D6FB545381E920449812B3EFCA925AFC93B097904ECB2A2803228F9B
SHA-512:2288469ED08037F3898E4FD811DB54AF67C7D185B76BCC61F3C289D96C2594E8BDB1CE9534AAA97E660DBB325E2949FC554546C60147B5FC62D7EC7D9B1FB5A5
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):89
Entropy (8bit):4.313894914180916
Encrypted:false
SSDEEP:3:oVXU3s+UdH8JOGXnE3s+US+n:o9UxeHqExs
MD5:1C57FD428ED94D455865F6C5640850E7
SHA1:D6CEDC24C5DB49A9195AC04D87CC1FE774AA8D9B
SHA-256:207F57B38E3069365B76C3A15C39FB722660ED9D1B5569AC19E1FE92193CEF34
SHA-512:D8FE9D278B0A847DAE8D5A0EC7B8FB0A204EA04B327CD8F9933C10FBBB60C8E659890574912E623854202895C5701EA6F7668AE66D7A2C5591BE23BD1EF52B5D
Malicious:false
Reputation:low
Preview: [2021/01/08 13:57:23.111] Latest deploy version: ..[2021/01/08 13:57:23.111] 11.211.2 ..
C:\Users\user\AppData\Local\Temp\mtp4esta.md5\unarchiver.log
Process:C:\Windows\SysWOW64\unarchiver.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1717
Entropy (8bit):5.20692432796918
Encrypted:false
SSDEEP:48:4EDjaPK2GA2GbA2GA2GpC2GPN2GA2GpCDja2Gbu2GRDja2G42GY12GA2GL2GA2Gs:4cj5qUe2ZV
MD5:60ADC02DA1B6D08E45FA845A42EEDCC2
SHA1:79FBE1431D2DBE3E739E12BF30796CF9D87D184A
SHA-256:E2EF6589A80383B85D83907B8BA2F86C489DBBE74C528630B24FB539C3EA162D
SHA-512:9455EE20C7F0A388A1B0FCA5370C3631E8F5CE59A621BC438CA81CB9DB24A00D236E6332C8EC18C9B1311956061822ED2A28884013688ECC4C1AD712241C5AE9
Malicious:false
Reputation:low
Preview: 01/08/2021 1:57 PM: Unpack: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Manfilter_3104.zip..01/08/2021 1:57 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\poyytgcb.bev..01/08/2021 1:57 PM: Received from standard out: ..01/08/2021 1:57 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..01/08/2021 1:57 PM: Received from standard out: ..01/08/2021 1:57 PM: Received from standard out: Scanning the drive for archives:..01/08/2021 1:57 PM: Received from standard out: 1 file, 319796 bytes (313 KiB)..01/08/2021 1:57 PM: Received from standard out: ..01/08/2021 1:57 PM: Received from standard out: Extracting archive: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Manfilter_3104.zip..01/08/2021 1:57 PM: Received from standard out: --..01/08/2021 1:57 PM: Received from standard out: Path = C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Manfilter_3104.zip..01/08/2021 1:57 PM: Rec
C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\klinge.mdw
Process:C:\Windows\SysWOW64\7za.exe
File Type:data
Category:dropped
Size (bytes):137216
Entropy (8bit):6.178450688497555
Encrypted:false
SSDEEP:3072:O5mPTXo55N47Rl4yV53etjAacGcoTyurJ:PW5NGRl4yV5sAacG+WJ
MD5:FFC9102C983930D33AF7DC5917324286
SHA1:C88A928FAFF7820ABB3742CCA798BCF537325615
SHA-256:A41E646A09771962B167C442FB2AE1DC41091A6A0A9D1B165E2B4E62F8ACDAA2
SHA-512:19BEFE95F475CC9A71EE2170226B0645563C368D752A686AA31AB47FC87BAC051EDC5DAB13C073745D7D09BBC71F91F875C239DEFEBDC43E947A67490FE4583D
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\manfiltr.exe
Process:C:\Windows\SysWOW64\7za.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):733184
Entropy (8bit):5.93295584987334
Encrypted:false
SSDEEP:6144:EHOjpHvff12IKY8u2OQV3nU+nKtS2Nv4zPHOjpHvfaEoREBGOHpcNh2RL7hknA9V:oOH2Ma2UOYEIOHpcDqLf9fXFWSn17
MD5:AF9EEDACA97462C974D9933011DE3584
SHA1:22FDC9D667D32C00A5DC989E911962378147009B
SHA-256:9694DCC0BE8F9C5979F893D074F9E56E2AE41DDD5AFF91025A63D7E862FCE724
SHA-512:F0AE7039AFD56EFEA8CE42FE3D74961B87FBC7ACE1D7BBCC57595458C7B3C7A4C320836A0FE8291D420A8B4C3A5AD0EE7EC2105B1C08AD5C562BC03BB5E9DAFA
Malicious:false
Antivirus:
  • Antivirus: Virustotal, Detection: 4%
  • Antivirus: ReversingLabs, Detection: 2%
Reputation:low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............i...i...i...d...i.Rich..i.................PE..L.....pU.....................@......L........ ....@..........................`......jJ..........................................(....P...................................................................... ... ....................................text............................... ..`.data...$.... ......................@....rsrc........P....... ..............@..@...H............MSVBVM60.DLL
C:\Users\user\AppData\Local\Temp\~DFD1E092C5CA8B53EC.TMP
Process:C:\Program Files\internet explorer\iexplore.exe
File Type:data
Category:dropped
Size (bytes):12981
Entropy (8bit):0.44420853702577207
Encrypted:false
SSDEEP:24:c9lLh9lLh9lIn9lIn9loJF9loL9lWSZz/7n:kBqoIsySp/7n
MD5:FD3B5518C77DF332F12668A6FC2E7CB0
SHA1:2D09FDD686A08601B9C8806D5E74BF14289AD5AE
SHA-256:4B4635342B54702CAA5B4D31FFD3E6BEB3D5AAF9E8AECA71F3FCE1C4A5EF42A5
SHA-512:F40980DB335E62F806BF127B8E2723EC57FD828AC6466AA843F6623352F5F35ABD8BE32B365D607FF8D627D2FEBF23F5914A1176DF6BB619B482926D824EC879
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\~DFE1328C7B448C3F3B.TMP
Process:C:\Program Files\internet explorer\iexplore.exe
File Type:data
Category:dropped
Size (bytes):29989
Entropy (8bit):0.3298275912603426
Encrypted:false
SSDEEP:24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lw829lwJ9l2f/9l2H9lx:kBqoxKAuvScS+85sf+azy
MD5:72D0AA8B7A6AA44D165605D6F2C9F793
SHA1:46EA6C8D6B7E16B05EC11329EDB2868E2F79C655
SHA-256:4DD878CAD7D73EDBA0778946F10428093A8E7019493443B73B19DE43DA9EEB06
SHA-512:8FAA360A58D1318213614D7500C7634F1CD1BCC250747005D5DFB744830D3D8CE9EC08FD3A6DBD2B50CEC3C767256F011DE1216E03B68656C210DE1C46F46FC9
Malicious:false
Reputation:low

Static File Info

No static file info

Network Behavior

Network Port Distribution

  • Total Packets: 274
  • 443 (HTTPS)
  • 53 (DNS)
Jan 8, 2021 13:57:25.116189003 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116204977 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.116226912 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116240978 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.116262913 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116280079 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.116309881 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116312027 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.116350889 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116364956 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.116388083 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116400957 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.116425991 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116441965 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.116462946 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116476059 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.116499901 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116514921 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.116538048 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116552114 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.116574049 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116588116 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.116621971 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116626978 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.116663933 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116672039 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.116700888 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116715908 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.116740942 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116754055 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.116776943 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116791010 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.116812944 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116822004 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.116851091 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116864920 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.116887093 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116899967 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.116935015 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116938114 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.116976976 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.116992950 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.117014885 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.117028952 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.117053032 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.117065907 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.117089033 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.117101908 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.117125034 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.117141962 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.117162943 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.117188931 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.117198944 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.117206097 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.117245913 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.117255926 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.117285967 CET4434969452.202.55.99192.168.2.3
Jan 8, 2021 13:57:25.117300987 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:25.117335081 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:37.406632900 CET49694443192.168.2.352.202.55.99
Jan 8, 2021 13:57:37.409297943 CET49695443192.168.2.352.202.55.99
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2021 13:57:17.961195946 CET | 49873 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:18.009367943 CET | 53 | 49873 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:57:18.818311930 CET | 53196 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:18.866297960 CET | 53 | 53196 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:57:19.679153919 CET | 56777 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:19.729990005 CET | 53 | 56777 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:57:20.898179054 CET | 58643 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:20.949225903 CET | 53 | 58643 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:57:21.900305033 CET | 60985 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:21.956677914 CET | 53 | 60985 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:57:22.680814981 CET | 50200 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:22.744077921 CET | 53 | 50200 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:57:23.055399895 CET | 51281 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:23.106204987 CET | 53 | 51281 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:57:23.829370022 CET | 49199 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:23.993784904 CET | 53 | 49199 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:57:24.067456007 CET | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:24.115411997 CET | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:57:25.105437040 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:25.153460026 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:57:27.168555975 CET | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:27.216695070 CET | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:57:28.361356974 CET | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:28.409178972 CET | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:57:29.307199955 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:29.357979059 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:57:30.264095068 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:30.312165022 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:57:31.053258896 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:31.101202011 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:57:31.853590965 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:31.901606083 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:57:49.348191023 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:49.409419060 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:57:52.687067986 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:52.738132954 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:57:53.683758020 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:53.734771013 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:57:54.682180882 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:54.733089924 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:57:56.682621002 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:57:56.733491898 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:58:00.698340893 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:58:00.749102116 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jan 8, 2021 13:58:07.446932077 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Jan 8, 2021 13:58:07.497704029 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 8, 2021 13:57:23.829370022 CET | 192.168.2.3 | 8.8.8.8 | 0xb68 | Standard query (0) | us.klinge.biz | A (IP address) | IN (0x0001)

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 8, 2021 13:57:23.993784904 CET | 8.8.8.8 | 192.168.2.3 | 0xb68 | No error (0) | us.klinge.biz | (none) | 52.202.55.99 | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

  • File
  • Registry

Behavior

System Behavior

Start time: 13:57:21
Start date: 08/01/2021
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff7109c0000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Start time: 13:57:22
Start date: 08/01/2021
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5172 CREDAT:17410 /prefetch:2
Imagebase: 0x3a0000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Start time: 13:57:37
Start date: 08/01/2021
Path: C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Manfilter_3104.zip'
Imagebase: 0xf0000
File size: 10240 bytes
MD5 hash: 8B435F8731563566F3F49203BA277865
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

Start time: 13:57:39
Start date: 08/01/2021
Path: C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\poyytgcb.bev' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Manfilter_3104.zip'
Imagebase: 0xf60000
File size: 289792 bytes
MD5 hash: 77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Start time: 13:57:39
Start date: 08/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Start time: 13:57:40
Start date: 08/01/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\manfiltr.exe'
Imagebase: 0x380000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Start time: 13:57:40
Start date: 08/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Start time: 13:57:40
Start date: 08/01/2021
Path: C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\manfiltr.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\poyytgcb.bev\Manfilter_3104\manfiltr.exe
Imagebase: 0x400000
File size: 733184 bytes
MD5 hash: AF9EEDACA97462C974D9933011DE3584
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Antivirus matches:
  • Detection: 4%, Virustotal
  • Detection: 2%, ReversingLabs
Reputation: low

Disassembly

Code Analysis

Executed Functions

Strings
Memory Dump Source
  • Source File: 00000003.00000002.475462193.00000000022A0000.00000040.00000001.sdmp, Offset: 022A0000, based on PE: false
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_3_2_22a0000_unarchiver.jbxd
Similarity
  • API ID:
  • String ID: :@:r$X1ar
  • API String ID: 0-3821969665
  • Opcode ID: f76bc85624ae26be9aa9284343396fc0198cb7aa4925e3f48464436b5ee18d93
  • Instruction ID: 01a7813732d9dcb24f5028215dbe9df9f461beefa0652f3db874d4ccb589cb96
  • Opcode Fuzzy Hash: f76bc85624ae26be9aa9284343396fc0198cb7aa4925e3f48464436b5ee18d93
  • Instruction Fuzzy Hash: 33221874E11218DFDB14DFA5D894BADBBB2FB89300F20D56AD809A7359DB349A81CF10
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 00000003.00000002.475462193.00000000022A0000.00000040.00000001.sdmp, Offset: 022A0000, based on PE: false
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_3_2_22a0000_unarchiver.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 2b46b774bd3e04519ab1874ae423036acb12d17daddca15e687af8fcf5bdd1cd
  • Instruction ID: c07dff54c50fc5651992e019d46b76749b88c37544366e02042e99adcb74e258
  • Opcode Fuzzy Hash: 2b46b774bd3e04519ab1874ae423036acb12d17daddca15e687af8fcf5bdd1cd
  • Instruction Fuzzy Hash: EA51E670E42208DFDB19DFB9D490AAEBBB6FF8A300F209469E405B7354DB399941CB54
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 00000003.00000002.475462193.00000000022A0000.00000040.00000001.sdmp, Offset: 022A0000, based on PE: false
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_3_2_22a0000_unarchiver.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 7cfa72ef3b0186db84f2df08a3596bb15f19f27275a2914ca4f0759bf0dff361
  • Instruction ID: ca0e7d80e8f68889cfe7ae92fe8f89d7565003f9ff320625e5a01ae9a7347c70
  • Opcode Fuzzy Hash: 7cfa72ef3b0186db84f2df08a3596bb15f19f27275a2914ca4f0759bf0dff361
  • Instruction Fuzzy Hash: 35216B31D06108CFCB00DFA5D954BEDBBB6EF89305F10952AD900B3255EB74AA06CF50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 00000003.00000002.475462193.00000000022A0000.00000040.00000001.sdmp, Offset: 022A0000, based on PE: false
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_3_2_22a0000_unarchiver.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: a31ba6f657658ea7435e9cc3c0f9499670f57cbcd371ffbe6579a072c974cf42
  • Instruction ID: 6bd7899022788854a97e2ffa3b6fb065d05230622ffa0613b45368277a45b560
  • Opcode Fuzzy Hash: a31ba6f657658ea7435e9cc3c0f9499670f57cbcd371ffbe6579a072c974cf42
  • Instruction Fuzzy Hash: 00213875D01108DFCB04DFA5D954BEEBBB6EB89305F10952AD900B3258EB74AA06CF90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 00000003.00000002.475471854.00000000022B0000.00000040.00000040.sdmp, Offset: 022B0000, based on PE: false
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_3_2_22b0000_unarchiver.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: e95baeb5078a201a33c3332afc3fe6e780b076783c5861252c043671d64a2ee2
  • Instruction ID: 983b4fada43bfa018866832f742ad27996b0b0a480061a4e49c2bbf916e97c42
  • Opcode Fuzzy Hash: e95baeb5078a201a33c3332afc3fe6e780b076783c5861252c043671d64a2ee2
  • Instruction Fuzzy Hash: 1001B5B24097906FD701CB159C45C56FBF8DF86520B08C55FFC489B202E265A9148BB2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 00000003.00000002.475471854.00000000022B0000.00000040.00000040.sdmp, Offset: 022B0000, based on PE: false
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_3_2_22b0000_unarchiver.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 1a3fd7849a5264f067028da1f6f60e98af8592ddd2aa87c96a76eda2549564af
  • Instruction ID: 9496f5cc2c364e1ae1c7e6d1b3514db962e28115e12513bba2dc7a3f8b9cdc98
  • Opcode Fuzzy Hash: 1a3fd7849a5264f067028da1f6f60e98af8592ddd2aa87c96a76eda2549564af
  • Instruction Fuzzy Hash: B701F9B65097805FD7128B16EC40863FFFCEF86230708C0AFED898B612D225A904CB72
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 00000003.00000002.475462193.00000000022A0000.00000040.00000001.sdmp, Offset: 022A0000, based on PE: false
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_3_2_22a0000_unarchiver.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 6be986eb8946c2e08b2c8de4ab71b4739e13c9c3d691c463c2548ddef0d895c0
  • Instruction ID: f136aed8416913584b074c1ce09f1f11fad891e5666093c67164239b68f52758
  • Opcode Fuzzy Hash: 6be986eb8946c2e08b2c8de4ab71b4739e13c9c3d691c463c2548ddef0d895c0
  • Instruction Fuzzy Hash: A4011D70C02209DFCB04EFB8C454BAEBBB1BB44301F2098A9C00563280D7799B84CF80
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 00000003.00000002.475471854.00000000022B0000.00000040.00000040.sdmp, Offset: 022B0000, based on PE: false
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_3_2_22b0000_unarchiver.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 959f3a613b691acb14950a99c5bfc85e66f6dcd8deea37ba10eafa1f03a0e683
  • Instruction ID: a88a6dde132ed5d43eca3be599ec0a3a01ea70ace3bfc8bc6f9d44064d4f5e4a
  • Opcode Fuzzy Hash: 959f3a613b691acb14950a99c5bfc85e66f6dcd8deea37ba10eafa1f03a0e683
  • Instruction Fuzzy Hash: BAF082B28452046FD640DF05EC45896F7ECDFC4921B14C52EFC488B300E276AA144AF2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 00000003.00000002.475462193.00000000022A0000.00000040.00000001.sdmp, Offset: 022A0000, based on PE: false
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_3_2_22a0000_unarchiver.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: fc611c932c4ce4937dc0bf859466367c6f188ec20d18ee29837f86de60ff8b04
  • Instruction ID: 7378fe5e8b87823fa00f92915842eb7a638241cf86de8ce6a19a3ccb0cb50743
  • Opcode Fuzzy Hash: fc611c932c4ce4937dc0bf859466367c6f188ec20d18ee29837f86de60ff8b04
  • Instruction Fuzzy Hash: 39F0A4B4D05209DBCB04EFA9C651AAEBBF5AF88300F2095AAD414A3354EB715B44DF91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
  • Source File: 00000003.00000002.475471854.00000000022B0000.00000040.00000040.sdmp, Offset: 022B0000, based on PE: false
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_3_2_22b0000_unarchiver.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 1e71b68640a60bf5455e8a5fbbe44639d7ab535ed0f1661de318537d11707b37
  • Instruction ID: 4cbfaa543bcc74f73db60fee4b2324910b8f34e76f25e1f14cdaaaceaca43114
  • Opcode Fuzzy Hash: 1e71b68640a60bf5455e8a5fbbe44639d7ab535ed0f1661de318537d11707b37
  • Instruction Fuzzy Hash: 72E092B66406008BD650CF0BFC41456F7E8EB88631B18C47FDC0D8B700E235B504CEA6
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage: 0.9%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 1

Graph

Execution graph nodes: 141 = 40124c (#100), 142 = 4012b0, 143 = 401239 (#306); edges: 141->142, 141->143, 143->141

Callgraph

Legend
  • Executed
  • Not Executed
  • Opacity -> Relevance
  • Disassembly available
Callgraph nodes (102 functions):
Function_00406140, Function_00402343, Function_00403745, Function_00403146, Function_00405A49, Function_0040124C, Function_00407551, Function_00408C53, Function_00402D55, Function_0040A657, Function_00404A5A, Function_0040605C, Function_0040435D, Function_00404E60, Function_00409361, Function_00406E6C, Function_00405C6D, Function_0040346F, Function_00408971, Function_00402F76, Function_0040237A, Function_00402A7C, Function_00407C7F, Function_00409200, Function_00404401, Function_00406701,
Function_00404602, Function_00403304, Function_00406D04, Function_00407A0A, Function_0040200E, Function_00409113, Function_00408A14, Function_00403A19, Function_0040991C, Function_00403C1E, Function_00405220, Function_00405D28, Function_00404B2E, Function_00404A31, Function_00404D33, Function_00406B39, Function_00408D39, Function_0040163A, Function_0040803C, Function_0040A0C3, Function_004024C3, Function_004012C5, Function_00404FC5, Function_00409AC6, Function_004056C7, Function_004024CB,
Function_004047CE, Function_004040D0, Function_004093D1, Function_004069D1, Function_00406FD4, Function_00408BD7, Function_004035DA, Function_00408DDD, Function_00407EDE, Function_004085E3, Function_00407EE6, Function_00408AE8, Function_004048EF, Function_00403CEF, Function_004097F1, Function_0040A4F2, Function_00409DF4, Function_0040A2F7, Function_004053F7, Function_00405BF9, Function_004065FC, Function_00407282, Function_00402783, Function_00407984, Function_00409085, Function_00403D86,
Function_00407A8E, Function_0040A18F, Function_00405292, Function_00404D93, Function_00405994, Function_00406494, Function_00409595, Function_00404795, Function_0040879B, Function_00406B9C, Function_00402CA2, Function_004062A8, Function_004054AA, Function_004033AB, Function_004060AC, Function_004081AE, Function_004021AE, Function_004038B0, Function_004097B4, Function_004080B7, Function_004093B8, Function_004075B8, Function_0040A7BC, Function_00408DBE

Executed Functions

Control-flow Graph

  • Executed
  • Not Executed
Control-flow graph blocks: 0 = 40124c-4012ae (#100), 1 = 4012b0-4012b6, 2 = 401239-401240 (#306); edges: 0->1, 0->2, 2->0
APIs
Strings
Memory Dump Source
  • Source File: 00000008.00000002.474259718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000008.00000002.474245712.0000000000400000.00000002.00020000.sdmp
  • Associated: 00000008.00000002.474443752.00000000004B2000.00000004.00020000.sdmp
  • Associated: 00000008.00000002.474455182.00000000004B5000.00000002.00020000.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_8_2_400000_manfiltr.jbxd
Similarity
  • API ID: #100
  • String ID: VB5!6&*
  • API String ID: 1341478452-3593831657
  • Opcode ID: 1604e7e5e69e035b0cdba5df60b7404361c82bb99116d157d519fbc4961034f1
  • Instruction ID: 04d9866c0cf20be843a8a60807f6a25529058e4ebf059373b5464b6fe199661b
  • Opcode Fuzzy Hash: 1604e7e5e69e035b0cdba5df60b7404361c82bb99116d157d519fbc4961034f1
  • Instruction Fuzzy Hash: 7C01D822A1E7C08FC3071730996918A7FB48E23200B1A85EBC0C2DE1F3C56C4809C727
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions