Evasive Gootkit Banking Trojan

Network Overview

Hosts (8)

Hostname	IP Address	Location	Protocols	Reputation Status	WHOIS Data
amd.martatovaglieri.it	176.10.125.81	Switzerland	HTTP, TCP	Has Blacklisted URL	Not Queried
drk.fm604.com	109.230.199.169	Hägersten (Sweden)	HTTPS, TCP	Has Blacklisted URL	Not Queried
xmpp.dolcesognar.it	109.230.199.30	Hägersten (Sweden)	HTTPS, TCP	Unknown	Not Queried
localhost	0000:0000:0000:0000:0000:0000:0000:0001, 127.0.0.1	-	-	Unknown	Not Queried
spop.lestanzedifederica.com	-	-	HTTPS, TCP	Not Queried	Not Queried
arb.palaser.eu	-	-	HTTPS, TCP	Not Queried	Not Queried
gttopr.space	198.251.83.27	Cheyenne (United States)	HTTPS, TCP	Not Queried	Not Queried
0, ::1	-	-	-	Query Error	Not Queried

DNS Queries (3)

Hostname	Categories	Names	Source	Reputation Status
xmpp.dolcesognar.it	-	-	Function Log	Unknown
localhost	-	-	Function Log	Unknown
::1	-	-	Function Log	Query Error

URLs (9)

URL	Categories	Names	Source	HTTP Status Code	Reputation Status
http://amd.martatovaglieri.it/upll?26201	Malware	Mal/HTMLGen-A	Function Log	OK (200)	Blacklisted
HTTP://drk.fm604.com/rbody320	Malware	Mal/HTMLGen-A	Function Log	-	Blacklisted
HTTP://drk.fm604.com/rbody32	Malware	Mal/HTMLGen-A	Function Log	-	Blacklisted
HTTP://drk.fm604.com/rpersist4/2091998236	Malware	Mal/HTMLGen-A	Function Log	-	Blacklisted
HTTP://xmpp.dolcesognar.it/rbody320	-	-	Function Log	-	Unknown
HTTP://xmpp.dolcesognar.it/rpersist4/1197631235	-	-	Function Log	-	Unknown
HTTP://spop.lestanzedifederica.com/rpersist4/1197631235	-	-	Function Log	-	Unknown
HTTP://arb.palaser.eu/rpersist4/1197631235	-	-	Function Log	-	Unknown
HTTP://gttopr.space/rpersist4/1197631235	-	-	Function Log	-	Unknown

Connections

ICMP (3)

Operation	Additional Information	Success	Count	Logfile
Send ICMP Echo	source_address = 48.238.12.0, destination_address = 128.84.17.1, timeout = 4000		3	Fn

DNS (13)

Operation	Additional Information	Count	Logfile
Get Hostname	-	1	Fn
Get Hostname	name_out = x2vS1cum	5	Fn
Resolve Address	address = 0, host_out = ::1	4	Fn
Resolve Name	host = xmpp.dolcesognar.it, address_out = 109.230.199.30	1	Fn
Resolve Name	host = localhost	1	Fn
Resolve Name	host = localhost, address_out = 0000:0000:0000:0000:0000:0000:0000:0001, 127.0.0.1	1	Fn

TCP Sessions (2)

Information	Value
Total Data Sent	0.00 KB
Total Data Received	0.00 KB
Contacted Host Count	1
Contacted Hosts	109.230.199.30:443

TCP Session #1

Information	Value
Handle	0xa24
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_IP
Remote Address	109.230.199.30
Remote Port	443
Local Address	0.0.0.0
Local Port	49700
Data Sent	0.00 KB
Data Received	0.00 KB

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Bind	local_address = 0.0.0.0, local_port = 49700, hint = OS assigned a local port from the dynamic client port range	1	Fn
Connect	remote_address = 109.230.199.30, remote_port = 443	1	Fn
Receive	flags = NO_FLAG_SET, size = 34272832	1	Fn
Send	flags = NO_FLAG_SET, size_out = 302	1	Fn
Receive	flags = NO_FLAG_SET, size = 34274288	1	Fn
Send	flags = NO_FLAG_SET, size_out = 191	1	Fn
Receive	flags = NO_FLAG_SET, size = 34274252	1	Fn
Receive	flags = NO_FLAG_SET, size = 34274288	1	Fn
Send	flags = NO_FLAG_SET, size_out = 335	1	Fn
Receive	flags = NO_FLAG_SET, size = 34274252	1	Fn
Receive	flags = NO_FLAG_SET, size = 34274288	1	Fn
Close	type = SOCK_STREAM	1	Fn

TCP Session #2

Information	Value
Handle	0xa24
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_IP
Remote Address	109.230.199.30
Remote Port	443
Local Address	0.0.0.0
Local Port	49700
Data Sent	0.00 KB
Data Received	0.00 KB

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Bind	local_address = 0.0.0.0, local_port = 49700, hint = OS assigned a local port from the dynamic client port range	1	Fn
Connect	remote_address = 109.230.199.30, remote_port = 443	1	Fn
Receive	flags = NO_FLAG_SET, size = 34272832	1	Fn
Send	flags = NO_FLAG_SET, size_out = 302	1	Fn
Receive	flags = NO_FLAG_SET, size = 34274288	1	Fn
Send	flags = NO_FLAG_SET, size_out = 191	1	Fn
Receive	flags = NO_FLAG_SET, size = 34274252	1	Fn
Receive	flags = NO_FLAG_SET, size = 34274288	1	Fn
Send	flags = NO_FLAG_SET, size_out = 33	1	Fn
Receive	flags = NO_FLAG_SET, size = 34274252	1	Fn
Send	flags = NO_FLAG_SET, size_out = 818	1	Fn
Receive	flags = NO_FLAG_SET, size = 34274288	1	Fn
Send	flags = NO_FLAG_SET, size_out = 33	1	Fn
Receive	flags = NO_FLAG_SET, size = 34274288	3	Fn
Receive	flags = NO_FLAG_SET, size = 34274252	1	Fn
Send	flags = NO_FLAG_SET, size_out = 949	1	Fn
Receive	flags = NO_FLAG_SET, size = 34274288	1	Fn
Receive	flags = NO_FLAG_SET, size = 34274252	1	Fn
Close	type = SOCK_STREAM	1	Fn

TCP Server (2)

Operation	Additional Information	Success	Count	Logfile
Listen	local_address = 127.0.0.1, local_port = 281, queue_length = 511		1	Fn
Listen	local_address = 127.0.0.1, local_port = 402, queue_length = 511		1	Fn

HTTP Sessions (14)

Information	Value
Total Data Sent	3.34 KB
Total Data Received	249.06 KB
Contacted Host Count	6
Contacted Hosts	amd.martatovaglieri.it, drk.fm604.com, xmpp.dolcesognar.it, spop.lestanzedifederica.com, arb.palaser.eu, gttopr.space

HTTP Session #1

Information	Value
Source	Function Log
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name	amd.martatovaglieri.it
Server Port	80
Data Sent	0.00 KB
Data Received	0.00 KB

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = amd.martatovaglieri.it, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /upll	1	Fn

HTTP Session #2

Information	Value
Source	Function Log
User Agent	Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0
Server Name	drk.fm604.com
Server Port	443
Data Sent	0.25 KB
Data Received	124.51 KB

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT	1	Fn
Open Connection	protocol = HTTP, server_name = drk.fm604.com, server_port = 443	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/2091998236, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Add HTTP Request Headers	headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe	1	Fn
Add HTTP Request Headers	headers = X-User-Name: X2VS1CUM\Nd9E1FYi	1	Fn
Add HTTP Request Headers	headers = X-ComputerName: X2VS1CUM	1	Fn
Add HTTP Request Headers	headers = X-OSVersion: 6.2.9200\| 0.0\|1\|0x00000100	1	Fn
Add HTTP Request Headers	headers = X-VendorId: 2816	1	Fn
Add HTTP Request Headers	headers = X-User-Info: Nd9E1FYi\|X2VS1CUM\|0x00000000\|0x00010201\|admin\|\\*	1	Fn
Add HTTP Request Headers	headers = X-IsTrustedComp: 0	1	Fn
Add HTTP Request Headers	headers = X-HTTP-Agent: WININET	1	Fn
Add HTTP Request Headers	headers = X-Proxy-Present: FALSE	1	Fn
Add HTTP Request Headers	headers = X-Proxy-Used: FALSE	1	Fn
Add HTTP Request Headers	headers = X-Proxy-AutoDetect: FALSE	1	Fn
Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = drk.fm604.com/rpersist4/2091998236	1	Fn
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Read Response	size = 512, size_out = 512	249	Fn Data
Close Session	-	1	Fn

HTTP Session #3

Information	Value
Source	Function Log
User Agent	Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0
Server Name	drk.fm604.com
Server Port	443
Data Sent	0.24 KB
Data Received	0.01 KB

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT	1	Fn
Open Connection	protocol = HTTP, server_name = drk.fm604.com, server_port = 443	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /rbody320, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Add HTTP Request Headers	headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe	1	Fn
Add HTTP Request Headers	headers = X-User-Name: X2VS1CUM\Nd9E1FYi	1	Fn
Add HTTP Request Headers	headers = X-ComputerName: X2VS1CUM	1	Fn
Add HTTP Request Headers	headers = X-OSVersion: 6.2.9200\| 0.0\|1\|0x00000100	1	Fn
Add HTTP Request Headers	headers = X-VendorId: 2816	1	Fn
Add HTTP Request Headers	headers = X-User-Info: Nd9E1FYi\|X2VS1CUM\|0x00000000\|0x00010201\|admin\|\\*	1	Fn
Add HTTP Request Headers	headers = X-IsTrustedComp: 0	1	Fn
Add HTTP Request Headers	headers = X-HTTP-Agent: WININET	1	Fn
Add HTTP Request Headers	headers = X-Proxy-Present: FALSE	1	Fn
Add HTTP Request Headers	headers = X-Proxy-Used: FALSE	1	Fn
Add HTTP Request Headers	headers = X-Proxy-AutoDetect: FALSE	1	Fn
Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = drk.fm604.com/rbody320	1	Fn
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Read Response	size = 512, size_out = 4	1	Fn Data
Read Response	size = 512, 0	1	Fn
Close Session	-	2	Fn

HTTP Session #4

Information	Value
Source	Function Log
User Agent	Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0
Server Name	drk.fm604.com
Server Port	443
Data Sent	0.24 KB
Data Received	124.51 KB

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT	1	Fn
Open Connection	protocol = HTTP, server_name = drk.fm604.com, server_port = 443	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /rbody32, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Add HTTP Request Headers	headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe	1	Fn
Add HTTP Request Headers	headers = X-User-Name: X2VS1CUM\Nd9E1FYi	1	Fn
Add HTTP Request Headers	headers = X-ComputerName: X2VS1CUM	1	Fn
Add HTTP Request Headers	headers = X-OSVersion: 6.2.9200\| 0.0\|1\|0x00000100	1	Fn
Add HTTP Request Headers	headers = X-VendorId: 2816	1	Fn
Add HTTP Request Headers	headers = X-User-Info: Nd9E1FYi\|X2VS1CUM\|0x00000000\|0x00010201\|admin\|\\*	1	Fn
Add HTTP Request Headers	headers = X-IsTrustedComp: 0	1	Fn
Add HTTP Request Headers	headers = X-HTTP-Agent: WININET	1	Fn
Add HTTP Request Headers	headers = X-Proxy-Present: FALSE	1	Fn
Add HTTP Request Headers	headers = X-Proxy-Used: FALSE	1	Fn
Add HTTP Request Headers	headers = X-Proxy-AutoDetect: FALSE	1	Fn
Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = drk.fm604.com/rbody32	1	Fn
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Read Response	size = 512, size_out = 512	249	Fn Data
Close Session	-	2	Fn

HTTP Session #5

Information	Value
Source	Function Log
User Agent	Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0
Server Name	xmpp.dolcesognar.it
Server Port	443
Data Sent	0.26 KB
Data Received	0.00 KB

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT	1	Fn
Open Connection	protocol = HTTP, server_name = xmpp.dolcesognar.it, server_port = 443	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Add HTTP Request Headers	headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe	1	Fn
Add HTTP Request Headers	headers = X-User-Name: X2VS1CUM\Nd9E1FYi	1	Fn
Add HTTP Request Headers	headers = X-ComputerName: X2VS1CUM	1	Fn
Add HTTP Request Headers	headers = X-OSVersion: 6.2.9200\| 0.0\|1\|0x00000100	1	Fn
Add HTTP Request Headers	headers = X-VendorId: 3007	1	Fn
Add HTTP Request Headers	headers = X-User-Info: Nd9E1FYi\|X2VS1CUM\|0x00000000\|0x00010201\|admin\|\\*	1	Fn
Add HTTP Request Headers	headers = X-IsTrustedComp: 0	1	Fn
Add HTTP Request Headers	headers = X-HTTP-Agent: WININET	1	Fn
Add HTTP Request Headers	headers = X-Proxy-Present: FALSE	1	Fn
Add HTTP Request Headers	headers = X-Proxy-Used: FALSE	1	Fn
Add HTTP Request Headers	headers = X-Proxy-AutoDetect: FALSE	1	Fn
Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = xmpp.dolcesognar.it/rpersist4/1197631235	1	Fn
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Close Session	-	4	Fn

HTTP Session #6

Information	Value
Source	Function Log
User Agent	Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0
Server Name	xmpp.dolcesognar.it
Server Port	443
Data Sent	0.26 KB
Data Received	0.00 KB

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = xmpp.dolcesognar.it, server_port = 443	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Add HTTP Request Headers	headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe	1	Fn
Add HTTP Request Headers	headers = X-User-Name: X2VS1CUM\Nd9E1FYi	1	Fn
Add HTTP Request Headers	headers = X-ComputerName: X2VS1CUM	1	Fn
Add HTTP Request Headers	headers = X-OSVersion: 6.2.9200\| 0.0\|1\|0x00000100	1	Fn
Add HTTP Request Headers	headers = X-VendorId: 3007	1	Fn
Add HTTP Request Headers	headers = X-User-Info: Nd9E1FYi\|X2VS1CUM\|0x00000000\|0x00010201\|admin\|\\*	1	Fn
Add HTTP Request Headers	headers = X-IsTrustedComp: 0	1	Fn
Add HTTP Request Headers	headers = X-HTTP-Agent: WININET	1	Fn
Add HTTP Request Headers	headers = X-Proxy-Present: FALSE	1	Fn
Add HTTP Request Headers	headers = X-Proxy-Used: FALSE	1	Fn
Add HTTP Request Headers	headers = X-Proxy-AutoDetect: FALSE	1	Fn
Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = xmpp.dolcesognar.it/rpersist4/1197631235	1	Fn
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Close Session	-	4	Fn

HTTP Session #7

Information	Value
Source	Function Log
User Agent	Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0
Server Name	spop.lestanzedifederica.com
Server Port	443
Data Sent	0.28 KB
Data Received	0.00 KB

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT	1	Fn
Open Connection	protocol = HTTP, server_name = spop.lestanzedifederica.com, server_port = 443	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Add HTTP Request Headers	headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe	1	Fn
Add HTTP Request Headers	headers = X-User-Name: X2VS1CUM\Nd9E1FYi	1	Fn
Add HTTP Request Headers	headers = X-ComputerName: X2VS1CUM	1	Fn
Add HTTP Request Headers	headers = X-OSVersion: 6.2.9200\| 0.0\|1\|0x00000100	1	Fn
Add HTTP Request Headers	headers = X-VendorId: 3007	1	Fn
Add HTTP Request Headers	headers = X-User-Info: Nd9E1FYi\|X2VS1CUM\|0x00000000\|0x00010201\|admin\|\\*	1	Fn
Add HTTP Request Headers	headers = X-IsTrustedComp: 0	1	Fn
Add HTTP Request Headers	headers = X-HTTP-Agent: WININET	1	Fn
Add HTTP Request Headers	headers = X-Proxy-Present: FALSE	1	Fn
Add HTTP Request Headers	headers = X-Proxy-Used: FALSE	1	Fn
Add HTTP Request Headers	headers = X-Proxy-AutoDetect: FALSE	1	Fn
Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = spop.lestanzedifederica.com/rpersist4/1197631235	1	Fn
Close Session	-	4	Fn

HTTP Session #8

Information	Value
Source	Function Log
User Agent	Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0
Server Name	spop.lestanzedifederica.com
Server Port	443
Data Sent	0.28 KB
Data Received	0.00 KB

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = spop.lestanzedifederica.com, server_port = 443	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Add HTTP Request Headers	headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe	1	Fn
Add HTTP Request Headers	headers = X-User-Name: X2VS1CUM\Nd9E1FYi	1	Fn
Add HTTP Request Headers	headers = X-ComputerName: X2VS1CUM	1	Fn
Add HTTP Request Headers	headers = X-OSVersion: 6.2.9200\| 0.0\|1\|0x00000100	1	Fn
Add HTTP Request Headers	headers = X-VendorId: 3007	1	Fn
Add HTTP Request Headers	headers = X-User-Info: Nd9E1FYi\|X2VS1CUM\|0x00000000\|0x00010201\|admin\|\\*	1	Fn
Add HTTP Request Headers	headers = X-IsTrustedComp: 0	1	Fn
Add HTTP Request Headers	headers = X-HTTP-Agent: WININET	1	Fn
Add HTTP Request Headers	headers = X-Proxy-Present: FALSE	1	Fn
Add HTTP Request Headers	headers = X-Proxy-Used: FALSE	1	Fn
Add HTTP Request Headers	headers = X-Proxy-AutoDetect: FALSE	1	Fn
Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = spop.lestanzedifederica.com/rpersist4/1197631235	1	Fn
Close Session	-	4	Fn

HTTP Session #9

Information	Value
Source	Function Log
User Agent	Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0
Server Name	arb.palaser.eu
Server Port	443
Data Sent	0.25 KB
Data Received	0.00 KB

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_DIRECT	1	Fn
Open Connection	protocol = HTTP, server_name = arb.palaser.eu, server_port = 443	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Add HTTP Request Headers	headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe	1	Fn
Add HTTP Request Headers	headers = X-User-Name: X2VS1CUM\Nd9E1FYi	1	Fn
Add HTTP Request Headers	headers = X-ComputerName: X2VS1CUM	1	Fn
Add HTTP Request Headers	headers = X-OSVersion: 6.2.9200\| 0.0\|1\|0x00000100	1	Fn
Add HTTP Request Headers	headers = X-VendorId: 3007	1	Fn
Add HTTP Request Headers	headers = X-User-Info: Nd9E1FYi\|X2VS1CUM\|0x00000000\|0x00010201\|admin\|\\*	1	Fn
Add HTTP Request Headers	headers = X-IsTrustedComp: 0	1	Fn
Add HTTP Request Headers	headers = X-HTTP-Agent: WININET	1	Fn
Add HTTP Request Headers	headers = X-Proxy-Present: FALSE	1	Fn
Add HTTP Request Headers	headers = X-Proxy-Used: FALSE	1	Fn
Add HTTP Request Headers	headers = X-Proxy-AutoDetect: FALSE	1	Fn
Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = arb.palaser.eu/rpersist4/1197631235	1	Fn
Close Session	-	4	Fn

HTTP Session #10

Information	Value
Source	Function Log
User Agent	Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0
Server Name	arb.palaser.eu
Server Port	443
Data Sent	0.25 KB
Data Received	0.00 KB

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/21000101 Firefox/25.0, access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = arb.palaser.eu, server_port = 443	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /rpersist4/1197631235, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Add HTTP Request Headers	headers = X-File-Name: C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe	1	Fn
Add HTTP Request Headers	headers = X-User-Name: X2VS1CUM\Nd9E1FYi	1	Fn
Add HTTP Request Headers	headers = X-ComputerName: X2VS1CUM	1	Fn
Add HTTP Request Headers	headers = X-OSVersion: 6.2.9200\| 0.0\|1\|0x00000100	1	Fn
Close Session	-	4	Fn

The remaining 4 entries are omitted for performance reasons and can be found in glog.xml or analysis.pcap .

WHOIS Domain Information

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Before

After

Screenshot

Notifications (2/2)

Network Overview

Connections

WHOIS Domain Information

Before

After